This article has been written by Rajasimha Shastry BK pursuing a Diploma Course in Advanced Contract Drafting, Negotiation, and Dispute resolution from LawSikho.
This article has been published by Shoronya Banerjee.
Phishing is an act of impersonation in which a website or message pretends to come from a legitimate source in order to collect confidential data. It is also known as “brand spoofing” and “carding.” The act involves two steps: first the theft of an identity, then the collection of confidential data using it. Hence, it is also referred to as a “two-fold scam” and a “cybercrime double play.” With the rise of internet usage and of transactions done online, the number of victims and the losses caused by phishing have increased tremendously, and the COVID-19 pandemic, which pushed more of people’s daily activity onto the internet, increased them manifold. It is currently estimated that the total damage caused by cybercrime will reach 10.25 trillion by 2025, and phishing is anticipated to be a major contributor to this number.
Types of phishing
While there are multiple kinds of phishing methods, such as spear phishing, smishing, vishing, whaling, clone phishing and watering-hole phishing, they can be grouped into four methods:
- The first is the Dragnet method, which uses spammed emails, websites, pop-up windows or fake banner advertising bearing falsified corporate identification, all addressed to a large class of people. For example, in the case of United States v. Carr, the phisher pretended to be AOL and sent emails asking AOL customers to update their credit card details.
- The second is the Rod and Reel method, in which specific prospective victims are identified in advance and fed false information that induces them to share their personal data. For example, in the case of United States v. Gebresehir, letters on bank letterhead, together with altered or counterfeit Internal Revenue Service (IRS) forms, were sent to the victims. The forms were to be filled in and returned by fax. The fax numbers given were not those of the legitimate institution but internet-based fax numbers, which converted the faxes into email attachments and forwarded them to email accounts controlled by the phisher. Wire transfer instructions were then sent to the banks and money was transferred out of the victims’ accounts.
- The third is the Lobsterpot method, which involves the creation of spoof websites. Certain people are identified and directed from other websites to the spoof website, where their details are collected. An example of this method is the case of United States v. Kalin. The phisher created a spoof website imitating DealerTrack Inc., which provides services to auto dealerships via the internet. Because the site was identical to the real one, dealership employees mistakenly entered their user IDs and passwords into it, giving the phisher access to their accounts and personal data.
- The last is the Gillnet method, in which malicious code is introduced into websites or emails. Merely accessing such a website or email can lead to a malware infection of the user’s device.
As with most other types of crime, the defence against phishing is two-fold. Even where stringent laws exist, constant vigilance by internet users and by online institutions (e.g., banks with net banking infrastructure) remains a necessity. The best way not to fall victim to phishing is to be vigilant, because, despite best efforts, the effectiveness of the law is limited for three reasons. Firstly, it is difficult to find the perpetrator of an online crime: a sent email travels through a complex path, and phishers use unsecured servers, or “open relays,” to hide their identity, so there is a good chance that the perpetrator is never found. Secondly, it is difficult for a court to obtain personal jurisdiction over the phisher. Phishing is often a cross-border activity, and the phisher may be located in a foreign country beyond the law’s reach; even if the phisher is identified, bringing him or her to justice may not be possible.
Of all the phishing scams that occurred in the US in 2005, only 32% of the phishing websites were located in the United States. Thirdly, there is the problem of the perpetrator being judgment-proof. Even after the victim wins large punitive damages, the perpetrator either fails to appear, files for bankruptcy, or simply disappears once the judgment is delivered. Sometimes judgments cannot be enforced against perpetrators because they transfer their assets offshore to keep them beyond the reach of the courts. The US House of Representatives, too, has acknowledged the lack of effectiveness of civil enforcement.
Despite the limited effectiveness of such laws, it is pertinent to have them. It is better to acknowledge a crime as a crime and punish its commission than to ignore it because it is hard to control. Legislation can act in two ways: it can prevent phishing from happening in the first place, or it can pursue and punish phishing already committed.
The U.S.A – At the federal level, while there are laws such as the CAN-SPAM Act of 2003, the U.S. SAFE WEB Act of 2006, and the I-SPY Prevention Act of 2007, there is no law that specifically penalizes phishing. The Anti-Phishing Act of 2005 was proposed as a bill in that year but was never passed into law. It proposed criminalizing phishing emails and websites regardless of whether the recipient of the email or the visitor to the website suffered damages. The bill was put forward by Senator Leahy in these terms: “The [Act] protects the integrity of the Internet in two ways. First, it criminalizes the bait. It makes it illegal to knowingly send out a spoofed email that links to sham websites, with the intention of committing a crime. Second, it criminalizes the sham websites that are the true scene of the crime.” There are, however, anti-phishing laws in many states of the US.
Australia – Under Australian law, too, there is no legislation that addresses phishing directly. However, there are laws at both the federal and state level that cover phishing, such as the Crimes Act 1958, the Criminal Code 2002 (ACT), the Spam Act 2003, the Trade Practices Act 1974, the Privacy Act 1988, and similar equivalent legislation. Also, in 2007 a discussion paper on identity crime was released which recommended the creation of three new model offences: (1) identity crime, encompassing identity theft and identity fraud; (2) on-selling identification information; and (3) possession of equipment to create identification information.
India – India’s legislative response has been similar to that of Australia and the US. India today is one of the major targets of phishers. While there is no legislation that addresses phishing directly, there are laws that cover phishing activities. Phishing was first identified as such by the Delhi High Court in the well-known case of NASSCOM v. Ajay Sood in 2005. The court stated that there were no laws on “phishing” and that the laws on misrepresentation and passing off would be used against it. Later, in 2008, the Information Technology Act 2000 was amended to add provisions on identity theft and cheating by impersonation; however, the amendment still did not address “phishing” directly.
The legislation that criminalizes phishing comprises the IT Act 2000 and the Indian Penal Code, while the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules) regulate the corporate bodies that handle personal data. It is also to be noted that the Reserve Bank of India regulates payment gateways and payment aggregators.
While there is a plethora of provisions under which the act of phishing can be prosecuted, a few areas remain to be addressed. The SPDI Rules are narrow and limited in both scope and application: they apply only to an individual’s personal data, and government agencies and NGOs that collect data from individuals are exempt from them. Nor do they govern, or provide a framework for, the protection of the data of corporate entities. This gap affects start-ups in particular, which are keen to keep their costs low; the Government, however, plans to come up with open-source security tools. As regards the Reserve Bank of India’s regulations, the widespread use of AI and digitization makes them less effective, as metadata can still be exploited. Hence, while there are plenty of laws in place, there are gaps that ought to be filled.
Phishing is, by its nature, a cross-border activity. Hence, international coordination is required; national laws against phishing without international coordination would be futile. Attempts at international coordination have been made, and the United Nations Convention Against Transnational Organized Crime and the Council of Europe Convention on Cybercrime have been suggested as models. However, international consensus has proved difficult to attain.
To conclude, companies that fall victim to phishing are seriously affected. Not only do they lose data; they also suffer monetary loss, productivity loss, customer loss and IP theft, and, most importantly, their reputation and company value are severely damaged. Moreover, when companies fall victim they are held responsible, and heavy fines must be paid by an organisation for mishandling customers’ data. For example, Sony paid millions of dollars in 2014 after a breach in which the leaked data contained personal information about Sony Pictures employees, emails between employees, information about executive salaries, copies of then-unreleased Sony films, plans for future films, scripts for certain films, and so on.
The company was the victim of spear-phishing, in which emails carrying malware were sent to its employees. Hence, more effective laws, international coordination, and constant vigilance are all necessary in the fight against phishing.