A critique on phishing crime in India

Yogesh Prasad Kolekar ((Assistant Professor, Ismailsaheb Mulla Law College, Satara, Maharashtra, India)).

ABSTRACT

Phishing is a crime of fraud or deception through emails. The perpetrator sends an email resembling a legitimate one to lure the user into revealing a password or a financially vital code. As opening an email account is a simple process and does not require any factual identity verification, emails are also a popular medium for committing cybercrimes, especially phishing, also commonly known as email fraud. Phishing is an act of sending emails to acquire personal, particularly financial, information such as bank account details, credit card details, PIN or passwords. In a phishing crime, the receiver of an email is led to believe that he has received an email from a bank or Government department and is tricked into revealing vital information. Phishing is a punishable offense under the Information Technology Act, 2000 and the Indian Penal Code. It is punishable under Sec. 66, Sec. 66C and Sec. 66D of the Information Technology Act, 2000. Phishing scammers are adopting novel practices to defraud innocent online users; hence, ultimately it would be in the interest of users to practice safe internet habits to keep themselves from being hooked by a phishing scam.

INTRODUCTION

Today we live in a technology-driven world. The industrial revolution gave birth to giant machines for industrial advancement, and information technology has delivered intelligent machines to revolutionize human development. Today we are surrounded by automated smart technology, which has touched almost all sectors of human interface, from military to medicine and from education to elections. We live in a world with boundaries, which is secured, but it can still be intruded upon virtually ((UK, National Criminal Intelligence Services, Director of Intelligence, Roger Gaspar, says “The internet is a global system; we can now be attacked by criminals who do not need to come to this territory. Lots of policing arrangements have their roots in the fact that victim and offender are geographically co-located.” Available at http://news.bbc.co.uk/hi/english/static/in_depth/uk/2001/life_of_crime/cybercrime.stm Last accessed on May 7, 2015)). This is real and this is cyberspace ((William Gibson coined the word cyberspace in his 1984 novel Neuromancer)). The term cyberspace has not been defined statutorily; however, it is commonly used in the context of computer networks. The New Oxford Dictionary defines cyberspace as “The notional environment in which communication over computer networks occurs ((Available at http://www.oxforddictionaries.com/definition/english/cyberspace Last accessed on May 7, 2015)).”

The new blessing brought by information technology also carried its own curse in the form of cybercrimes ((This term has not been defined in any statute or Act passed or enacted by the Indian Parliament. Cybercrime is defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes). Cybercriminals may use computer technology to access personal information, business trade secrets, or use the Internet for exploitive or malicious purposes. Criminals can also use computers for communication and document or data storage. Criminals who perform these illegal activities are often referred to as hackers. Cybercrime may also be referred to as computer crime. Available at http://www.techopedia.com/definition/2387/cybercrime Last accessed on May 7, 2015)), which were both novel and high-tech in nature and hence required a new classification, which is dealt with under the Information Technology Act 2000. Cybercrimes are criminal activities involving computers, computer resources or the internet. One of the most widespread and simplest online crimes is phishing ((The word is said to be coined by hackers stealing online accounts and passwords)). The Information Technology Act 2000 is the prime legislation dealing with cyber offenses and electronic commerce ((The object of the Information Technology act 2000 defines ecommerce as ………. transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information…)) in India ((It is based on the United Nations Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL). http://www.uncitral.org/pdf/english/texts/electcom/05-89450_Ebook.pdf Last accessed on May 7, 2015)). The Act is applicable to the whole of India ((S. 1(2) it shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention thereunder committed outside India by any person)) and to offenses or contraventions committed outside the territory of India by any person irrespective of his nationality ((S. 75. Act to apply for offences or contravention committed outside India.—(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality. (2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India)).

DEFINITION

The Oxford dictionary defines phishing as:

“The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online”.

Dictionary.com defines it as:

“to try to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one.”

Phishing is a crime of fraud or deception through emails. The perpetrator sends an email resembling a legitimate one to lure the user into revealing a password or a financially vital code ((Available at http://searchsecurity.techtarget.com/definition/phishing last accessed on May 7, 2015)).

MODUS OPERANDI

Electronic mails ((Email is short for ‘electronic mail’. Similar to a letter, it is sent via the internet to a recipient. An email address is required to receive email, and that address is unique to the user. Some people use internet-based applications and some use programs on their computer to access and store emails. Available at www.digitalunite.com/guides/email/what-is-email#sthash.0kU1PLQY.dpuf Last accessed on May 7, 2015)) are the exchange of messages electronically through computers or communication devices such as mobiles or smartphones. Electronic mail, popularly known as e-mail, is a virtual, personal post office online, where senders transmit and receive messages in digital form. Emails are popular for both personal and business communication. It is estimated that billions of emails are sent every minute across the globe ((According to a report, in 2013, 182.9 billion e-mails were sent/received per day worldwide. Available at www.sourcedigit.com/4233-much-email-use-daily-182-9-billion-emails-sentreceived-per-day-worldwide/ Last accessed on May 7, 2015)). Emails are free, safe (to some extent) and a faster mode of communication than traditional mail, sometimes referred to as snail mail. In modern times, emails have become an integral part of business as well as personal communication. Email services are free ((Paid email services are also available)), and sending or receiving an email is a convenient, easy and effective way to communicate, as one can easily send attachments that can hold different types of files such as video, documents or pictures. Email carries a host of advantages; hence it has become an important part of day-to-day life. Further, it is mandatory to register an email address to avail of certain online services such as online bank statements and other financial reports. It is estimated that there are around 3.1 billion email accounts globally, which is expected to cross 4.1 billion by the end of the year 2015 ((Available at http://www.radicati.com/wp/wp-content/uploads/2011/05/Email-Statistics-Report-2011-2015-Executive-Summary.pdf Last accessed on May 7, 2015)).

As opening an email account is a simple process and does not require any factual identity verification, emails are also a popular medium for committing cybercrimes, especially phishing, also commonly known as email scams ((It is estimated that around 90% of e-mail messages are spam and viruses. Available at http://www.email.about.com/od/emailtrivia/f/emails_per_day.htm Last accessed on May 7, 2015)). It is reported that email scams alone cost India millions of rupees every year and that the number of such email scam attacks is increasing day by day ((Available at http://www.hindustantimes.com/india-news/indians-top-e-scam-suckers-list-lose-870mn/article1-1242108.aspx Last accessed on May 7, 2015)). Phishing scams such as email lottery scams, dating fraud and fake job email scams are a few common methods, in which the perpetrator sends emails to deceive innocent persons and induce them to reveal vital personal financial information such as bank account details, credit card details etc., or lure them into depositing money into fraudulent schemes. The sender creates fake email accounts, seals or logos resembling the original ones in order to gain confidence.

Phishing is an act of sending emails to acquire personal, particularly financial, information such as bank account details, credit card details, PIN or passwords. In a phishing crime, the receiver of an email is led to believe that he has received an email from a bank or Government department and is tricked into revealing vital information. It is generally done by sending a fake mail resembling a legitimate website, letterhead or logo etc.

The receiver of an email generally receives a link to a fake website ((Having similar color pattern, logo or resemblance of original website)). By clicking the link, the user is led to a fake web portal where he is induced to provide a password or PIN details, which are later misused for personal gain. In the email lottery scam, the user is sent a mail informing him that his email account has been chosen in a lucky draw and that the company requires certain financial details so that his prize money can be transferred into his bank account. If the user falls into the trap, he is asked to deposit a certain amount of money as customs tax or duty in order to receive the prize money. Once the user deposits the amount, the culprit never contacts him again and searches for new prey.

MAGNITUDE OF THE PROBLEM

Assocham ((The Associated Chambers of Commerce & Industry of India)) has recently brought forward ((Sunday, January 04, 2015, http://www.assocham.org/newsdetail.php?id=4821)) alarming figures indicating that the number of cybercrimes may double to three lakh in 2015, largely due to the increased use of smartphones and tablets for online financial transactions.

According to an Ultrascan Advanced Global Investigation report, in the year 2013 India stood in fourth position globally in money lost to the famous Nigerian email scam ((Ultrascan AGI is a subsidiary of Ultrascan Research Services, an International Research Organization that focuses on (internet) crimes such as Advance Fee Fraud (419), Corporate Identity Fraud, Credit Card Fraud etc.)). Every year, thousands of people become victims of different email scams; hence it is necessary to take preventive steps.

CASE STUDY

A woman from Madhya Pradesh was arrested for duping a student through an online lottery scam. The 26-year-old student received an email from one Arick Donald, who claimed to be an officer with a multinational company. In his email he informed the receiver that the receiver had won the lottery and that his company wanted to transfer the prize money into the receiver’s bank account, and that in order to do so he required certain details such as mobile numbers, address, bank account number etc. The victim provided the details. After a few days she was phoned and asked to deposit a customs duty amount as the person had come to India to deliver the money, and she obliged. Later she was asked to deposit a conversion amount for converting dollars into rupees. A few days later she received a letter asking her to deposit money into a certain account for paying taxes. However, this time she discussed the issue with a friend, who realized that she had become a victim of an online scam ((Kandivli woman loses 1.2L in email scam, newspaper report in Times of India, Mumbai, Sep. 5, 2012, Online ed)).

In a daring phishing attempt, a fictitious email was sent in the name of the Reserve Bank of India asking for bank account details and passwords. The phishing emails, assuring Rs. 10 lakh within 48 hrs, carried a color pattern similar to that of the RBI website. The RBI issued a public notice clarifying that it was a phishing attempt to defraud customers ((Available at http://www.rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=27405 Last accessed on May 7, 2015)).

In an inventive phishing attempt, emails were sent in the name of the Income Tax Department assuring a return of income tax based on the last annual return and asking for vital financial information such as credit card details. The Income Tax Department clarified that users should not respond to such emails or download any attachments ((Beware of Phishing Emails, Cautions Income Tax Department, available at http://www.ndtv.com/india-news/beware-of-phishing-emails-cautions-income-tax-department-588256 Last accessed on May 7, 2015)).

In Umashankar Sivasubramanian v. ICICI Bank ((Civil jurisdiction petition no. 2462 of 2008, Tamil Nadu)), the adjudicating officer, Chennai, directed ICICI Bank to pay compensation to the customer for an unauthorized withdrawal from the customer’s bank account. The bank pleaded that it was a phishing attack and asserted that the customer had disclosed confidential information and thereby fallen prey to a phishing fraud.

In the UTI phishing case, the perpetrators took undue advantage of the name change of UTI Bank to Axis Bank by informing email users that the bank had changed its name and that customers were hence required to provide financial information for updating on the new server ((Phishers now aiming UTI bank. Available at http://www.mwti.net/products/pdfs/techvani.com_Phishers%20now%20aiming%20UTI%20bank.pdf Last accessed on May 7, 2015)). The investigation revealed that these fake emails originated from Lagos, Nigeria and that the culprits had used the logo of the UTI site in the email to deceive customers ((UTI Bank: Phishing Fraud, available at http://www.ciol.com/uti-bank-phishing-fraud/ Last accessed on May 7, 2015)).

In a landmark case of the National Association of Software ((119 (2005) DLT 596, 2005 (30) PTC 437 Del)), the plaintiff filed the suit alleging that the defendant was circulating fraudulent emails purporting to originate from NASSCOM, a premier software association. According to the terms of the compromise settlement, the defendants agreed to pay damages to the plaintiff for violation of the plaintiff’s trademark rights. The Delhi High Court made the following observation with regard to phishing:

“Internet has spawned novel and interesting methods to defraud individuals and companies, ‘Phishing’ is a form of internet fraud. In a case of ‘Phishing’, a person pretending to be a legitimate association such as a bank or an insurance company in order to extract personal data from a user such as access codes, passwords etc. which are then used to his own advantage, misrepresents on the identity of the legitimate party. Typically, ‘Phishing’ scams involve persons who pretend to represent online banks and siphon cash from e-banking accounts after conning consumers into handing over confidential banking details

These messages trick users into handing over their account details and passwords. The quoted details are subsequently used for fraudulent transfers. It was only towards the end of 2003 that phishing e-mails were spotted. Unfortunately, these are becoming increasingly sophisticated. It appears that the expression ‘phishing’ comes from the word fishing whereby a bait is set in the hope that someone will bite.”

CONCLUSION AND RECOMMENDATIONS

Phishing is a punishable offense under the Information Technology Act, 2000 and the Indian Penal Code. It is punishable under Sec. 66 ((Section 66 Provides punishment for acts referred to in section 43)), Sec. 66C ((Section 66C Punishment for identity theft)) and Sec. 66D ((Section 66D Punishment for cheating by personation by using computer resource)) of the Information Technology Act, 2000. It is rightly said that ‘precaution is better than cure’; hence the adoption of precautionary measures such as an antivirus with an anti-phishing feature, installation of a firewall and spam filter, and deletion of fictitious emails would keep email users on the safer side. One common error that many online users make is to use their actual email password when registering for various online services. It is worth noting that online services require only the actual email address to be used as the username; a password other than the actual one can be chosen for registration. Phishing scammers are adopting novel practices to defraud innocent online users; hence, ultimately it would be in the interest of users to practice safe internet habits to keep themselves from being hooked by a phishing scam. The following measures may help users secure themselves from phishing attacks ((These suggestions should not be considered as legal advice or expert’s advice and reader should consult qualified experts in this subject matter)).

  1. Keep your browser and operating system updated. Install only a trusted antivirus with anti-phishing features ((10 Tips to Prevent Phishing Attacks, Available at http://www.pandasecurity.com/mediacenter/security/10-tips-prevent-phishing-attacks/ Last accessed on May 7, 2015)).
  2. Never use links provided in an email to visit banks’ websites ((Ibid)).
  3. Use only a secure URL for financial transactions. The address of a secure web portal begins with https:// or shows a ‘lock’ pad icon ((Five tips to secure mobile banking transactions, available at http://articles.economictimes.indiatimes.com/2014-07-07/news/51133547_1_apps-text-message-mobile-banking-transactions Last accessed on May 7, 2015)).
  4. Do not respond to emails requesting your password or other financial details. Banks and other financial agencies do not send emails asking for vital financial details. In case of suspicion, call your bank or visit it personally ((Available at https://www.onguardonline.gov/phishing Last accessed on May 7, 2015)).
  5. Do not close the browser without logging off. Always log off properly after completing transactions ((Online security, available at http://www.unionbankofindia.co.in/per_internet_onlinesec.aspx Last accessed on May 7, 2015)).
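
The checks behind measures 2 and 3, applied to the kind of email described under MODUS OPERANDI, are shown below as an added example that is not part of the original article. Because a fake site can also be served over https, the check pairs the https test with an exact match against the hosts the user actually banks with; `TRUSTED_HOSTS`, the `examplebank.test` hosts and the sample email are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the exact hosts the user banks with (constructed placeholder value).
TRUSTED_HOSTS = {"netbanking.examplebank.test"}

# Constructed sample: the first link shows the bank's address but points elsewhere.
SAMPLE_EMAIL = """
<p>Dear customer, the bank has changed its name. Please update your details:</p>
<a href="http://netbanking.examplebank.test.update-server.example/login">
https://netbanking.examplebank.test/login</a>
<a href="https://netbanking.examplebank.test/login">Log in</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scheme_and_host(url):
    """Return (scheme, host) in lower case; empty strings if unparsable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "", ""
    return parts.scheme.lower(), (parts.hostname or "").lower()

def review_link(href, text, trusted=TRUSTED_HOSTS):
    """List the reasons a link should not be used to reach the bank."""
    reasons = []
    scheme, host = scheme_and_host(href)
    if scheme != "https":
        reasons.append("not https")
    if host not in trusted:  # exact match: a look-alike or longer host fails
        reasons.append("host not in trusted list")
    # Visible text that is itself an address must name the same host as the href.
    if "." in text and " " not in text:
        shown = scheme_and_host(text if "://" in text else "//" + text)[1]
        if shown and shown != host:
            reasons.append("visible text shows a different host")
    return reasons

def review_email(html, trusted=TRUSTED_HOSTS):
    """Map each link in the email to its list of reasons (empty = passes)."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: review_link(href, text, trusted) for href, text in collector.links}
```

Calling `review_email(SAMPLE_EMAIL)` returns all three reasons for the first link and an empty list for the second.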