Phishing

Oxford English Dictionary added “Phishing” to its latest publication making it a definitive word of English Language. It defines “Phishing” as:

“the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.”

According to the Annual Report of the Indian Computer Emergency Response Team (CERT-In), Deptt. of Information Technology, Ministry of Communications & Information Technology, (Govt. of India) in the year 2009, the CERT-In handled about 374 phishing incidents. There are three major factors that cause an increase in Phishing in India

• Lack of Awareness among Public:

  Worldwide, particularly in India, there has been lack of awareness regarding the phishing attacks among the common masses. The users are unaware that their personal information is actively being targeted by criminals and they do not take proper precautions when they conduct online activities.

• Lack of Awareness regarding Policies:

  The fraudsters often count on victim’s unawareness of Bank/financial institution policies and procedures for contacting customers, particularly for issues relating to account maintenance and fraud investigation. Customers unaware of the policies of an online transaction are likely to be more susceptible to the social engineering aspect of a phishing scam, regardless of technical sophistication.

• Technical Sophistication:

   Fraudsters are now using advanced technology that has been successfully used for activities such as spam, distributed denial of service (DDoS), and electronic surveillance. Even as customers are becoming aware of phishing, criminals are developing techniques to counter this awareness. These techniques include URL obfuscation to make phishing emails and web sites appear more legitimate, and exploitation of vulnerabilities in web browsers that allow the download and execution of malicious code from a hostile website.

In India, the most common form of phishing is by email pretending to be from a bank, where the sinister asks to confirm your personal information/login detail for some made up reason like bank is going to upgrade its server. A typical phishing email may look like this-

Apart from the general banking phishing scams, some of the recent phishing attacks that took place in India are as follows:

1. RBI Phishing Scam: The phishing email disguised as originating from the RBI, promised its recipient prize money of Rs.10 Lakhs within 48 hours, by giving a link which leads the user to a website that resembles the official website of RBI with the similar logo and web address. The user is then asked to reveal his personal information like password, I-pin number and savings account number. However, the RBI posted a warning regarding the fraudulent phishing e-mail on the bank’s official website.
2. Income Tax Department Phishing Scam: The email purporting to be coming from the Income Tax Department lures the user that he is eligible for the income tax refund based on his last annual calculation, and seeks PAN CARD Number or Credit Card details
3.  ICC World Cup 2011: Here, the fraudsters through the similar looking fake website of organizers of the event have tried to lure victims with special offers and packages for the grand finale of the event. The Users were asked for credit card details to book tickets and packages along with their personal information which once submitted would be used to compromise the online banking account of the victim leading to financial losses to the victim.

Phishing under the Information Technology Act, 2000

Phishing is a serious offence under Information technology Act .Section 66C penalizes identity theft. The provision states that

“Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.”

In addition, Section 66D of this Act deals with sanction for cheating by personation by using computer resource.

Phishing is a major concern in the contemporary e-commerce environment in India as there is no silver bullet to thwart the phishing attack. However, it has been noticed in the most of the phishing scams worldwide particularly in India that the hacker succeeds in phishing attempt due to the uninformed, gullible customers. Therefore, the awareness and customer education is the key here to fight the menace of the “Phishing” apart from mitigating or preventative measures.

Author: Sushmita Ravi, School of Law, Christ University, Bangalore

Image from here