Phishing: Deception in Cyberspace: Eastern Book Company Generated: Thursday, June 3, 2021
Digital infrastructure now underpins almost every aspect of modern society. The inherent nature of the internet has
dissolved physical boundaries and created a worldwide information systems infrastructure. This globalisation of
information and communication technologies has, however, created a security problem: increasing decentralisation and
global interconnectivity make the system more susceptible to exploitation. Vulnerabilities lie not only in the technical
nature of the infrastructure but also in its users. Moreover, because the same technology is deployed everywhere, an
attack method that works in one place can be replicated elsewhere with little change.
The faceless nature of the digital infrastructure has made identity theft a natural and extremely attractive avenue.
Phishing is just one method of online identity theft. In phishing, the perpetrators design e-mails and websites that
appear to originate from a legitimate source, thereby deceiving the victim into disclosing personal information. “Phishing
is a particularly pernicious form of identity theft because it exacts a price on both the individual consumer and on internet
use in general.”1
Defining phishing
Phishing, also known as “brand spoofing” or “carding”, is a process that employs the immense capabilities of the
internet to socially engineer2 people, by imitating legitimate forms and methods, into imparting their confidential
information for purposes of identity theft.3 “Phishing is a particularly invidious attack on the internet community because
it almost always involves two separate acts of fraud. The phisher first ‘steals’ the identity of the business it is
impersonating and then acquires the personal information of the unwitting customers who fall for the impersonation.
This has led commentators to refer to phishing as a ‘twofold scam’ and a ‘cybercrime double play.’”
The Delhi High Court opined in National Assn. of Software and Service Companies v. Ajay Sood5 that,
10. ... Phishing is a form of internet fraud. In a case of ‘phishing’, a person pretending to be a legitimate association
such as a bank or an insurance company in order to extract personal data from a user such as access codes,
passwords, etc. which are then used to his own advantage, misrepresents on the identity of the legitimate party. Typically
‘phishing’ scams involve persons who pretend to represent online banks and siphon cash from e banking accounts after
conning consumers into handing over confidential banking details.
The United States Department of Justice defines phishing as “Criminals’ creation and use of e-mails and
websites—designed to look like e-mails and websites of well-known legitimate businesses, financial institutions, and
government agencies—in order to deceive internet users into disclosing their bank and financial account information or
other personal data such as usernames and passwords.”6
Genesis of the terminology
“The hacker news group alt.2600 first published the word ‘phishing’ on the internet in January 1996, although the term
was used by computer security trespassers, or hackers, before then.”7 The genesis of the word “phishing” is attributed
to several sources. It is commonly suggested that the basic etymology arises from the fact that the scammers are
“fishing” for confidential information from gullible customers.8 The orthographic substitution of ‘p’ for ‘f’ is most likely by
analogy to “phone phreaking”,9 or to distinguish the internet scam from the sport.10 Contraction of the term “password
harvesting” is another suggested basis of the word “phishing”.11 In its initial stages, phishing focused on obtaining
passwords of America Online (AOL) accounts. By 1996, hacked accounts were called “phish”, and by 1997 phish were
actively being traded between hackers as a form of electronic currency. With time, the nature of information being
phished for has progressed from user account details to all personal data.12
Phishing techniques
The techniques13 employed by phishers can essentially be grouped under four headings. First is the Dragnet method,
which involves spammed e-mails, websites, pop-up windows or fake banner advertising bearing falsified corporate
identification, addressed to a large class of people. This method does not involve identification of specific prospective
victims in advance. Instead, it relies on the false information to elicit a response from the victims, thus enabling identity
theft. Nigerian 419 letters and work-at-home/reshipping schemes are extremely common examples of this technique.
In United States v. Carr14, the defendant was found guilty of phishing through unauthorised access devices. Her
modus operandi consisted of sending fake e-mail messages to AOL customers directing them to update their credit card
and personal information on file with AOL to maintain their accounts.
Again, in United States v. Guevara15, the defendant created false e-mail accounts with Hotmail and an unauthorised
website with the address www.msnbilling.com through Yahoo! He then sent MSN customers e-mail messages,
purporting to come from MSN that directed customers to the fraudulent website and asked them to verify their accounts
https://www.supremecourtcases.com Eastern Book Company Generated: Thursday, June 3, 2021
The Practical Lawyer
by providing name, MSN account, and credit card data. The website automatically forwarded each customer’s data to the
defendant’s false Hotmail accounts.16
The Rod-and-Reel method is the second mode, in which phishers identify specific prospective victims in advance and
convey false information to them to prompt disclosure of personal and financial data. In United States v.
Forcellina17, the defendants accessed chat rooms, used a device to capture the screen names of chat room participants
and then sent e-mails pretending to be from the ISP and requiring correct billing information, including the current credit
card number. The credit card numbers and other personal data were then used to arrange wire transfers of funds.
In United States v. Gebrezihir18, the defendant sent phoney letters on bank letterhead along with altered or
counterfeit Internal Revenue Service (IRS) forms, which solicited the victims’ personal information. The completed forms
then had to be faxed, ostensibly to the IRS or to the bank, at the fax numbers provided. The numbers were in fact
internet-based fax numbers that converted all incoming faxes to e-mail attachments and forwarded these attachments to
e-mail accounts. Wire transfer instructions were then sent to banks and money was transferred from the victims’ accounts.19
The third mode, the Lobsterpot method, relies solely on spoofed websites. It consists of creating spoofed websites,
similar to legitimate corporate ones, that a narrowly defined class of victims is likely to seek out. In Lobsterpot phishing,
the phishers identify a smaller class of prospective victims in advance, but do not rely on a call to action to redirect
prospective victims to another site. It is enough that the victims mistake the spoofed website they discover on their own
for a legitimate site.
In United States v. Kalin20, the defendant registered four websites with domain names deceptively similar to that of the
website operated by DealerTrack Inc. DealerTrack provides services over the internet to auto dealerships located
throughout the US, including ordering credit reports on prospective automobile buyers. The defendant’s websites were
designed to be practically identical to the main page of DealerTrack. He thereby induced a number of dealership
employees to mistakenly enter their usernames and passwords at his sites, and consequently obtained unauthorised
access to DealerTrack and the personal data it held.
In another case21, a cyber-criminal impersonated the FBI in order to obtain social security numbers and other personal
information. He set up a complete fake website bearing the FBI logo. Since many citizens request information from the
Government, the presence of a request form on the website added to the perception of its authenticity. Visitors to the
website furnished the information requested, including their credit card numbers to pay a ten-dollar application fee.
In the fourth method, the Gillnet method, phishers introduce malicious code into e-mails and websites. Merely opening
the e-mail or browsing the site may lead to a virus or Trojan infection. For example, a variant of the Mimail virus not only
spoofed an e-mail message from PayPal but also opened a pop-up window asking for credit card information, social
security number and mother’s maiden name.22 In other cases, malicious spyware such as keystroke loggers records
users’ keystrokes and passwords when they visit legitimate banking sites, then transmits that data to phishers for later
illegal access to the users’ financial accounts.23
Evolving trends
Phishing techniques embrace and integrate evolving technology. Some of the new methods rely far less on social
engineering than the traditional techniques; others are expanding into different fields; still others explore innovative
avenues on the same turf. The traditional techniques have not been abandoned; they continue, complemented by
evolved methods.
Spyware and Trojan horse programs are increasingly used to gain control over personal computers. “Once
thieves have control of a number of computers (sometimes called a ‘zombie network’ or a ‘botnet’), the network can be
used to generate ‘phishing’ attacks.”24
Recently, vishing or voice phishing has also emerged. It combines internet and telephone resources to capture
personal information.25 Similarly, pharming, or domain spoofing, has evolved as a sophisticated form of phishing. It “uses
Trojan horse programs that compromise the user’s computer or domain name system (DNS) server to reroute internet
users from the internet site they desire to view to an illegitimate site that mimics the legitimate site”.26
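Both the Kalin case (domain names deceptively similar to DealerTrack’s) and pharming (a correct name rerouted to the wrong address) can be checked mechanically. The Python below is an added illustration, not the article’s or any cited party’s code. It scores a hostname against a constructed list of protected brand domains using homoglyph reduction and edit distance, and scans constructed hosts-file content for protected names pinned to addresses outside the known-good set. `PROTECTED`, `SAMPLE_HOSTS`, the confusables table and the reserved example domains and addresses are all assumptions made for the example.

```python
import ipaddress
import unicodedata
from typing import List, Optional, Tuple

# Constructed: brand domains a monitoring team protects, mapped to the addresses
# they are known to resolve to. Names and addresses are reserved examples.
PROTECTED = {
    "dealertrack.example": {"192.0.2.10"},
    "bank.example": {"198.51.100.5", "198.51.100.6"},
}

# Substitutions that make one label look like another on screen; the last five
# are Cyrillic letters that render like their Latin counterparts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
               ("7", "t"), ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
               ("\u0440", "p"), ("\u0441", "c")]


def skeleton(label: str) -> str:
    """Reduce a label to a canonical form so that visually similar strings compare equal."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # strip accents
    for lookalike, plain in CONFUSABLES:
        s = s.replace(lookalike, plain)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels; real code should consult the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected domain that `host` imitates, or None if it is genuine or unrelated.
    Flags (a) a protected domain used as a leading sub-label of another domain
    (bank.example.verify.test) and (b) a brand label within edit distance 1 of a
    protected brand label after skeleton reduction (dealertrak, dea1ertrack, dealertrack.test).
    Caveat: for labels of four characters or fewer a distance of 1 also matches ordinary
    words (bank/tank); raise the bar or keep an allow-list for short brands."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return None  # the genuine site
    for brand in PROTECTED:
        if ("." + host + ".").find("." + brand + ".") != -1:
            return brand
        if edit_distance(skeleton(reg.split(".")[0]), skeleton(brand.split(".")[0])) <= 1:
            return brand
    return None


# Constructed hosts-file content of the kind a pharming Trojan leaves behind: the
# bank's names are pinned to an address the bank does not own.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# added by malware
203.0.113.7 bank.example www.bank.example
192.0.2.10  dealertrack.example
"""


def pharming_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (name, ip) pairs that pin a protected domain to an address outside its
    known-good set. Loopback entries and comments are ignored. This catches the
    hosts-file variant of pharming; a poisoned resolver needs the same comparison
    against live DNS answers, which this offline example does not perform."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            continue  # malformed line, not an address
        for name in names:
            brand = registrable_domain(name)
            if brand in PROTECTED and ip not in PROTECTED[brand]:
                hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for candidate in ["dealertrak.example", "dea1ertrack.example", "bank.example.account-verify.test"]:
        print(candidate, "->", lookalike_of(candidate))
    print(pharming_entries(SAMPLE_HOSTS))
```

The skeleton step is what makes `dea1ertrack` and `dealertrack` compare equal; the edit-distance step catches the single dropped or swapped letter typical of the Kalin-style registrations. The hosts-file scan is the endpoint half of a pharming check: the `dealertrack.example` entry is left alone because its address is in the known-good set, while the two bank entries are flagged.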
Lately, phishing is no longer limited to banking or financial schemes but has struck social networking sites such as
Facebook27 and MySpace28. The latest methods of communication are also being targeted, such as instant messaging,
Bluetooth, Wi-Fi, etc.29 Another evolving trend in phishing scams is to target the elderly. “As the elderly are members of
the newest demographic to venture into cyberspace, they are naturally the least educated about the dangers and
intricacies of phishing fraud.”30
Proposed solutions
“Like other types of fraud, cybercrime can be defeated through knowledge, common sense, and a few well-placed
security measures.”31 Essentially, the phishing threat needs to be countered through a three-pronged approach of
legislative, technical and enforcement measures. Each must work in tandem with, and complement, the others.
The legislative approach
Several laws have been enacted worldwide that deal specifically or incidentally with phishing. The US32, UK33 and
EU34 have extensive legislation in this context. Senator Leahy described the effect of the proposed US Anti-Phishing
Act, 2005 in this way:
The [Act] protects the integrity of the internet in two ways. First, it criminalizes the bait. It makes it illegal to knowingly
send out spoofed e-mail that links to sham websites, with the intention of committing a crime. Second, it criminalizes the
sham websites that are the true scene of the crime.35
Lord Goldsmith, the UK Attorney General commented on the UK Fraud Act 2006:
This reform is needed to enable prosecutors to get to grips with the increasing abuse of technology, particularly in
relation to fake credit card scams and personal identity theft, which costs millions of pounds every year.36
In India, the Information Technology Act, 2000 and its 2008 Amendment cover the phishing scenario. The 2008
Amendment introduced Section 66 C37 and Section 66 D38 to deal specifically with identity theft and cheating by
personation. Additionally, the provisions of Section 66 A39 regarding deception as to the origin of a message could also
be attracted in a phishing action. (Section 66 A was later struck down as unconstitutional by the Supreme Court of India
in Shreya Singhal v. Union of India (2015), so it can no longer be invoked.)
Prior to the 2008 Amendment, a phishing action was covered under Section 4340 which refers to damage to
computer systems and Section 6541 and Section 6642 which deal with tampering and computer related offences. Also
Section 7243 and Section 7444 of the IT Act, 2000 have implications on the phishing scenario. These sections still
continue to be extremely relevant. The 2008 Amendment supplemented Section 72 with Section 72 A45, completely
revamped Section 66 and added clauses to Section 43 thus making the offences more defined and expansive especially
in context of phishing. The 2008 Amendment also introduced Section 43 A46 which places liability on a body corporate
not to be negligent in securing personal data, and Section 70 B which provides for constituting an Indian Computer
Emergency Response Team.
Furthermore, under the Indian Penal Code, phishing can attract liability under the heads of cheating, mischief, forgery
and abetment. Possible ancillary action in a phishing case could occur under the Trade Marks Act, 199947 and the
Copyright Act, 1957. 48
Technical approach
The US House of Representatives observed: “[t]here is no silver bullet to end spyware or phishing but greater
consumer awareness and use of available technological countermeasures clearly hold the greatest promise for curbing
these abusive practices.”49 Increasing consumer awareness alone is not sufficient to solve the phishing problem; it must
be coupled with technological improvements. Fortification needs to be provided at three logical layers: the consumer
side,50 the server side and the enterprise level.
Enforcement approach
Indian cyber enforcement agencies should adopt proactive, consumer-friendly monitoring similar to that carried out by
US and European agencies. This could include maintaining a blacklist notification service, running honeypot decoy and
padded-cell operations, maintaining an accessible system for reporting phishing messages, attempts and victims, and
deploying online phishing radars to track individual computers and networks used for phishing scams and other types
of online fraud.
Conclusion
The final fallout of cyber attacks is diminished trust in the internet as a medium for storing and conducting confidential
and personal transactions. Effective cyber security ensures the safekeeping of the digital infrastructure and of online
transactions and data integrity. This is extremely important for the stability and spread of the information technology
model, and it ultimately rests on building consumer confidence. The difficulty, however, is that the internet-based society
has no physical boundaries, and much traffic therefore escapes national jurisdiction. Developing countries, India in
particular, should be most concerned with this. Lack of security can and will effectively spoil the benefits of the internet,
on both an economic and a governmental scale.
Furthermore, failure to ensure adequate minimum security standards will negatively affect the rest of the world, and
might even lead to a refusal to deal with a particular country. Countries should be aware, however, that with the current
pace of technological development and the international dimension of cybercrime, an accommodation needs to be
reached for a unitary yet decentralised global enforcement model. The European Union has attempted such a
harmonised implementation of cyber regulation; however, the model still has many complications and compliance
issues. Furthermore, it is clear that international cooperation cannot be limited to technological considerations;
legislation and enforcement must also play a determining role. Phishing is one such cyber offence that transcends
national boundaries in a manner that renders this form of organised crime a global concern. Of course, the most
obvious way to combat phishing is to stop it arising in the first place; hence the key is to raise global awareness.
*PhD scholar, Indian Law Institute, Delhi; LLM (Intellectual Property Law), The George Washington University Law
School, Washington DC; PGD-Cyber Laws, Indian Law Institute, Delhi; LLB (Hons), University School of Law and Legal
Studies, GGS Indraprastha University, Delhi.
- Jennifer Lynch, “Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing
Information Systems.
- Stevenson, supra, n. 4 quoting 150 Cong Rec S7897-02 (daily Edn. 9 7 2004) (statement of Sen. Leahy).
- 66-C. Punishment for identity theft.—Whoever, fraudulently or dishonestly make use of the electronic signature,
password or any other unique identification feature of any other person, shall be punished....
- 66-D. Punishment for cheating by personation by using computer resource.—Whoever, by means of any communication
device or computer resource cheats by personating, shall be punished....
- 66-A. Punishment for sending offensive messages through communication service, etc.—Any person who sends, by
means of a computer resource or a communication device,— * * *
- (c) any electronic mail or electronic mail message … to deceive or to mislead the addressee or recipient about the
origin of such messages, shall be punishable.
- Section 43 titled “Penalty and Compensation for damage to computer, computer system, etc.” makes the following
contraventions in context of a computer, computer system or computer network or computer resource liable to damages
by way of compensation to the person so affected: (a) accesses or secures access; (b) downloads, copies or extracts
any data, computer data base or information; (c) introduces or causes to be introduced any computer contaminant or
computer virus; (d) damages or causes to be damaged; (e) disrupts or causes disruption (f) denies or causes the denial
of access; (g) provides any assistance to any person to facilitate access; (h) charges the services availed of by a person
to the account of another person by tampering with or manipulating; (i) destroys, deletes or alters any information … or
diminishes its value or utility or affects it injuriously; (j) steal, conceals, destroys or alters or causes any person to … any
computer source code … with an intention to cause damage.
- 65. Tampering with computer source documents.—Whoever knowingly or intentionally conceals, destroys or alters or
intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer,
computer programme, computer system or computer network, when the computer source code is required to be kept or
maintained by law for the time being in force, shall be punishable....
- 66. Computer related offences.—If any person, dishonestly or fraudulently, does any act referred to in Section 43, he
shall be punishable....
- 72. Penalty for breach of confidentiality and privacy.—... any person who, in pursuance of any of the powers conferred
under this Act … has secured access to any electronic record…without the consent of the person concerned discloses
such electronic record … shall be punished….
- 74. Publication for fraudulent purpose.—Whoever knowingly creates, publishes or otherwise makes available a Digital
Signature Certificate for any fraudulent or unlawful purpose shall be punished….
- 72-A. Punishment for disclosure of information in breach of lawful contract.—…any person including an intermediary who,
while providing services under the terms of lawful contract, has secured access to any material containing personal
information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful
gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other
person, shall be punished….
- 43-A. Compensation for failure to protect data.—Where a body corporate, possessing, dealing or handling any sensitive
personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and
maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any
person, such body corporate shall be liable to pay damages by way of compensation….
- By their very nature, spoofed e-mails and websites will contain unauthorised reproductions of the target company’s
trade marks. Thus, this Act gives companies several primary civil actions for trade mark violations.
- Just like trade mark violations, spoofed e-mails and websites will also entail copyright violations.
- Stevenson, supra, n. 4 quoting H.R. REP NO. 108-698, at 5.
- Proactive safeguarding on the consumer’s side, such as anti-virus, firewall, spam protection, e-mail verification, etc.
should be undertaken.