This article has been written by Nandini Mukati of SLFJPS, National Forensic Sciences University, Gandhinagar. This article provides detailed information about phishing attacks and its types.

This article has been published by Sneha Mahawar.

Introduction

People are increasingly sharing their private records online as the internet becomes more widely used. As a result, fraudsters have access to a large number of personal documents and financial transactions. Despite the fact that technical security measures are improving, phishing remains one of the cheapest and easiest ways for cyber thieves to obtain access to critical data. Victims might put their company’s security at risk and expose themselves to identity theft simply by clicking a link. Personal information, such as usernames and passwords, as well as financial information, such as credit card numbers, could be compromised.

Phishing attacks occur when a person sends a fake message that appears to come from a trusted source. Email is the most used method of communication. The purpose is to steal sensitive information such as credit card and login information, or to infect the victim’s computer with malware. Phishing is a frequent sort of cyberattack that everyone should be aware of in order to stay safe online.

What is a phishing attack 

Phishing is a type of social engineering assault that is commonly used to obtain sensitive information from users, such as login credentials and credit card details. When an attacker poses as a trustworthy entity and convinces a victim to open an email, instant message, or text message, they are engaging in social engineering. After then, the recipient is duped into clicking a malicious link, which can result in the installation of malware, the freezing of the machine as part of a ransomware assault, or the disclosure of sensitive information.

The consequences of an attack can be disastrous. Unauthorised purchases, money theft, and identity theft are all examples of this for individuals.

Phishing attacks are frequently employed as part of a wider attack, such as an Advanced Persistent Threat (APT) event, to create a foothold in business or governmental networks. Employees are compromised in this scenario in order to go beyond security perimeters, disseminate malware inside a closed environment, or get privileged access to protected data.

An organisation that is the victim of such an attack usually suffers significant financial losses as well as a loss of market share, reputation, and consumer trust. A phishing attempt, depending on its extent, could turn into a security catastrophe from which a company will have a tough time recovering.

