This article has been written by Shrikar Ventrapragada, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
The term ‘phishing’ is said to have been invented by a very well-known spammer and hacker, Khan C. Smith. The first mention of phishing was found in a hacking tool AOHell, which attempted stealing passwords and financial details of American online users. With the rise of technology, phishing attacks have started to become increasingly sophisticated, allowing the hacker to track everything while the victim is navigating the site. The attackers create a mirror of the site being targeted and lure naive victims into their traps by offering things that are often not true. As of 2020, phishing is considered to be the most common attack performed by cyber-criminals. It is claimed that over twice as many incidents of phishing have been recorded in the past year, as compared to any other type of cyber-crime.
The purpose behind phishing is to lure personal information and steal the user’s identity, critical passwords, robbing bank accounts and consequently taking over the computer to perform an activity that may not be legal. In the article we discuss what is phishing, how does phishing works, how can a person recognise phishing, different techniques of phishing, what are the major factors that gave rise to phishing, and lastly, how the Indian laws deal with phishing.
Phishing is a type of social engineering where an attacker sends a false message created to manipulate a human victim with the intention to fraud them. The attack usually intends on revealing sensitive information of the victim to the malicious software created by the attacker. It is a cybercrime that targets individuals via email, telephone, or text message. Phishing can also be in the form of brand spoofing, where the internet users, browsers are spammed continuously after the user opens a website that is a target area.
How does phishing work?
Phishing starts with a fraudulent email or any other type of communication that is created only with the purpose to lure a victim. The text is deliberately made to look as if it were true and is coming from a trusted sender. Sometimes the malware is automatically downloaded onto the target’s device. If it tricks the victim, they are at the risk of providing confidential information themselves or there is a possibility of coercion as well.
How can a person recognise phishing?
The following reasons might determine whether a person was phished or not:
- Financial loss: Access to details of a person’s bank account leading to unforeseen transactions from a person’s account could be due to phishing. These transactions are either a large one-time amount or are in multiple trenches of smaller amounts.
- Data loss: Breach of the security of the victim’s confidential information, or leakage of credit card numbers, pan card numbers, or other personal details.
- Malware into your electronic device: A virus in any of your electronic gadgets within the range of your reach, it can be a laptop, mobile, tablet or even Wi-Fi routers can be a route for phishing.
- Illegal use of the user’s details: Whenever any of your details are used for any purpose without your knowledge or relevance could be due to a phishing attack on the user.
Different techniques of phishing
1. Link manipulation
The most common type of phishing uses a type of technical deception created by a link in an email that appears to belong to an organization the attackers are impersonating. The misspelling of URLs is the most common trick used.
- For example: http://www.amazon.malicious.com/; in this example for a normal person, this URL might seem normal, but in reality, this is a URL that is guiding the user to the ‘malicious’ section of amazon.com and not to the regular website. This link would lead to the phisher’s website which would eventually lead to tracking and compromising of critical information of the user.
2. IDN (International domain name) spoofing
IDN’s can be exploited by creating web addresses that are similar to that of a legitimate site, which leads to the malicious version of the website. These URLs are visually identical to that of the legitimate site but instead lead to the crooked version. This problem cannot be solved with the help of digital certificates because it is a possibility that the phisher could purchase a valid certification and subsequently manipulate the content to spoof a legitimate website or could even host the phished site without even using the SSL at all.
3. Filter evasion
Attackers often use images in place of texts to make it much more difficult to be detected by an anti-phishing filter, which is commonly used in phished emails. This technique can be solved with the help of a much more technologically advanced sophisticated anti-phishing filter Optical Character Recognition (OCR). This filter can recover the hidden text in images, hence preventing phishing.
4. Social engineering
Most phishing attacks are caused due to the psychological manipulation of the users and not due to the lack of computer knowledge. Most types of Phishing attacks consist of some kind of social engineering, in which the users are lured to clicking a link or opening an attachment, or giving some confidential information. Phishers create a sense of urgency in the mind of the users by claiming the accounts will shut down or it will be seized if so and so action is not performed. Following which the critical information is compromised. Other than these, the attackers use fake news articles which are created to provoke the user into clicking a link without properly analyzing what they are entering into. After entering a website, the users are exploited to the web browser vulnerabilities in installing malware.
Major factors for the increase in phishing attacks
- Unawareness among the public: There has been a lack of awareness on the subject of phishing attacks among the masses in India. The targets are unaware of the fact that they are the ‘targets’ of the cybercriminals and are reckless while browsing on the internet and do not take proper care and precaution.
- Unawareness of policies: Fraudsters often take advantage of the lack of knowledge of banking policies and procedures which are made for the customers particularly in the area of account maintenance.
- Technical advancement: even if the customers are aware of the scams, phishers are creating methods that are much more advanced and sophisticated when compared to the banking servers. An example of such technology is DDoS (Distributed Denial of service).
Provisions for phishing under the Indian laws
Phishing is a fraud that is recognized as cybercrime and attracts many penal provisions of the Information Technology Act, 2000 (hereinafter referred to as ‘IT Act’). This act was amended in the year 2008, which added a few new provisions and solutions that give a scope to deal with the Phishing activity.
The sections which apply to phishing under the IT Act are:
- Section 43: If any person without the permission of the owner of the computer, computer system, computer network; accesses, downloads, introduces, disrupts, denies, or provides any assistance to other people can be held liable under this section.
- Section 66: If the accounts of a victim are compromised by the phisher, who does any act mentioned in Section 43 of the IT act, shall be imprisoned for a term which may exceed up to three years or with a fine which may exceed up to five lakh rupees or both.
- Section 66A: Any person who sends any information which he knows to be false, but is sending it with the intention to damage a victim shall be punishable with the punishment given under Section 66 of the IT Act.
- In the case of Shreya Singhal v. Union of India, the court held that online intermediaries would only be obligated to take down content on receiving an order from the courts or government authority.
4. Section 66C: This provision prohibits the use of electronic signatures, passwords, and any other feature which is a unique identification of a person. Phishers disguise and portray themselves as the true owners of the accounts and perform fraudulent acts.
5. Section 66D: The provision provides punishment for cheating by personating using communication devices or computer sources. Fraudsters use URLs that contain the link for a fake website of banks and organisations and personate themselves as the bank or the financial institution.
6. Section 81: This provision consists of a non-obstante clause i.e., the provisions under this act shall affect notwithstanding anything inconsistent, and also contained in any other act for the time being in force.
The obstante clause overrides the effect of the provisions of the IT Act over the other acts such as the Indian Penal Code. All the provisions of the IT Act, 2000 which are relevant to the phishing scams are however made bailable under Section 77B of the IT Act (Amendments 2008). This obviously because of the uncertainty as to who the real criminal is. There is always a translucent screen in front of the phisher which hides their identity and there may be cases wherein the wrong person convicted for a crime that they have never committed, hence the reason for the offense to be made bailable. Furthermore, as per the Indian Penal Code, Phishing can also be held liable under Cheating (Section 415), Mischief (Section 425), Forgery (Section 464), and Abetment (Section 107).
Students of LawSikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.