Is India Braced for Phishing Attacks of the Modern Age?

Since the Internet has become indispensable, users increasingly share their personal information online. As a result, an enormous amount of personal data and financial transactions are exposed to cybercriminals. Phishing is a highly effective form of cybercrime that enables criminals to deceive users and steal pertinent data. Since the first reported phishing attack in the 1990s, it has evolved into a more sophisticated attack vector. At present, phishing is considered one of the most frequent forms of fraudulent activity on the Internet. Phishing attacks can lead to severe losses for their victims, including loss of sensitive information, identity theft and theft of companies’ secrets. In the recent past, we have seen fraudsters successfully posing as local authorities in charge of dispensing government-funded Covid-19 support initiatives to retrieve sensitive information from internet users. This article aims to evaluate our legal system in view of the current state of phishing and the existing phishing techniques.

A web series titled “Jamtara” tells the tale of phishing rackets operating in a certain part of the country. In India, the most common form of phishing is an email pretending to be from a bank, in which the imposter asks you to confirm your personal information or login details for some made-up reason, such as the bank upgrading its server. Needless to say, the email contains a link to a fake website that looks exactly like the genuine site. There have been phishing attempts targeting ICICI Bank, UTI Bank, HDFC Bank, SBI, etc., and the modus operandi was similar in each case. Hence, it would be worthwhile to explore this issue further. Cybercriminals usually exploit users who lack digital/cyber ethics or who are poorly trained, in addition to technical vulnerabilities, to reach their goals. Susceptibility to phishing varies between individuals according to their attributes and awareness level; therefore, in most attacks, phishers exploit human nature rather than sophisticated technologies. Even though the weakness in the information security chain is attributed to humans more than to technology, there is a lack of understanding about what in this chain is first penetrated.

TARGET VICTIMS

Studies have found that certain personal characteristics make some persons more receptive to various lures. For example, individuals who are more inclined than others to obey authority are more likely to fall victim to a Business Email Compromise that appears to originate from a financial institution and requests immediate action, because they see it as legitimate. Greed is another human weakness that an attacker can exploit, for example through emails offering great discounts, free gift cards, etc.

The attacker uses various channels to lure the victim through a scam, or indirectly to deliver a payload, in order to obtain sensitive and personal information from the victim. Phishing attacks have already led to damaging losses; they can affect the victim financially and have other serious consequences such as loss of reputation or compromise of national security. Phishing attacks are the most common type of cybersecurity breach. Although these attacks affect organisations and individuals alike, the organisations’ loss is significant, including the cost of recovery, the loss of reputation, fines under information laws/regulations, and reduced productivity.

PHISHING’S MODUS OPERANDI

Generally, most phishing attacks start with an email. The phishing mail may be sent randomly to potential users or targeted at a specific group or individual. Many other vectors can also be used to initiate the attack, such as phone calls, instant messaging, or physical letters. The steps of the phishing process have been discussed by many researchers, because understanding these steps is important in developing an anti-phishing solution. A phishing attack process involves five phases: planning, setup, attack, collection, and cash. These phases cover preparation for the attack, sending a malicious program using the selected vector, obtaining the user’s reaction to the attack, tricking the user into disclosing confidential information which is then transmitted to the phisher, and finally obtaining the targeted money.

THE BASIC SCENARIO FOR THIS ATTACK CAN BE DESCRIBED IN THE FOLLOWING STEPS:
  • The phisher sets up a fraudulent email containing a link or an attachment (planning phase).
  • The phisher executes the attack by sending a phishing email to the potential victim using an appropriate medium (attack conducting phase).
  • The link (if clicked) directs the user to a fraudulent website, or, in the case of the attachment, to a malware download (interaction phase).
  • The malicious website prompts the user to provide confidential information or credentials, which are then collected by the attacker and used for fraudulent activities (valuables acquisition phase).

These are the kinds of phishing that we need to be aware of:

  • Spoofed Website
  • These are also called phishing websites: the phisher forges a website that appears genuine and looks similar to the legitimate one. An unsuspecting user is redirected to this website after clicking a link embedded within an email, through an advertisement (clickjacking), or in some other way. If the user continues to interact with the spoofed website, sensitive information will be disclosed and harvested by the phisher.

  • Phishing through phone (Vishing and Smishing)
  • This type of phishing is conducted through phone calls (vishing) or text messages (smishing), in which the attacker pretends to be someone the victim knows or another trusted source the victim deals with. A user may receive a convincing security alert message purporting to come from a bank, urging the victim to contact a given phone number with the aim of getting the victim to share passwords or PINs. The victim may also be duped into clicking on a link embedded in the text message.

  • Social Media Phishing
  • Social media is the new favourite medium for cybercriminals conducting phishing attacks. Social media threats include account hijacking, impersonation attacks, scams, and malware distribution. Detecting and mitigating these threats takes longer than for traditional methods, as social media exists outside the network perimeter.

  • Malware-Based Phishing
  • As the name suggests, this is a type of phishing attack which is conducted by running malicious software on a user’s machine. The malware is downloaded to the victim’s machine either by one of the social engineering tricks or technically, by exploiting vulnerabilities in the system’s security.

  • Viruses and Worms
  • A virus is a type of malware: a piece of code that spreads by inserting copies of itself into another application or program in an automated manner. Worms are similar to viruses but differ in the way they execute, as worms run by exploiting an operating system vulnerability without modifying another program. Viruses travel from one computer to another with the document they are attached to, while worms spread from the infected host on their own. Both viruses and worms can damage data and software.

  • Spyware
  • Spyware is malicious code designed to track the websites visited by users in order to steal sensitive information and conduct a phishing attack. Spyware can be delivered through an email. Once installed on the computer, it takes control of the device and either changes its settings or gathers information such as passwords, credit card numbers or banking records, which can be used for identity theft.

  • Data Theft
  • Data theft is the unauthorised access to and stealing of confidential information belonging to a business or an individual. Data theft can be performed by a phishing email that leads to the download of malicious code to the user’s computer, which directly steals confidential information stored on that computer. Stolen information such as passwords, social security numbers, credit card information, sensitive emails, and other personal data can be used directly by a phisher or indirectly by selling it for different purposes.
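The email-link step of the attack process described above and the spoofed-website lure share one defensive check: compare where a link says it goes with where it actually goes. The following is an added example written for this article (not code from the original or from any bank); the allowlist of legitimate domains, the brand words and the sample email are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist and brand keywords, constructed for this example only.
LEGIT_DOMAINS = {"examplebank.in"}
BRAND_WORDS = ("examplebank", "netbanking")
DOMAIN_RE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # naive eTLD+1, fine for samples

def suspicious_links(html):
    """Return (href, reason) for each link a reviewer should examine."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        if target in LEGIT_DOMAINS:
            continue  # link really goes to the bank
        shown = DOMAIN_RE.match(text)  # visible text that looks like a URL
        if shown and registered_domain(shown.group(1)) != target:
            findings.append((href, f"shows {shown.group(1)}, goes to {target}"))
        elif any(word in target for word in BRAND_WORDS):
            findings.append((href, f"brand lookalike domain {target}"))
    return findings

# Constructed email body of the "confirm your details, server upgrade" kind.
SAMPLE_EMAIL = ('<p>Confirm your login at <a href="http://examplebank-secure-update.com/login">'
                'https://www.examplebank.in/login</a> or <a href="https://netbanking-verify.net/">'
                'our portal</a>. Help: <a href="https://examplebank.in/help">examplebank.in/help</a></p>')
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and passes the genuine help link; a real deployment would replace the naive domain split with a public-suffix list.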

LEGAL PROVISIONS AND INDIA’S DEFENCE MECHANISM

The following legal provisions of the Information Technology Act, 2000 (“IT Act”) pertain to Phishing:

Section 66: The account of the victim is compromised by the phisher, which is not possible unless the imposter conducts fraudulent activity whereby certain changes are brought about, by way of electronic deletion or alteration of information/data, in the account of the victim residing on the bank’s server.

Section 66A: The disguised email containing the fake link of the bank or organization is used to deceive or mislead the recipient about the origin of such email. Thus, it attracts the provisions of Section 66A.

Section 66C: In a phishing email, the imposter disguises himself as the banker and uses a unique identifying feature of the bank, e.g., its logo. Thus, it clearly attracts the provision of Section 66C of the IT Act.

Section 66D: The fraudsters, through the use of a phishing email containing a link to a fake website of the bank or financial institution, impersonate the bank or financial institution to cheat innocent persons.

The Information Technology Act, 2000 contains penal provisions under Chapter XI of the said IT Act, and further, Section 81 of the IT Act, 2000 contains a non-obstante clause, i.e., “the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force”. In the author’s humble opinion, the said clause gives an overriding effect to the provisions of the IT Act over other Acts, including but not limited to the Indian Penal Code, 1860. It is pertinent to mention that the aforesaid penal provisions of the IT Act, 2000 which are attracted to the phishing scam have been made bailable under Section 77B of the IT Act intentionally, since there may be a conflict over the identity of the person behind the alleged phishing scam.

The author finds it pertinent to mention the landmark case of IDBI Bank v. Sudhir S. Dhupia, wherein the Hon’ble Telecom Disputes Settlement and Appellate Tribunal (TDSAT) directed IDBI Bank to pay a penalty of Rs. 1 Lakh for violating provisions of the IT Act. The case pertained to a phishing attack wherein the victim had received a fraudulent mail from IDBI’s email address. The said e-mail had been sent by an imposter and was intended to manipulate the victim into transferring money into a fraudulent bank account. The Tribunal observed that the innocent victim (respondent) could not be blamed for the losses and apportioned the liability to IDBI Bank. Although the Tribunal observed that such phishing frauds may lie beyond the control of any party, it noted that IDBI Bank had failed to adopt the necessary safeguards. Hence, the bank was held liable for violating Section 43A of the IT Act, which requires “corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices.” Where any negligence can be attributed to a failure of security practices, the corporate body shall be held liable to compensate the affected parties.

ENDNOTE

Perhaps a stronger mechanism is needed to combat cyber frauds such as phishing. A strong legislative framework will also be fundamental in combating identity theft, and specific mechanisms may be developed to bring phishing under the ambit of criminal conduct that poses increasing threats to gullible users, unsuspecting customers, banks and corporate bodies. Hence, a strong legislative intent to bring in bye-laws (Rules) under the IT Act may be the way forward.

About Author

Avinash Mohapatra

Avinash Mohapatra is the Assistant Editor for Lex Witness and holds an LLM in International Finance Law from King’s College, London. Mr. Mohapatra deals in commercial and banking litigation and is an alumnus of Symbiosis Law School, Pune.