Some real-world examples of phishing

• Operation Phish Phry (2009): Operation Phish Phry was dubbed the greatest worldwide phishing investigation ever by the FBI in 2009. Hundreds of consumers of banks and credit cards received official-looking emails leading them to bogus financial websites. Victims filled out bogus forms with their account numbers and passwords, providing the attackers easy access to their personal information. The con artists were really well-organised. When it comes to ambitious, wide-scale cyberattacks, then-director Robert Mueller used it as an example of how large organised criminal syndicates are indistinguishable from nation-state actors. There is just no way to determine who the true perpetrator is until the investigation is completed. It was clear from the beginning that Operation Phish Phry would be a large-scale undertaking. The FBI eventually charged over 100 people, with over half of them being apprehended outside of US soil thanks to Egyptian National Security Officials’ Cooperation.
• Google under phishing attack (2017): Users of the Google email service “Gmail” allegedly received a legal notice from the Gmail team asking them to update their account name, password, occupation, birth date, and country of residence within seven days of receiving the warning, with the warning that if they did not update their details within seven days of receiving the warning, their account would be permanently lost. However, a Google official denied receiving any such legal letter, claiming that personal information was obtained through a phishing attack known as spoofing or password phishing.
• The Ukrainian Power Grid Attack (2015): The attack on Ukraine’s electrical grid in December 2015 was a watershed moment in the country’s history. It was the second time malicious firmware was created with the intent of harming physical machinery, the first being Stuxnet, which was deployed by the US and Israel to shut down Iranian nuclear centrifuges in 2009. Unlike Stuxnet, however, the Ukrainian malicious firmware attack began with an email phishing attack. It was also the first to employ automatic, scalable malicious firmware updates, allowing a small group to take down several sites at once. For months before the attack, Russian cyberintelligence operators had access to the power plant’s data and facilities and meticulously planned every stage of the strike for maximum effect. Because cybercriminals may develop custom-coded malicious software for electrical power station nodes, they can potentially override anything on a network, from printers and refrigerators to planes and airport communications towers, provided they have access to it. A single blunder made by a power plant employee led to this historic cyberattack. It might have been avoided totally with comprehensive phishing prevention and training.
• ICC World Cup (2011): Internet users in the host countries, particularly India, Bangladesh, and Sri Lanka, where the World Cup matches were taking place, had been targeted by fraudsters. The phishing attacks were clearly focused on India, which was hosting 29 World Cup matches. A phishing attack against a financial institution is related to the modus operandi. Through a similar-looking bogus website of the event’s organisers, the scammers attempted to attract victims with exclusive bargains and packages for the event’s grand finale. In order to purchase tickets and packages, users were asked for credit card information as well as personal information. The victim’s internet banking account was then hacked, resulting in financial losses.
• The Target/FMS Scam : The Target Data Breach, which compromised 110 million customers, including 41 million retail card accounts, was one of the year’s biggest news events. Few news outlets covered the breach at the time, but the entire findings of the probe are now available. Target was not directly attacked by cybercriminals, as it turns out. They targeted Fazio Mechanical Services (FMS), a third-party HVAC company with trusted access to Target’s servers. It was trivial to acquire entire access to Target’s servers after compromising FMS. The message is clear: trusting links must be reviewed by an independent expert. Someone in your firm should consider if keeping a trusted link is worth the potential security risk.
• Reserve Bank of India (RBI) Phishing Scam (2012): In a first of its kind phishing attempt, scammers had targeted the Reserve Bank of India. The phishing email, which had purported to come from RBI, promised the targeted public, prize money of Rs.10 lakhs within 48 hours if they clicked on a link that took them to a website that looked exactly like the RBI’s official website powered with the same logo and web address. After that, the user was prompted to give personal information such as his password, I-pin, and savings account number. The RBI, on the other hand, issued a warning about the fake phishing e-mail on its official website. The Reserve Bank of India has been warning the public about unscrupulous persons operating under the name of the RBI and scamming the general population on a regular basis. These criminals forge RBI letterheads, send emails purporting to be from RBI officials, and entice consumers with fraudulent offers, lottery winners, and remittances of inexpensive foreign cash from outside. The general public is pressured to pay money in the form of currency transaction fees, foreign currency conversion fees, and prepayment, among other things. As part of its ‘Public Information Campaign,’ the RBI has been spreading awareness about bogus emails through different methods such as sending SMS to members of the public, outdoor advertising, and telecasting awareness videos.
• IT department phishing scam (2016): An email pretending to be from the Income Tax Department convinced the user, qualified for an income tax refund based on his most recent yearly calculation, and then asked for his PAN CARD number or credit card information. To the Computer Emergency Response Team-India, better known as the CERT-In, the department has reported over 100 phishing emails and hacking attempts through phoney websites and links. The CERT-In has been informed that these emails are a serious concern for taxpayers and the Income Tax Department, as this malicious Internet assault directly dents the taxman’s efforts to effectively engage with the taxpaying public in a paperless and non-adversarial manner, as well as deters an individual from conducting safe e-transactions. The threat of phishing emails has grown to the point where the Central Board of Direct Taxes (CBDT) issued a statement and public advisory assuring taxpayers that they will never be asked for sensitive financial information such as PIN numbers, passwords, or credit or debit card information.

How did phishing get its name

The phrase “phishing” was first recorded in Koceila Rekouche’s cracking toolkit AOHell in 1995, however, it’s probable that the term was first used in a print version of the hacker magazine 2600 prior to that. Phishing hasn’t always been as ubiquitous and well-known as it is today. Despite the fact that the technique began about 1995, ordinary people were not aware of it until nearly a decade later. That isn’t to say that phishing hasn’t always been a force to be reckoned with. It is vital to have a rudimentary awareness of the history of such scams in order to prevent becoming a victim of one.

Phishing scams entice consumers to hand over sensitive information by using counterfeit emails and websites. It’s no surprise that these ruses are known as “phishing.” There’s also a valid reason why the phrase is spelled with a “ph” rather than a “f.” Phreaks were a term used to describe some of the first hackers. The examination, testing, and analysis of telecommunication networks is referred to as phreaking. Phreaks and hackers have long had a symbiotic relationship. Phishing scams were linked to these underground communities using the “ph” spelling.

The evolution of phishing

Phishing hasn’t altered much since its AOL glory days in many aspects. Phishers shifted their focus to online payment systems in 2001. Although the initial attack on E-Gold in June 2001 was deemed unsuccessful, it did sow a crucial seed. If you weren’t paying attention, phishers registered dozens of domains in late 2003 that looked exactly like reputable sites like eBay and PayPal. They sent out fake emails to PayPal customers using email worm tools. Customers were directed to counterfeit websites and prompted to update their credit card information and other personal information.

