Phishing is a tech-age crime that has seen a rapid upward trend over the last two decades. It is a type of social engineering attack used to extract sensitive information from the user, such as login credentials, credit card numbers, personal identification numbers and account usernames. In such attacks the cybercriminal masquerades as a legitimate entity and dupes the victim into opening an email, SMS text or hyperlink, which in turn leads to the installation of malware, the freezing of the system as part of a ransom attack, or the disclosure of personal information.
Such cybercrimes can have a deleterious effect on the financial, mental, social and emotional spheres of the victim’s life.
The Increasing Rate of Phishing in India
India ranks third on the list of countries targeted by phishers; moreover, India is also among the top countries hosting such cyberattacks, second only to the United States. The other nations on these criminals’ radar include Canada, the Netherlands and the United States of America, according to research by RSA Security (Dell Technologies).
Phishing accounted for 26% of all fraud attacks in India in 2018. Globally, phishing accounted for 50 percent of all observed fraud attacks in the third quarter of 2018, according to the “RSA Quarterly Fraud Report” for Q3 2018.
In the third quarter, RSA detected 38,196 total fraud attacks worldwide. The overall phishing volume in Q3 increased by 70 percent from Q2.
Methods Used by Attackers
- Man-in-the-middle attacks – Here the attacker sits between the user and the real web-based application and proxies all communication between the user and the website. This technique works for both HTTP and HTTPS communications. The user now operates on the attacker’s server, believing it to be the real website, while the attacker’s server simultaneously maintains a connection to the real site. By proxying the traffic, the criminal extracts all of the user’s information.
- URL obfuscation attacks – URL obfuscation involves alterations to the URL that the user does not recognise, as a result of which the user is redirected to a webpage he did not intend to open. These webpages are naturally malicious and are built so that the victim cannot distinguish them from the real website, thus letting the attackers into the user’s cyberspace. URL obfuscation exploits the unspoken, unwritten quirks of the TCP/IP protocol suite to trick users into viewing a website they did not intend to visit.
- XSS (cross-site scripting) – Almost all cross-site scripting (XSS) attacks either use a custom URL or covertly insert code into a genuine web application’s URL or an embedded data field. In most cases these XSS techniques are possible because the website fails to validate client input before returning it to the user’s web browser.
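As an added defender-side example, not code from the article, the following Python function flags the common URL obfuscation tricks the bullet above alludes to: the userinfo ‘@’ trick, raw or integer-encoded IP hosts, a brand name buried inside an unrelated domain, and percent-encoded or punycode hostnames. The expected host `www.bank.example` and the sample URLs are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed assumption: the only host this organisation's users should be sent to.
EXPECTED_HOST = "www.bank.example"


def obfuscation_findings(url: str, expected_host: str = EXPECTED_HOST) -> list[str]:
    """Return the reasons a URL looks obfuscated; an empty list means nothing was found."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # 1. Userinfo trick: 'http://www.bank.example@evil.example' really goes to evil.example.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' hides real host '{host}'")

    # 2. IP-address host (dotted, IPv6, or a bare decimal/hex integer): no brand to recognise.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        if re.fullmatch(r"\d+|0x[0-9a-f]+", host):
            findings.append("host is an integer-encoded IP address")

    # 3. Brand name used as a subdomain or label of an unrelated registrable domain.
    if host != expected_host and not host.endswith("." + expected_host):
        brand = expected_host.split(".")[-2]  # 'bank' from 'www.bank.example'
        if brand in host:
            findings.append(f"brand '{brand}' appears in unrelated host '{host}'")

    # 4. Percent-encoded or internationalised (punycode) hostname: possible look-alike.
    if "%" in parts.netloc or any(lbl.startswith("xn--") for lbl in host.split(".")):
        findings.append("hostname is percent-encoded or punycode")

    return findings
```

A link-scanning mail gateway or a browser extension can run this check on every URL and warn the user when the list is non-empty.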
Phishing attacks using XSS:
- The user logs in to an online site
- The attacker has already planted XSS ‘mines’ on the website
- The user unknowingly lands on an XSS mine
- The user receives an SMS saying that the session has expired and that they are required to validate again
- The user’s confidential information is sent to the criminal
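The root cause named above, a site returning client input to the browser without validating it, as an added example that is not part of the original article: a minimal page handler that reflects a query parameter unescaped, the same handler with HTML escaping applied, the response headers that limit what injected markup could do, and a small check a tester can run against either handler. The handler names, the `user` parameter and the canary string are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, quote


def render_greeting_vulnerable(query_string: str) -> str:
    """Reflects the 'user' parameter straight into the page: the flaw the section describes."""
    user = parse_qs(query_string).get("user", ["guest"])[0]
    return f"<p>Welcome back, {user}. Your session is active.</p>"


def render_greeting_hardened(query_string: str) -> str:
    """Same page, but the untrusted value is HTML-escaped before it reaches the browser."""
    user = parse_qs(query_string).get("user", ["guest"])[0]
    return f"<p>Welcome back, {html.escape(user, quote=True)}. Your session is active.</p>"


def hardened_headers() -> dict[str, str]:
    """Response headers that contain the damage even if escaping is missed somewhere.

    form-action 'self' stops an injected 'session expired' form from posting
    credentials to another origin; script-src 'self' blocks inline scripts.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; form-action 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_raw_markup(render, canary: str = "<b>canary</b>") -> bool:
    """True if the renderer echoes the canary back unescaped, i.e. the page is XSS-prone."""
    return canary in render("user=" + quote(canary, safe=""))
```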
Recent Phishing Scams
- Operation Phish Phry – Regarded as one of the largest international phishing cases ever, Operation Phish Phry saw hundreds of thousands of bank account holders receive legitimate-looking emails that directed them to a fake financial website. The cybercriminals then harvested these users’ banking details as they entered their account numbers and passwords into fraudulent forms. This was a large-scale cyber-attack conducted by an organised criminal syndicate. The FBI, with the support of Egyptian national security agents, charged more than 100 individuals. The criminals managed to pilfer more than 1.5 million USD from thousands of bank accounts.
- Russian World Cup scam – A more recent case in which millions of football fans received fake emails promising them air tickets to Russia and accommodation for free or at dirt-cheap prices. The attackers even hacked into the server of Bookings.com and successfully duped thousands of people, who received either a genuine-looking email or a text message on their mobile number. Investigators state that rather than a single syndicate, the scam was carried out by thousands of individuals or smaller groups spread across the globe.
- RBI phishing scam – In an attack unique of its kind, the fraudsters did not even spare the Reserve Bank of India. The phishing email, made to look as though it originated from the RBI, promised the recipient prize money of Rs. 10 lakhs within 2 days and provided a link leading to a website that resembles the official RBI website, with similar details such as the logo and the contents of the webpage. The user is then asked to reveal personal information such as password, I-pin number and savings account number. The RBI, however, posted a warning about the fraudulent phishing e-mail on its official website and also issued a notification in the national newspaper.
Indian Legal Standpoint
Cybercrimes are still not defined anywhere in the Information Technology Act, 2000, the Indian Penal Code, 1860 or even the National Cyber Security Policy. However, a general idea can be gained by reading the sections that deal with the broad scope of cybersecurity. Phishing, being a cybercrime, attracts numerous penal provisions under the Information Technology Act, 2000 (as amended in 2008) and the Indian Penal Code, 1860. The 2008 amendments dealt with phishing in much greater depth and provide greater clarity on this form of cybercrime. These acts, read along with the Indian Evidence Act, 1872 and the Bankers’ Books Evidence Act, 1891, also throw some light on the menace of phishing. The following sections deal with phishing:
i. Section 66 of the Information Technology Act, 2000 – If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
ii. Section 66A of the Information Technology Act, 2000 – Punishment for sending offensive messages through communication service, etc. – Any person who sends, by means of a computer resource or a communication device, –
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device;
c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.
iii. Section 66D of the Information Technology Act, 2000 – Punishment for cheating by personation by using computer resource. – Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
iv. Section 420 of the Indian Penal Code, 1860 – Cheating and dishonestly inducing delivery of property – Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.
The government endeavors of digitization and persistent efforts to develop the nation as a ‘cash-less economy’ have made India a lucrative platform for cybercriminals. Therefore, it is only natural that the nation would encounter more of such scams and crimes on its road to development.
Hence, the need of the hour is to enact more stringent laws that directly deal with such new-age internet crimes. The legislature should also amend the existing provisions and make them area-specific, as most of the current cyber laws cover a large range of crimes but remain very vague in meaning. The current Indian laws nowhere clearly define what cybercrime is. It is therefore time that the authorities took this issue seriously and curbed the problem of phishing and pharming while it is still at a nascent stage.
Citizens should also be made aware of electronic forms of crime. Since this is a relatively new and far more sophisticated form of criminal activity, most victims do not understand what has happened to them and, as a result, do not report the crime to the police. This can be changed by improving digital literacy. Newspaper agencies and T.V. channels should inform people about such mischief and also provide ways to protect themselves. Internet users should also be careful while browsing online, use good-quality antivirus software, visit only verified websites and not open spam emails. They must report to the police immediately if they feel they have been duped.