Phishing in India: All you need to know


What is phishing?

Phishing is a type of digital crime in which an attacker impersonating a legitimate organisation contacts a specific target or group of targets, by email, phone call, chat or other verbal and non-verbal means, in order to deceive them into disclosing private information such as personal data, financial details, and credit card numbers and PINs. This sensitive information is then used to gain access to important records, which can lead to security breaches and large financial losses.

Phishing starts with a fake email or other communication designed to lure a victim. The message is crafted to appear to come from a trusted source. If the victim is duped, he or she is persuaded to hand over confidential information, usually through a fraudulent website. In some cases, malware is downloaded onto the target’s computer instead.

For financial gain, attackers may be content with obtaining a victim’s bank details or other specific data. Phishing emails are also sent to steal login credentials or other information that can be used in a more sophisticated attack on a particular company. Phishing is a common entry point for advanced persistent threats and data breaches.

More than 8.5 lakh incidents of money loss and data breaches due to phishing have been documented in the past two years, with customers collectively losing at least Rs 1500 crore as a direct consequence. Customers reported 9,34,109 cases and a total loss of Rs. 1,434.75 crores between 1 April 2020 and 31 March 2022. The finance ministry disclosed these figures during a budget session.

How phishing works

Phishers frequently rely on social engineering techniques delivered by e-mail or any other electronic channel. Direct messages sent via social media platforms and SMS texts are two common examples of these channels.

Phishers can collect basic details about a victim’s private and professional history, preferences, and activities from public data sources, typically social media platforms such as LinkedIn, Instagram, and Facebook pages. These sources are used to discover information such as a prospective victim’s name, job title, and employer’s domain name. These details are later used to produce a convincing e-mail.

History of phishing

The term “phishing” first emerged in the late 1990s, when attackers began “fishing” for information from unsuspecting victims through unsolicited emails. Because early attackers were often called “phreaks,” the spelling “phishing” with a “ph” took hold. Phishing emails entice recipients to take the bait; once a recipient bites, both the customer and the company face complications.

Because AOL was one of the most widely used content providers with access to the web, scammers posed as AOL staff and used spam emails and instant messages to trick victims into revealing their usernames and passwords, enabling the attackers to gain access to their financial records.

Hackers started targeting financial institutions in the 2000s. Phishing emails were sent to deceive users into revealing their bank account information. These emails included a link to a fraudulent webpage that closely resembled the official bank homepage, but whose domain name differed only slightly from the genuine one. Later, the attackers targeted many other kinds of accounts, including eBay and Google, with the intent of stealing login details, defrauding users, or spamming other users.

Types of phishing scams

Deceptive phishing – This is one of the most common forms of phishing. An attacker impersonates a recognisable sender and sends emails and messages in order to obtain the victim’s personal information or login details. These emails trick recipients into revealing particular information by asking them to confirm account details, change a password, or make a payment.

Spear phishing –

Spear phishing targets specific individuals rather than a large group of people. Scammers research the victim across a variety of social media platforms and other websites. They then personalise their messages so that they appear more authentic before sending them to the victim. Spear phishing is often used as the first step in breaching a company’s defences and carrying out a cyberattack.

Whaling –

When attackers go after a “big fish,” such as a CEO, this is known as whaling. These attackers carefully profile the target in order to find a suitable opportunity and pretext for stealing their user credentials. Whaling is especially dangerous because the chief executives of a company or organisation have access to a large amount of sensitive corporate information.

Pharming – Pharming, like phishing, directs users to a completely fake webpage that appears to be legitimate. In this case, however, victims are taken to the fraudulent site without ever clicking on a malicious link. Even if the user enters the correct URL, attackers can compromise the user’s device or the site’s domain name server and redirect the user to an entirely different location.

Phishing laws in India

To gain a comprehensive understanding of phishing within India’s legal framework, it is easier to treat the criminal and data protection aspects of phishing separately.

Criminal Aspect of Phishing

Because phishing involves the extraction of information from the digital space, it is classified as a data breach or cyberattack and therefore falls directly under the provisions of the Information Technology Act, 2000. The criminal provisions were introduced in the 2008 amendment. The provisions that govern the crime of phishing are as follows:

  • Section 43 – If a person gains unauthorised access to another individual’s data or computer system with the intent of installing, obtaining, hindering, or compromising the information stored there, that person is liable under this provision.
  • Section 66 – Specifies the imprisonment and fines that can be imposed on a phisher who steals a victim’s sensitive information. Depending on the seriousness of the offence, the punishment may be imprisonment for a term of up to three years, a fine of up to five lakh rupees, or both.
  • Section 66A – States that circulating completely false information solely for the purpose of causing harm to the user is a punishable offence. The provision also defines the offences punishable under the Act.
  • Section 66C – Phishers carry out their scams by disguising themselves as the lawful account holder and committing financial fraud. This section prohibits such fraudulent use of passwords, digital signatures, and any other unique identifying feature of an individual.
  • Section 66D – This section covers cheating by personation using communication devices or computer resources. Scammers dupe banks and other organisations’ customers with hyperlinks that divert them to fake versions of the official websites, giving the appearance that these belong to the same organisation.

Moreover, Section 81 of the Act contains an overriding clause stipulating that the provisions of the IT Act prevail over any other legislation currently in force. Phishing scams are nonetheless punishable under Section 77 of the Act. The difficulty lies in the inability to clearly identify the perpetrator of the crime: the way the crime is committed provides a cover for the phisher, concealing their identity and creating circumstances in which an innocent party could be convicted for a crime they did not commit.

Furthermore, the following provisions of the IPC make an individual fully accountable for phishing:

  • Sections 378 to 379: Theft
  • Sections 405 to 406: Criminal breach of trust
  • Sections 415 to 419: Cheating
  • Sections 425 to 426: Mischief
  • Sections 463 to 477: Forgery

Case Laws dealing with Phishing in India

National Association of Software and Service Companies v. Ajay Sood & Others

In National Association of Software and Service Companies v. Ajay Sood & Others, the Delhi High Court declared phishing an unlawful practice, granting a temporary injunction as well as the recovery of damages.

This was among the most publicised phishing cases. The defendants ran a recruitment agency. NASSCOM sent an email to a third party soliciting private details for head-hunting purposes. Damages of around 18 lakhs were awarded.

According to the judgement of Justice P. Nandrajog, the online world has created various new and fascinating techniques for defrauding both individuals and businesses, and ‘phishing’ is one form of online fraud. In ‘phishing,’ an individual impersonates a genuine organisation such as a financial institution or an insurance agency in order to obtain personal details from a customer, including passwords and encryption keys, which he later uses for his own benefit, thereby misrepresenting the legitimate party’s identity. Individuals posing as representatives of financial institutions typically siphon money from e-banking accounts after deceiving customers into handing over highly confidential bank details in these scams.

How to prevent phishing?

A combination of training to recognise red flags and comprehensive cybersecurity controls to stop payloads is necessary to prevent these scams. E-mail filtering can help with malware, but in cases of false negatives, human vigilance is still required.

Here are some measures that individuals and companies can take to protect themselves from phishing scams:

  • Red flags include a heightened sense of urgency and requests for personal data such as passwords, as well as unexpected links and attachments. Users should be trained to identify these warning signs in order to protect themselves against cybercrime.
  • It is always preferable to type the official web address directly into the browser and log in from the manually entered site, rather than clicking on a hyperlink and entering credentials on a page reached through an embedded link.
  • Use automated, AI-based inspection of incoming messages to identify potentially malicious emails and quarantine them. This prevents malicious emails and links from reaching the recipient’s mailbox.
  • Credentials should be changed regularly to reduce an attacker’s window of access. Users should be required to change their passwords every 1–2 months. When credentials stay the same for an extended period, an attacker retains access to a compromised account indefinitely.
  • Developers release updates to address bugs and security flaws. These updates should be installed promptly to ensure that known flaws no longer exist in the system.
  • Firewalls should be installed to manage both incoming and outgoing traffic. Malware installed via phishing quietly collects and transmits private information to an attacker, but a firewall can block suspicious outgoing requests and log them for later analysis.
  • Attackers manipulate the buttons on pop-up windows to trick the user into visiting an infected website or downloading malware. Pop-up blockers stop many pop-ups from appearing, although some can still get through.
  • Unless the website is completely trustworthy, credit card information should never be entered on a webpage you do not recognise. Any webpage offering free gifts or cashback should be treated with the utmost caution.
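The prevention list above and the earlier description of fraudulent pages whose domain differs only slightly from the genuine one can be turned into a simple mail-triage check. The following is an added example written for this article, not code from the original page or from any product it mentions: it parses a constructed phishing email and a constructed legitimate one, and flags the red flags the article names (urgency language, a sender or link domain that is a near-miss of a trusted domain, and link text that displays one site while the href points to another). The trusted-domain list, the urgency phrases, the edit-distance threshold of 2 and the sample messages are all assumptions made for the example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed trust list: domains this organisation expects mail from (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "mail.examplebank.com"}

# Phrases that signal the "heightened sense of urgency" red flag (assumption).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")

# Matches <a href="...">label</a> in an HTML body.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike(host: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this host resembles but does not equal, else None."""
    reg = registrable(host)
    trusted_reg = {registrable(t) for t in trusted}
    if not reg or reg in trusted_reg:
        return None
    for t in sorted(trusted_reg):
        if edit_distance(reg, t) <= 2:  # threshold is an assumption
            return t
    return None


def analyse(raw: str) -> dict:
    """Return the red flags found in a raw RFC 822 message and an overall verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain that is a near-miss of a trusted domain.
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1]
    sender_host = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    hit = lookalike(sender_host)
    if hit:
        findings.append(f"sender domain {sender_host!r} resembles trusted {hit!r}")

    # 2. Urgency language in subject or body text (tags stripped).
    subject = str(msg["Subject"] or "")
    body = msg.get_content() if not msg.is_multipart() else ""
    text = (subject + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    words = [w for w in URGENCY_WORDS if w in text]
    if words:
        findings.append("urgency language: " + ", ".join(words))

    # 3. Links whose visible text names one site while the href points elsewhere,
    #    and links whose host is a lookalike of a trusted domain.
    for href, label in HREF_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        label_host = urlparse(label.strip()).hostname if "://" in label else None
        if label_host and registrable(label_host) != registrable(href_host):
            findings.append(f"link text shows {label_host!r} but points to {href_host!r}")
        hit = lookalike(href_host)
        if hit:
            findings.append(f"link host {href_host!r} resembles trusted {hit!r}")

    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real mail).
PHISHING_EMAIL = """\
From: "ExampleBank Security" <alerts@examp1ebank.com>
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, verify your account immediately or it will be suspended.</p>
<p><a href="http://examp1ebank.com/login">https://examplebank.com/secure</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "ExampleBank" <statements@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement for this month is ready.</p>
<p><a href="https://examplebank.com/statements">View statement</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        result = analyse(raw)
        print(name, "suspicious =", result["suspicious"])
        for f in result["findings"]:
            print("  -", f)
```

The registrable-domain helper deliberately ignores the public suffix list, so a real deployment would swap it for a proper implementation; the point of the example is that the three checks map one-to-one onto the red flags the article asks users to recognise, and that the lookalike check catches the digit-for-letter substitution that the history section describes.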

By: N. Venkat Abhinav and Ananya Paliwal are students at Symbiosis Law School, Nagpur.