Phishers were experiencing a large wave of success by the beginning of 2004, which included attacks against financial sites and their consumers. Victims’ personal information was collected through pop-up windows. Approximately 1.2 million customers in the United States lost $929 million as a result of phishing between May 2004 and May 2005. Phishing costs businesses over $2 billion per year and is now considered a fully structured black market activity. On a global scale, specialised softwares capable of handling phishing payments are increasing, thereby offloading a significant risk. Organised crime gangs use the software in phishing attacks.

How does a phishing attack work

Phishing takes advantage of the human component to go beyond technological security measures. Technical security safeguards could be rendered worthless as a result of this attack approach. Spear phishing attacks may allow attackers to obtain access to a company’s systems while the company is unaware. These attacks spread malware that allows the attackers to take control of the victim’s computer. This gives an attacker from the outside remote access to the internal network.

Furthermore, as a result of attacks, attackers frequently get access to users’ credentials. With these credentials, you can gain access to restricted systems or data. Using privileged access from compromised computers or credentials to an organisation’s systems, many technological security safeguards can be evaded. As a result, attackers may be able to pivot and escalate their access to other systems and data. In the end, this might lead to a total compromising of an organisation. This could involve consumer and staff data theft, source code leaks, website defacement, and so forth.

What are the different types of phishing attacks

What is spear phishing

In contrast to random application users, spear phishing targets a specific person or company. It is a more sophisticated form of phishing that necessitates specific knowledge of an institution, especially its power structure. An attack could look like this:

1. A culprit looks for the identities of personnel in a company’s marketing department and acquires access to the most recent project bills.

2. Posing as the marketing director, the attacker sends an email to a departmental project manager (PM) with the subject “Updated invoice for Q3 campaigns.” The wording, style, and logo are all identical to the organisation’s normal email template.

3. A link in the email goes to a password-protected internal document, which is actually a forgery of a stolen invoice.

4.  In order to access the document, the PM is asked to log in. The attacker obtains complete access to sensitive portions of the organisation’s network after stealing his credentials.

Spear phishing is a successful way for performing the first stage of an APT because it provides an attacker with valid login credentials.

What is whaling

Whaling is similar to spear phishing, except that instead of targeting any person within a firm, scammers target senior executives (or “the big fish,” as the term implies). This includes the CEO, CFO, and any other high-ranking executive who has access to more sensitive information than lower-level personnel. To hook their victims, these emails frequently exploit a high-pressure circumstance, such as relaying a statement from the firm being sued. This tempts recipients to click on the malicious link or attachment in order to learn more.

What is smishing

SMS phishing, often known as smishing, is a phishing attempt that uses text messages rather than email. They operate similarly to email-based phishing attacks: Attackers send texts with malicious links from what appear to be reputable sources (such as trusted businesses). Links could be disguised as a promotional code (20% off on your next order!) or an offer to win something, such as concert tickets.

What is vishing

Vishing, otherwise known as voice phishing, is similar to smishing in a manner that here a phone is used as the mode for an attack, but instead of exploiting victims via text message, it’s done with a phone call. A vishing call often relays an automated voice message from what is meant to seem like a legitimate institution, such as a bank or a government entity. 

Attackers might claim you owe a large amount of money, your auto insurance is expired or your credit card has a suspicious activity that needs to be remedied immediately. At this point, a victim is usually told they must provide personal information such as credit card credentials or their social security number in order to verify their identity before taking action on whatever claim is being made.  

What is email phishing

Phishing through email is a numbers game. Even if only a tiny number of receivers fall for the scam, an attacker who sends out thousands of bogus communications can obtain valuable information and money. As previously mentioned, attackers employ a variety of strategies to improve their success rates.

For one thing, they’ll go to considerable pains to make phishing messages look like real emails from a fake company. The mails appear to be real because they use the same language, typefaces, logos, and signatures.

Furthermore, attackers will frequently aim to compel users to act by instilling a sense of urgency. As an example, as previously demonstrated, an email may threaten account expiration and set a countdown for the receiver. The user becomes less diligent and more prone to errors as a result of the pressure. Finally, links inside messages look exactly like their legitimate counterparts, although they usually feature a misspelt domain name or additional subdomains. 

The URL myuniversity.edu/renewal was replaced with myuniversity.edurenewal.com in the preceding example. The similarities between the two addresses give the sense of a secure connection, making the recipient less aware of the attack.

What is search engine phishing

Hackers use search engine phishing to create their own website, which is then indexed by legitimate search engines. These websites usually advertise low-cost products and amazing pricing in order to entice naive online shoppers who come across the site while searching on Google. Consumers who click on it are frequently prompted to register an account or enter their bank account information in order to complete a transaction. Scammers will, of course, grab this personal data and use it for financial gain or identity theft.

