A Glance At Online Fraud ' Phishing

• Published date: 08 August 2022
• Subject Matter: Media, Telecoms, IT, Entertainment, Privacy, IT and Internet, Data Protection
• Law Firm: Karanjawala & Company
• Author: Ms Nandini Gore, Karanveer Singh Anand and Yash Dubey

PHISHING: MAKING INDIA DIGITALLY SECURE

We need a rule that regulates data, which is not personally identifiable, to deter cybercrime and to ensure that firms protect their assets

With the onset of the digital era, crimes in cyberspace have been aggressively increasing - taking myriad forms and targeting people for both monetary and informational reasons. The effects of cybercrime are significant for a country like India, where both traditional and digital literacy rates, are still low, despite slight improvements in the past few years. Phishing scams, internet fraud, online IPR (intellectual property) violations, identity theft, online harassment and bullying are some of the common types of cybercrimes.

Among these malicious attacks, phishing (pronounced fishing) in particular, lacks a statutory framework and therefore a definition. The crime usually manifests in two ways: i) impersonation of a legitimate person and ii) theft of data. Given the lack of a regulatory framework around phishing, this article attempts to understand the phenomenon and the manner in which it is regulated under the existing laws.

Understanding Phishing

From planes to rockets, the human race has made significant technological strides over the past century. Perhaps, the most important invention of all would be the the Internet - a technology that allows people across the globe to communicate with each other at the click of a mouse or the press of a few buttons.

Now with the pandemic, a major part of human lives have shifted to the virtual world. But the convenience hasn't come without its share of hassles. Internet applications and software, function utilising both private as well as non-personal data. This has allowed criminals to gain access to a significant amount of personal data, including details of financial transactions.

To this end, 'phishing' - wherein an individual impersonates another in the virtual world to gain access to sensitive data- has been found to be one of the least expensive methods for criminals. Though steps have been takento curb the same, they have not proved to be entirely efficient thus far.

(Thus, phishing essentially involves a person sending a bogus communication to another wherein they impersonate a trusted source so as to gain sensitive information. The objective behind phishing is to steal sensitive information/data or infect a victim's machine with malicious software. Examples of such communication include, sending fraudulent mails and messages on behalf of some bank in the hope of gaining credit card information.

How Phishing Happens?

Phishing occurs when an unsuspecting victim follows through on a fake e-mail, link, or any other kind of communication that may appear to have been sent by an individual or an organisation, which the viticm trusts.. In most cases, the malware gets automatically or unintentionally downloaded onto the target's device. Some of the most prominent ways in which phishing occurs are;

1. Link manipulation
2. IDN (International domain name) spoofing
3. Filter evasion
4. Social engineering, etc

Once installed, the malware begins to extract confidential information and, in some cases, even corrode the software.. Some of the most pernicious dangers of phishing include;

1. Financial Loss
2. Data Loss
3. Corruption of the device
4. Unauthorised use of user data

Laws Governing Phishing in India

In order to gain an overall understanding of phishing within India's statutory framework we will bifurcate the criminal and data protection aspect of phishing and then understand the laws covering the same, individually.

Criminal Aspect of Phishing

Given that phishing involves a practice where data is extracted from the virtual world, it is treated as a cybercrime and as such, is subject to the provisions of the Information and Technology Act, 2000 ( ('IT Act). The provisions dealing with the crime were incorporated via the 2008 amendment. The provisions that have been incorporated and regulate the crime of phishing are :

• Section 43 - extracting or accessing data without consent

Section 43 stipulates that if an individual accesses another person's computer system or network for the purposes of downloading, accessing...