Phishing is a tech-age crime that has seen a rapid upward trend in the last two decades. It is a type of social engineering attack used to extract sensitive information from the user, such as login credentials, credit card numbers, personal identification numbers and account usernames. The cybercriminal masquerades as a legitimate entity and dupes the victim into opening an email, SMS text or hyperlink, which then leads to the installation of malware, freezing of the system as part of a ransomware attack, or disclosure of personal information.[i]
Such cybercrimes can have a deleterious outcome on financial, mental, social and emotional spheres of the victim’s life.
The increasing rate of phishing in India
India is ranked third on the list of countries targeted by phishers. Moreover, India is also among the top hosting countries for such cyberattacks, second only to the United States. The other nations under the radar of such criminals include Canada, the Netherlands and the United States of America, according to research by RSA Security (Dell Technologies).[ii]
Phishing accounted for 26% of all fraud attacks in India in 2018. Globally, phishing accounted for 50 per cent of all observed fraud attacks in the third quarter of 2018, according to the “RSA Quarterly Fraud Report” for Q3 2018.[iii]
In the third quarter, RSA detected 38,196 total fraud attacks worldwide. The overall phishing volume in Q3 increased 70 per cent from Q2.
Methods used by attackers
Man-in-the-middle attacks – Here, the attacker sits between the user and the real web-based application and proxies all communication that takes place between the user and the website. The technique works for both HTTP and HTTPS communications. The user is in fact interacting with the attacker’s server while believing it to be the real website; simultaneously, the attacker’s server opens a connection to the real site. By proxying the traffic, the criminal captures all of the user’s information.
URL obfuscation attacks – URL obfuscation involves alterations to a URL that the user does not recognise, with the result that the user is sent to a webpage he did not intend to open. Such webpages are typically malicious and are built so that the victim cannot tell them apart from the real website, thereby letting the attacker into the user’s cyberspace. URL obfuscation relies on little-known details of the TCP/IP protocol stack and of URL handling to trick users into viewing a website they did not intend to visit.
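The defensive side of the paragraph above, as an added example that is not part of the original article: a link checker that flags the alterations a user is unlikely to notice (a userinfo part before “@”, percent-encoded host characters, punycode labels, a bare IP host, a very deep subdomain chain). The function name and the sample URLs are constructed for this illustration.

```python
# Added example: flag URL obfuscation indicators before a link is followed.
# Function name and sample URLs are constructed for this illustration.
from urllib.parse import urlsplit
import ipaddress


def url_obfuscation_findings(url: str) -> list:
    """Return the reasons this URL looks obfuscated (empty list = none found)."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # A "user@host" netloc shows a trusted-looking name first; the part after
    # the "@" is the host that is actually contacted.
    if "@" in parts.netloc:
        findings.append("userinfo before '@' hides the real host")

    # Percent-encoding in the host part disguises the characters the user sees.
    if "%" in parts.netloc:
        findings.append("percent-encoded characters in host")

    # Internationalised (punycode) labels can render as look-alike names.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label in host")

    # A raw IP address instead of a domain name gives the user nothing to verify.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass

    # Many subdomains push the real registered domain out of view in the bar.
    if host.count(".") >= 4:
        findings.append("unusually deep subdomain chain")

    return findings


if __name__ == "__main__":
    # Constructed sample links: one plain, one carrying several indicators.
    for sample in ("https://www.example.com/login",
                   "http://trusted.example@203.0.113.5/login"):
        print(sample, "->", url_obfuscation_findings(sample) or "no findings")
```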
XSS (cross-site scripting) – Almost all cross-site scripting (XSS) attacks either use a custom URL or furtively insert code into a genuine web application’s URL or an embedded data field. In most cases, XSS is a consequence of the website failing to validate client input before returning it to the user’s web browser.
Phishing attacks using XSS:
The user logs into an online site.
The attacker has spread ‘mines’ across the website.
The user unknowingly triggers an XSS mine.
The user receives an SMS saying that the session has expired and that they must authenticate again.
The user’s confidential information is sent to the criminal.
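The ‘mine’ scenario in the list above, as an added example that is not part of the original article: a comment board that stores attacker-supplied text and renders it for every later visitor. The unsafe renderer reflects stored values as-is (the missing validation the text describes); the safe renderer HTML-escapes each value on output, and a small self-check reports any tag the template did not produce. All names and data are constructed for this illustration.

```python
# Added example: stored ("mine") XSS, vulnerable vs. output-escaped renderer.
# Names and data are constructed for this illustration.
import html
import re

COMMENTS = []  # stand-in for the site's database


def post_comment(text: str) -> None:
    """Store a comment exactly as submitted; storage itself is not the bug."""
    COMMENTS.append(text)


def render_board_unsafe() -> str:
    """Vulnerable: stored comments are placed straight into the HTML."""
    items = "".join(f"<li>{c}</li>" for c in COMMENTS)
    return f"<ul>{items}</ul>"


def render_board_safe() -> str:
    """Fixed: same page, but each value is escaped before reaching the browser."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS)
    return f"<ul>{items}</ul>"


def has_unexpected_markup(page: str, template_tags=("ul", "li")) -> bool:
    """Self-check on rendered output: any tag the template did not produce
    means user data reached the page unescaped."""
    tags = {t.lower() for t in re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page)}
    return not tags.issubset(set(template_tags))


def demo() -> dict:
    """Plant one harmless 'mine' and compare both renderers."""
    post_comment("Great article!")
    # Constructed mine: markup instead of text, standing in for the injected
    # script that shows the fake "session expired" prompt.
    post_comment("<script>document.title='session expired'</script>")
    return {
        "unsafe_has_script": "<script>" in render_board_unsafe(),
        "safe_has_script": "<script>" in render_board_safe(),
        "unsafe_flagged": has_unexpected_markup(render_board_unsafe()),
        "safe_flagged": has_unexpected_markup(render_board_safe()),
    }


if __name__ == "__main__":
    print(demo())
```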
Recent phishing scams
Operation Phish Phry – Deemed one of the largest international phishing cases ever, Operation Phish Phry saw hundreds of thousands of bank account holders receive legitimate-looking emails that directed them to a fake financial website. The cybercriminals then harvested the banking information of these users as they entered their account numbers and passwords into fraudulent forms.[iv]
This was a large-scale cyberattack conducted by an organised criminal syndicate. The FBI, with the support of Egyptian national security agents, charged more than 100 individuals. The criminals managed to pilfer more than 1.5 million USD from thousands of bank accounts.
RBI phishing scam – In an attack unique of its kind, the fraudsters did not even spare the Reserve Bank of India. The phishing email, purporting to originate from the RBI, promised the recipient prize money of Rs. 10 lakhs within 2 days and provided a link leading to a website that resembles the official RBI website, with similar details such as the logo and page contents.[v] The user is then asked to reveal personal information such as password, I-PIN number and savings account number. However, the RBI posted a warning about the fraudulent phishing email on its official website and also issued a notification in the national newspaper.
Indian legal standpoint
Cybercrime is still not defined anywhere in the Information Technology Act, 2000, the Indian Penal Code, 1860 or even the National Cyber Security Policy. However, a general idea can be gathered from the sections dealing with the broad scope of cybersecurity. Phishing, being a cybercrime, attracts numerous penal provisions under the Information Technology Act, 2000 (as amended in 2008) and the Indian Penal Code, 1860. The 2008 amendments dealt with phishing in much more depth and provide greater clarity on this form of cybercrime. These Acts, read along with the Indian Evidence Act, 1872 and the Bankers’ Books Evidence Act, 1891, also throw some light on the menace of phishing. The following sections deal with phishing:
Section 43 of the Information Technology Act, 2000 – [Penalty and compensation] for damage to computer, computer system, etc. – If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,[vi]
accesses or secures access to such computer, computer system or computer network [or computer resource];
downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
disrupts or causes disruption of any computer, computer system or computer network;
denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;[vii]
[he shall be liable to pay damages by way of compensation to the person so affected.]
Section 66 of the Information Technology Act, 2000 – If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.[viii]
Section 66D of the Information Technology Act, 2000 – Punishment for cheating by personation by using computer resource.–Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.[ix]
Section 420 of the Indian Penal Code, 1860 – Cheating and dishonestly inducing delivery of property – Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.[x]
National Cyber Security Policy, 2013
As of 2013, India had no strategy to deal with threats in cyberspace, the result of which was rampant cyberattacks on individuals as well as the government. Moreover, the American National Security Agency (NSA) whistleblower Edward Snowden suggested that America was conducting surveillance on Indian government agencies.[xi] This prompted the Department of Electronics and Information Technology to come out with the National Cyber Security Policy. The policy explicitly defined ‘Cyberspace’ and set out its ‘Vision’, ‘Mission’, ‘Objectives’ and ‘Strategies’. The main aim of the policy was to safeguard and create a healthy virtual environment, so that the personal information, financial information and confidential data of both individuals and the government can be secured.[xii] This was important because, with the advent of technology, there was heavy reliance on virtual infrastructure. A few of the plans mentioned under the National Cyber Security Policy, 2013 are:
To create mechanisms for obtaining strategic information relating to threats to the Information & Communications Technology infrastructure.
Safeguarding the nation’s critical information infrastructure by operating a 24×7 National Critical Information Infrastructure Protection Centre (NCIIPC).
Strengthening the cybersecurity regulatory framework.
Developing an apparatus for early warning of security threats, vulnerability management and response to such cyber threats.
Creating awareness among citizens about cyber threats and also investing in Research & Development in cybersecurity.
The government’s digitisation endeavours and persistent efforts to develop the nation into a ‘cashless economy’ have made India a lucrative target for cybercriminals. Therefore, it is only natural that the nation will encounter more such scams and crimes on its road to development.
Hence, the need of the hour is to come out with more stringent laws that directly deal with such new-age internet crimes. The legislature should also amend the existing provisions and make them area-specific, as most of the current cyber laws cover a broad range of crimes but remain very vague in their meaning. Current Indian law nowhere clearly defines what cybercrime is. It is therefore time that the authorities took this issue seriously and curbed the problem of phishing and pharming while it is still at a nascent stage.
Citizens should also be made aware of electronic forms of crime. Since this is a relatively new and far more sophisticated form of criminal activity, most victims do not understand what has been done to them and, as a result, do not report the crime to the police. This can be changed by improving digital literacy. Newspapers and TV channels should inform people about such frauds and also explain how to protect themselves. Internet users should be careful while browsing online, use good-quality antivirus software, visit only verified websites and not open spam emails. They must report to the police immediately if they believe they have been duped.
[i] Neeraj Arora, Phishing scams in India and legal provisions, Neeraj Arora Blog, available at http://www.neerajaarora.com/phishing-scams-in-india-and-legal-provisions/, last seen on 10/09/2019.
[ii] Shubham Sharma, India, US among top targets, says report, India among top 4 countries targeted for phishing attacks: Report, NewsBytes, available at https://www.newsbytesapp.com/timeline/Science/36667/161870/india-among-top-phishing-targeted-countries, last seen on 10/09/2019.
[iii] PTI, India among top 3 countries most targeted for phishing: Report, The Economic Times (25/05/2018), https://economictimes.indiatimes.com/tech/internet/india-among-top-3-countries-most-targeted-for-phishing-report/articleshow/64318150.cms, last seen on 10/09/2019.
[iv] Brad, The 5 most famous phishing scams in history, The top 5 phishing scams in history – what you need to know, Phish Protection Blog, available at https://www.phishprotection.com/blog/the-top-5-phishing-scams-in-history-what-you-need-to-know/, last seen on 10/09/2019.
[v] SIFY, RBI reveals banking frauds grew by 74 percent from last year in RTI query, Sify Finance (03/06/2019), available at https://www.sify.com/finance/rbi-reveals-banking-frauds-grew-by-74-percent-from-last-year-in-rti-query-news-bank-tgdrxWgedgebi.html, last seen on 11/09/2019.
[vi] S. 43, The Information Technology Act, 2000.
[vii] S. 43, The Information Technology Act, 2000.
[viii] S. 66, The Information Technology Act, 2000.
[ix] S. 66D, The Information Technology Act, 2000.
[x] S. 420, The Indian Penal Code, 1860.
[xi] Sanjiv Tomar, National Cyber Security Policy 2013: An Assessment, Institute for Defence Studies and Analysis Blog, available at https://idsa.in/idsacomments/NationalCyberSecurityPolicy2013_stomar_260813, last seen on 11/09/2019.
[xii] Cyber Security, NITI, available at https://www.niti.gov.in/sites/default/files/2019-07/CyberSecurityConclaveAtVigyanBhavanDelhi_1.pdf, last seen on 11/09/2019.
ABOUT THE AUTHOR
Siddharth Jain is a second-year law student at Rajiv Gandhi National University of Law, Punjab. He has a keen interest in mercantile, space and cyber-tech laws.