What is social media phishing

Social media phishing occurs when attackers utilise social networking sites such as Facebook, Twitter, and Instagram to gain personal data from victims or to trick them into clicking on harmful links. Hackers may build phoney accounts impersonating someone the victim knows in order to trick them into falling into their trap, or they may impersonate a well-known business’s customer service account in order to prey on victims who contact the brand for help.

What is cryptocurrency phishing

Crypto phishing, like ordinary phishing, occurs when scammers contact potential victims and persuade them to transfer funds or provide their passwords for currency wallets. Crypto phishing can occur via email, SMS, social media, and chat.

One of the most well-known recent cases involved a 17-year-old Florida scammer who hacked the Twitter accounts of celebrities such as Bill Gates, Elon Musk, Barack Obama, Joe Biden, and others and used them to persuade crypto investors to send him money to capitalise on a sure-fire investment – and bilked people out of $100,000 in cryptocurrency.

Provisions for phishing under Indian Law

Phishing is a somewhat novel concept, having been unheard of only a few years ago. However, the number of phishing incidents in India has recently increased, with the unsuspecting public falling prey to the diabolical design of fraudsters. In India, the most typical form of phishing is an email posing as a bank, asking you to confirm your personal information/login details for some fictitious reason, such as the bank upgrading its server. Needless to say, the email includes a link to a phoney website that seems identical to the real one. Customers who mistakenly believe it is from the bank provide the requested information, which is then sent to identity fraudsters.

Under the Information Technology Act 2000, phishing is a serious offence. This act was amended in the year 2008, which added a few new provisions and solutions that give a scope to deal with the phishing activity. 

1. Section 66: The phisher has gained access to the victim’s account, which will not be feasible unless and until the fraudster fraudulently makes changes to the victim’s account on the bank server, such as deletion or alteration of information/data. As a result, this behaviour is explicitly covered and penalised under Section 66 of the IT Act.
2. Section 66A: Any person who communicates information that he knows to be false but does so with the aim to harm a victim is subject to the penalties set out in Section 66 of the IT Act.
3. Identity theft is punishable under Section 66C. According to the provision, “Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.”
4. Furthermore, Section 66D of the Information Technology Act, 2000  deals with the penalties for cheating by impersonating someone else and using a computer resource.

Phishing is a serious worry in today’s e-commerce industry in India, as there is no one-size-fits-all solution to prevent phishing attacks. However, it has been observed that in the majority of phishing scams around the world, notably in India, the hacker is successful due to misinformed, gullible customers. As a result, in addition to mitigating or preventative measures, customer education and awareness are critical in combating the threat of “Phishing.”

5. Section 77B of the IT Act, 2000 makes all sections of the IT Act, 2000 that are related to phishing scams bailable (Amendments 2008). This is most likely due to the fact that no one knows who the genuine criminal is. There is always a translucent screen in front of the phisher that masks their identity, and there may be cases where the wrong person is convicted for a crime they did not commit, which is why the charge should be made bailable. Phishing can also be prosecuted under the Indian Penal Code,1860 for cheating (Section 415), mischief (Section 425), forgery (Section 464), and abetment (Section 465), abetment of a thing (Section 107).

Judicial perspective

Here are a few significant judicial decisions.

Shreya Singhal v. Union of India (2015)

In this case, the Supreme Court of India has ruled that Section 66A of the Information Technology Act of 2000 is completely unconstitutional. The Petitioners argued that Section 66A was unconstitutionally vague and that its intended protection from annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, or ill-will fell outside the scope of permissible restrictions under Article 19(2) of the Indian Constitution. The Court concluded that the prohibition against disseminating material through a computer resource or a communication device with the intent to annoy, inconvenience, or insult did not come under any reasonable exceptions to the right to freedom of expression. It went on to say that because the provision didn’t define phrases like discomfort or annoyance, “a vast quantity of protected and innocent speech” may be reduced and that its scope was too broad and unclear.

Nasscom v. Ajay Sood & Others  (2005)

In this case, the Delhi High Court found phishing via the internet to be a criminal act in the case of the National Association of Software and Service Companies vs. Ajay Sood & Others, handed down in March 2005. On the subject, a cybercrime case study was completed.

In order to set a precedent in India, the court defined phishing as “a type of internet fraud in which a person impersonates a legitimate organisation, such as a bank or an insurance company in order to extract personal data from a customer, such as access codes, passwords, and other sensitive information.”Personal information obtained by misrepresenting the legitimate party’s identity is frequently exploited to the benefit of the collecting party.

Despite the fact that there is no specific legislation in India that criminalises phishing, the Delhi High Court declared it to be an illegal act, defining it as “a misrepresentation made in the course of trade, leading to confusion as to the source and origin of the email, causing immense harm, not only to the consumer, but also to the person whose name, identity, or password is misused.” The court ruled that phishing is a form of impersonation that tarnishes the Plaintiff’s image.

The National Association of Software and Service Companies (Nasscom), India’s top software association, was the Plaintiff in this lawsuit. The defendants ran a placement firm that specialised in headhunting and recruitment. The defendants created and sent emails to third parties in the name of Nasscom in order to gather personal data that they could exploit for headhunting reasons.

Plaintiff’s trademark rights were recognised by the high court, which issued an ex-parte ad interim injunction prohibiting the defendants from using the trade name or any other name that is confusingly similar to Nasscom. The defendants were also barred from claiming to be affiliated with or a part of Nasscom, according to the court. A commission was constituted by the court to undertake a search warrant at the defendants’ residence. The court-appointed local commissioner took custody of two hard drives from the laptops from which the accused sent fake emails to various parties. The problematic emails were then extracted from the hard drives and presented in court as evidence.

During the course of the cyberlaw lawsuit in India, it became obvious that the defendants, in whose names the infringing e-mails were sent, were false identities constructed on the defendants’ orders by an employee to prevent detection and legal action. After the fraudulent act was discovered, fictional names were removed from the list of defendants in the case.

Following that, the defendants agreed to their illegal actions, and the parties reached an agreement by recording a compromise in the court proceedings. According to the terms of the settlement, the defendants agreed to pay the Plaintiff Rs1.6 million in damages for infringement of the Plaintiff’s trademark rights. The hard drives seized from the defendants’ premises were also ordered to be handed over to the Plaintiff, who would be the rightful owner of the hard discs. This case achieves two significant milestones: it places “phishing” within the scope of Indian law, despite the lack of explicit legislation; and it dispels the myth that there is no “damages culture” in India for infringement of intellectual property rights. This decision supports IP owners’ faith in the Indian court system’s ability and desire to safeguard intangible property rights, as well as sending a strong message to IP owners that they can do business in India without surrendering their intellectual property rights.

Punjab National Bank v. Poona Auto Ancillaries Pvt. Ltd. (2018)

A major argument raised in the Poona Auto Ancillaries case is the police department’s carelessness in dealing with cyber crimes like phishing, which resulted in a loss of over Rs. 45 lakhs in this case. As a result, the Bombay High Court ordered the Maharashtra Police Department to hold specific training seminars for all staff assigned to cybercrime units. According to media reports, police officers in several Indian states are increasingly depending on private cyber forensics businesses to assist them in dealing with cybercrime, which is a good step done by law enforcement agencies. However, it was noted that entrusting a private corporation with sensitive data might be difficult, which provides them with even more motivation to build an effective team of cyber security experts within the law enforcement agency.

A nodal entity called the Indian Computer Emergency Response Team (CERT-In) has been established as part of the Ministry of Electronics and Information Technology initiatives to deal with cyber security issues such as phishing. CERT-In processed 208456 cases in 2018, including 454 phishing cases, according to their most recent annual report. In 2020, CERT-In also published a warning about a potential phishing assault during the COVID-19 worldwide pandemic. The authors believe that CERT-In should engage in similar grassroots sensitization efforts to raise awareness about crimes like phishing. This will help people be more cautious while disclosing sensitive personal information.

Protections available in foreign jurisdictions

• The Convention of the Council of Europe on Cybercrime criminalises:

1. Computer-related forgery, such as the use of forged emails; 

2. Unauthorised access to all or part of a computer system, such as access by phishers who hack a system to display a phishing website or webpage; and 

3. Computer-related fraud, such as the fraudulent use of data obtained from the victim that results in property loss, such as fraudulent e-mails that obtain personal financial information.

• The Fraud Act of 2006 in the United Kingdom

In the United Kingdom, the Fraud Act of 2006 addresses the misuse of technology through offences such as phishing, which inevitably include deception and fraud. Other UK legislation used to combat cybercrime include the Computer Misuse Act,1990 and the Network and Information Systems Regulations, 2018. The United Kingdom is also a signatory to the Council of Europe’s Cybercrime Convention.

Protect against phishing attacks

Many phishing emails are likely to be blocked by your spam filters. Scammers are continually trying to circumvent spam filters, so adding extra levels of protection is a good idea. Here are four things you can do right now to guard against phishing attempts.

 Steps to protect yourself from phishing- 

1. Use security software to keep your device safe. Set the software to automatically update so that it can handle any new security threats.
2. Set software to update automatically on your phone to keep it safe. These updates may provide crucial security protection.
3. Multi-factor authentication is a good way to keep your accounts safe. Some accounts provide additional security by needing two or more credentials to log in. Multi-factor authentication is the term for this. There are two types of additional credentials you’ll need to log in to your account:

• Something you have, such as a passcode or a security key obtained through authentication software.
• Something about you, such as a scan of your fingerprint, retina, or face.

If scammers do gain your login and password, multi-factor authentication makes it more difficult for them to log in to your accounts.

4. Backup your data to keep it safe. Make a backup of your data and make sure it’s not connected to your home network. You can store your computer files on an external hard drive or in the cloud. Also, make a backup of your phone’s data.
5. Go to IdentityTheft.gov if you believe someone has your personal information, such as your Social security number, credit card number, or bank account number. You’ll find detailed instructions based on the information you’ve lost there.

Update your computer’s security software if you suspect you clicked on a link or opened an attachment that downloaded malicious software. Run a scan after that.

Effect of a phishing attack

New Ponemon Institute study report of 2021 reveals average phishing costs soar to $14.8M annually, nearly quadrupling since 2015.

Key findings from the 2021 cost of phishing report include: 

• Loss of productivity – One of the most expensive consequences of phishing is productivity loss. This equates to 63,343 wasted hours per year in an average-sized U.S. firm of 9,567 employees. Phishing attacks cost each employee on average seven hours per year, up from four hours in 2015.
• A significant organisation’s annual cost of Business Email Compromise is approximately $6 million. Illicit payments to BEC attackers total $1.17 million per year.
• Ransomware costs large businesses $5.66 million each year. The paid ransoms account for $790,000.
• On average, security awareness training cuts phishing costs by more than half.
• Since 2015, the cost of removing malware infestations has more than doubled. In 2021, the average overall cost of resolving malware attacks will be $807,506 up from $338,098 in 2015.
• Since 2015, the expense of credential breaches has risen considerably. As a result, businesses are paying more money to respond to these threats. From $381,920 in 2015 to $692,531 in 2021, the average cost of containing phishing-based credential compromises has grown. Over the course of a year, organisations encountered an average of 5.3 compromises.
• The most likely maximum loss scenarios should be considered by business leaders. BEC assaults, for example, may cost businesses up to $157 million in business disruptions if they aren’t prepared. Data exfiltration caused by malware could cost firms up to $137 million.

Conclusion

Phishing is a big issue all over the world in the existing e-commerce ecosystem, and it will continue to be so because new internet users lack awareness. Phishers frequently take use of human weaknesses in addition to technological advantages (i.e., technical vulnerabilities). It has been discovered that age, gender, internet addiction, user stress, and a variety of other factors influence people’s vulnerability to phishing. In parallel, phishing has evolved beyond gaining sensitive information and financial crimes to include cyber terrorism, hacktivism, reputational damage, espionage, and state-sponsored attacks. New sorts of phishing mediums such as voice and SMS phishing are on the rise in addition to classic phishing channels (e.g., email and online). Furthermore, social media-based phishing has grown in popularity in tandem with the expansion of social media. As a result, client education and awareness, in addition to mitigating or preventative measures, are crucial in addressing the “phishing” issue. To tackle the menace of phishing, law enforcement agencies, legislators, and the private sectors should work together and coordinate their activities. Continuous security awareness training is critical for avoiding and reducing the impact of phishing attacks. Developing effective anti-phishing measures that prevent people from being exposed to the assault is also an important step in countering these attacks.

References

• http://www.cyberjure.com/phishing-c-11.html
• https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
• https://www.globenewswire.com/news-release/2021/08/17/2281950/35374/en/New-Ponemon-Institute-Study-Reveals-Average-Phishing-Costs-Soar-to-14-8M-Annually-Nearly-Quadrupling-Since-2015.html
• https://www.lawyersclubindia.com/articles/phishing-scams-in-india-and-legal-provisions-3606.asp

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/lawyerscommunity

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.