
Introduction

Not so long ago, CERT-In (the Indian Computer Emergency Response Team) issued a public warning advising citizens to stay alert when interacting on any online forum, as it anticipated a large-scale phishing attack that could potentially harm over 2 million people. The recent and still ongoing SARS-CoV pandemic ground the entire world to a halt and crippled every profession and business. The effects of a large-scale, worldwide pandemic were apparent on people: everyone was suffering... almost everyone. This period of global cacophony and pandemonium was the perfect storm for the scammers and looters who wait in the shadows of the internet. People staying at home under lockdown and medical guidelines meant more traffic online, and the ongoing medical crisis had people standing up to help each other. Scammers saw this as a golden opportunity to cast their hooks as they went ‘phishing’. Posing as private health organisations, government-funded aid projects, or relatives of those affected through fake social media accounts, they scammed a large part of the population out of their hard-earned money. Identity theft and phishing together form a detailed and wide concept. In order to ascertain the implications of phishing, rate the level of legal enforcement around it, and construct a way forward, it is essential that we take a closer look at the concept itself.

What is ‘phishing’

Phishing has become so frequent and so rampant on the internet that the Oxford English Dictionary included the term in one of its recent editions, thereby stamping its validity and adding it to the lexicon.

Generally speaking, phishing is a type of social engineering, distinguished by the use of deceit to influence unsuspecting victims into parting with personal and/or confidential information such as ATM PINs, passwords and bank account details, which is eventually used to create a false identity and inflict damage upon the victim by initiating fraudulent transactions and interactions. This act of deception, carried out by fraudulent entities operating under the cloak of a trusted name, is what has been termed phishing.

Although the dark and shady corners of the internet are bustling with new ideas and strategies for inflicting scams and phishing upon unsuspecting victims, it has been possible to earmark and categorise these attacks into groups characterised by the strategy and means the scammers adopt. Some of them are:

1. “Man in the middle” attacks: also called middleman attacks, this category of phishing attack is carried out by the fraudulent entity placing itself between the eventual victim and the authentic, official online forum; from that perch the attacker intercepts and proxies the interaction between the two parties. This mode of attack requires a higher degree of technical nuance and can be mounted against both HTTP and HTTPS servers. It is a real-time scam: when the unsuspecting victim initiates communication with the official servers, the traffic is intercepted by the attacker's server perched in the middle. That server makes its own connection to the authentic server and then proxies all the interaction that takes place between the two parties. The method is particularly effective because of where the attacker's server is placed.
2. “URL obfuscation” attacks: as the name makes obvious, this category of phishing attack involves obscuring or altering the URL of an authentic, official internet entity and baiting potential victims into clicking on these malicious links, which then open a page that is a perfect imposter of the authentic website. Once the victim enters their personal details into the system, the scam is complete. A key aspect of this scam is that, although it is relatively simple, it exploits the psychological fact that our brains do not register a slight change within a clump of letters. The scam incorporates minute changes within the URL, and more often than not the victims are not even aware that they have been had. This act of URL manipulation involves altering and tinkering with the TCP/IP protocols.
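The URL obfuscation attack above is the one most amenable to mechanical detection on the defender's side. As an added example that is not part of the essay, the Python script below checks a URL against a constructed allow-list of trusted domains and reports the lookalike tricks the text describes, going somewhat beyond its single "slight change in the letters" case: a trusted brand name used inside some other host or in the URL path, digit-for-letter substitutions, punycode (IDN) labels, user-info before an '@', raw IP hosts and one-character typosquats. The domain names in `TRUSTED_DOMAINS`, the `CONFUSABLES` table and the sample URLs are assumptions made for the demo; the two-label `registrable()` helper ignores multi-part public suffixes such as `co.uk`, so a production filter would use the public suffix list instead.

```python
"""Lookalike-URL checker (added defender-side example, not from the essay).

Given a URL and the domains an organisation actually trusts, it reports the
URL-obfuscation tricks the essay describes: a trusted brand name used inside
some other host or path, digit-for-letter substitutions, punycode (IDN)
labels, user-info before an '@', raw-IP hosts and one-character typosquats.
TRUSTED_DOMAINS, CONFUSABLES and the sample URLs are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list; a deployment would load its own from config.
TRUSTED_DOMAINS = ("example-bank.com", "example-mail.net")

# Character sequences commonly swapped for the letters they resemble.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
               "5": "s", "7": "t", "8": "b"}


def normalise(label: str) -> str:
    """Fold confusable sequences back to the letters they imitate."""
    out = label.lower()
    for lookalike, letter in CONFUSABLES.items():
        out = out.replace(lookalike, letter)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host.  Assumption: no multi-part public suffixes
    such as co.uk; a real checker would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return {'host': ..., 'trusted': bool, 'findings': [...]}.

    'trusted' is True only when the registrable domain is exactly one of the
    trusted domains and no structural trick was found.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    findings = []

    # Structural tricks that do not depend on the allow-list.
    if parts.username is not None:      # http://example-bank.com@203.0.113.5/
        findings.append("userinfo-before-at")
    try:
        ipaddress.ip_address(host)      # bare IP instead of a domain name
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")

    reg = registrable(host)
    if reg in trusted:
        return {"host": host, "trusted": not findings, "findings": findings}

    reg_name = reg.split(".")[0]
    for t in trusted:
        brand = t.split(".")[0]
        if t in host or brand in host:
            # e.g. example-bank.com.login-verify.example or example-bank-secure.com
            findings.append(f"brand-in-host:{t}")
        elif brand in parts.path.lower():
            # e.g. http://203.0.113.5/example-bank.com/login
            findings.append(f"brand-in-path:{t}")
        elif normalise(reg_name) == brand:
            # e.g. examp1e-bank.com or exarnple-bank.com
            findings.append(f"confusable-of:{t}")
        elif edit_distance(reg_name, brand) == 1:
            # e.g. exampl-bank.com
            findings.append(f"typosquat-of:{t}")
    return {"host": host, "trusted": False, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs for the demo.
    for sample in ("https://www.example-bank.com/login",
                   "https://example-bank.com.login-verify.example/",
                   "http://examp1e-bank.com/",
                   "http://203.0.113.5/example-bank.com/login"):
        print(sample, "->", analyse_url(sample))
```

The checker is deliberately conservative in one direction: anything that is not exactly a trusted registrable domain is reported as untrusted, and the findings list only explains why the URL looks like a lookalike. Used in a mail gateway or browser extension, the findings would drive a warning banner rather than a hard block, since substring matches such as `brand-in-host` will also fire on legitimate third parties that mention the brand.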

Phishing is a rather innovative and dynamic method of fraudulently obtaining information from naive victims who are not as familiar with the internet age and are still adjusting to this sudden shift in communication and information. It is a hit-and-miss sort of crime that combines psychology, social engineering, technical nuance and mala fide intent to create fraudulent baits designed to cultivate interaction and involvement from potential victims. This can be done by creating identical, innocuous-looking web pages, or by placing oneself within the communication bubble without setting off any alarms. These scams do not always involve large sums of money and they are not complicated: essentially, scammers masquerade as trustworthy, well-meaning entities on the internet, engage in miscommunication and dupe people into surrendering confidential information of their own accord, and in most cases the victims never even find out exactly when they were compromised.

Originally these scams started as email frauds involving masked URLs and clickbait pages to entice the victim into entering personal information; in this age, however, they evolve every second as their frequency increases at an exponential rate. It is of serious concern that, despite the global pandemonium surrounding phishing attacks and the protection of e-commerce from these raiders and looters, India has remained extremely passive on the law-enforcement front. The knowledge gap is wide, as the general populace is blind to the concept of phishing and the risks it poses. Although certain key legislation has been passed on the issue, its overall enforcement by the executive and judiciary has been underwhelming.

Online scams and the prevalence of phishing

Scammers online conduct their nefarious business to falsely acquire two major things. One is rather simple and straightforward: money; the other, more nuanced and sometimes ignored by the common populace, is personal data. It is widely acknowledged that data is the most valuable commodity that exists today. Many well-reputed organisations have been found guilty of data grabbing, and although awareness of this issue has risen, there is still a long way to go. Data theft can involve any personal information the victim possesses, ranging from photos, email addresses, geographical locations and preferences to passwords and bank account details. Even the minutest and seemingly harmless piece of personal information can be used against the potential victim by facilitating ‘identity theft’, which involves obtaining someone else's personal details and using them for fraudulent personal gain, from misrepresentation on a website to fraudulent bank transactions. This activity of fraudulently obtaining someone else's information is, in essence, phishing.[1]

Phishing was first made illegal in India by a major judgment of the Hon’ble High Court of Delhi; coincidentally, this was also the first time the term ‘phishing’ was defined by the Indian judiciary. In this landmark judgment the Hon’ble High Court gave the following definition: “a form of internet fraud where a person pretends to be a legitimate association, such as a bank or an insurance company in order to extract personal data from a customer such as access codes, passwords, etc. Personal data so collected by misrepresenting the identity of the legitimate party is commonly used for the collecting party’s advantage”.

[1] NASSCOM v Ajay Sood & others [2005] (30) PTC 437 Del

The modern age is very technology dependent, and the switch towards technology has been as rapid as it is recent. Scammers operating online use a plethora of tricks to shield their identity and hide their tracks on the internet. An open online forum is akin to the Wild West when it comes to the presence of gangs of looters and very limited, archaic law enforcement. These gangs of looters, just as in the days of the Wild West, pose as upstanding citizens and merchants by creating pages, websites and platforms that portray them as associated with reputed brands like Facebook or Amazon, or they set up fake personal accounts on social media by obtaining personal information and scam family members into giving them money. Naïve consumers or family members get roped into these schemes and end up paying for counterfeit, local and cheap products that were showcased as original and authentic on the fraudulent website. That is when the consumers are lucky, because in many cases the naïve victims are not given anything in return: the moment the payment goes through, the scammers shut down the website or fake social media ID and move on to find the next chump. A rather recent mode of scam is the ‘subscription scam’, in which online scammers project the promise of a service or commodity on a subscription basis and demand upfront payment for a lengthy period. These scammers can offer subscriptions to anything from magazines and dietary supplements to insurance and leases. A good example is the small online scams associated with subscribing to National Geographic magazine: there are many fake websites, ads and forums that impersonate this reputed brand and simply steal money from their victims.[2]

[2] cf (n 4) 8

The Indian legislature and judicial landmarks

When we look at the effectiveness of the legislature in mitigating the damage done by phishing, we must remember that both elements of phishing have to be comprehensively dealt with, i.e. the false identity and the fraudulent acquisition of data. Although phishing has never been explicitly mentioned in any statute, the legal framework has taken cognizance of the lack of penalty for such crimes. In addition, the Hon’ble Supreme Court of India has adjudged these nefarious activities a “crime against society”.

If we look at the criminal aspect of phishing, which involves the creation of a false identity for the purpose of fraudulently initiating transactions on behalf of the victim, the IT Act, 2000 safeguards against, and penalises, crimes committed over the internet that involve false identities, a particular class of cybercrime. Specifically, section 43 of the IT Act lays down a list of offences, which includes “unauthorised access to a computer resource”, thereby penalising the act of obtaining confidential information. Punishable with imprisonment of up to 3 years and/or a fine of up to INR five lakhs, this is a serious offence, and repeat offenders face increased limits of imprisonment and fine. It is pertinent to mention here that the term ‘computer resource’ refers not only to CPUs and memory disks but also to passwords and digital signatures.[3] The IPC also encompasses the criminal act of phishing under the heads of forgery,[4] cheating[5] and fraudulently inducing delivery.[6]

Furthermore, the SPDI Rules, 2011 also have a bearing on the mechanisms that influence phishing. These rules govern entities that handle confidential and personal information of the general population. They mandate that such entities store only the minimum amount of data essential for the task they are conducting, and they require the incorporation of various safety and security measures.

Separately, RBI directives also encompass this ever-pervasive issue of phishing. Regulations on the collection of commercial and transactional data mandate that such sensitive material be kept only on servers located within the country. Although the intent of this mandate is to facilitate the RBI's inspection of the data, the domestic placement of these servers also aids the enforcement authorities in case of an attack. The RBI has also mandated a Cyber Security Framework which lays down: (a) minimum cyber-security measures to be taken by banks; (b) the institution of cyber-security centres within banks; and (c) mechanisms for informing the RBI of any breach of cyber security.

[3] ‘Computer resource’ includes data and a database - Section 2(k), IT Act
[4] Section 463 of the IPC
[5] Under section 419 of the IPC
[6] Under Section 420 of the IPC

IDBI Bank v. Sudhir S. Dhupia[7]

This recent case upheld one of the earliest landmark judgments on the issue of ‘phishing’, i.e. the legendary case of S. Umashankar v. ICICI Bank,[8] which laid down that “an entity can be held liable if it fails to establish that due diligence was exercised to prevent unauthorized access as mandated by Section 43 of the IT Act”.[9] The facts of the instant case were those of a characteristic phishing attack: the victim had been sent a malicious, fraudulent communication by electronic mail masquerading as an official communication from IDBI Bank's authentic email address. The email was intended to entice the victim into transferring funds into another, fraudulent bank account. The victim fell for it and eventually sued the bank before the Telecom Disputes Settlement and Appellate Tribunal. The TDSAT held that the bank must pay a penalty of INR 1,00,000/- to the victim, resting the liability upon the appellants. The tribunal acknowledged that such phishing scams are within the control of neither party, yet noted that IDBI Bank should have incorporated better mechanisms to reduce the chances of such a phishing attack succeeding. In the end, IDBI Bank was found wanting in digital safeguards against cyber attacks and was held liable under Section 43 of the Information Technology Act. From this we can detect a trend within the Indian judiciary in cases involving phishing attacks: the judiciary's inclination is to settle the blame on the corporate entity if it is found lacking or negligent in its due diligence in instituting a framework that protects against cyber crimes.

International ideologies on phishing

As is the nature of the beast, e-commerce transactions are carried out over the internet on online forums (apps, websites, etc.) where, despite being in contact, the parties to the transaction are almost never in geographical proximity. This boon of instant communication, expeditious logistics and a shrinking global market comes with its problems, one of them being jurisdiction. Jurisdictional issues in e-commerce pose a real dilemma, since the parties to the transaction may be situated in different countries or even continents. The geographical distance and the dividing sovereign boundaries complicate the judicial authorities' task of binding all the parties to the transaction, and so a more or less uniform approach to these conundrums can help resolve the issues at an expedited rate. It is pertinent to look at how other nations have attempted to traverse these unfamiliar and rather recent waters.

[7] TDSAT | IDBI Bank found guilty of violation of S. 43-A IT Act; held, corporate entity dealing with personal sensitive information/data has obligation without any exception | SCC Blog (scconline.com)
[8] https://cms.tn.gov.in/sites/default/files/documents/adjudication_order.pdf
[9] https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf

The United States of America has developed the doctrine of ‘minimum contact’ to combat this issue. The Hon’ble Supreme Court of the USA established the minimum contact rule in the landmark judgment of International Shoe v. Washington,[10] in which the premier judicial body laid down that a defendant must have ‘minimum contact’ with the domestic jurisdiction for a national tribunal to try a case involving a party from outside the local jurisdiction. As per the codified letter of the law of civil procedure, a defendant must not be tried, and thereby made subject to the jurisdiction, unless he voluntarily accessed and subjected himself to the local jurisdiction by having minimum contacts with the associated forum. This immediately raises a question about the nature of minimum contact and the measure of its tangibility. Subsequent decisions of the courts within the USA further elaborate the concept of minimum contact and help answer that question. In the landmark case of Zippo Manufacturing Co. v. Zippo Dot Com Inc.,[11] the courts laid down that in order to establish personal jurisdiction it is of paramount importance to categorise the characteristics and elements that make up the commercial activity or transaction. In this judgment the courts distinguished between passive, non-transactional forums, whose purpose is essentially to educate and market products by making relevant information available, and active, transactional forums that facilitate and provide for economic activity. While the latter were held to fulfil the element of minimum contact, the former were clarified as not possessing the key elements that constitute minimum contact, which precludes the party from being subjected to personal jurisdiction. Thus it is fair to conclude that the extent of interactivity and commercial traffic is a key factor in decoding the enigma of jurisdiction. There must exist a persistent and systematic measure of interactivity between the defendants and the associated external forum in order to establish personal jurisdiction.[12]

[10] cf vishwanathan (n 9) 291
[11] Ibid 296

The European Union has a very distinct way of looking at and resolving the question of jurisdiction. The EU has evolved a two-pronged approach to the jurisdictional dilemma where commercial e-commerce transactions conducted over the internet through online forums are concerned. The EU has devised two key directives that lay down the legal structure within which e-commerce functions: the Consumer Rights Directive (2011) and the Electronic Commerce Directive (2000).[13] While the Consumer Rights Directive aims to encode the equity and rights of consumers in any commercial transaction with any entity within the jurisdictional boundary of the European Union, the Electronic Commerce Directive lays down the framework of rules, regulations and directives that govern the functioning of electronic commerce, and the redressals arising out of it, from jurisdiction to judgment. These directives establish the concept of distance contracts and, under Art. 6, provide the basic requirements for the information to be supplied in such contracts. They go on to determine the basic requirements that distance consumer contracts must meet, as mentioned in Art. 8. Another task performed by virtue of these directives is the regulation and intimation of the rights of withdrawal under Arts. 9-16.[14]

In a sharp departure from the Indian laws, these consumer-oriented directives of the European Union mandate a duty upon the merchant to clarify and intimate to the consumer the obligation to pay, and also require that the specific consumer categorically acquiesces to this obligation. Where electronic buttons are used to initiate payment at the click or touch of the consumer, clear, proper and straightforward labelling must be incorporated to dispel any confusion in the consumer's mind. This bit of wisdom, which promotes clarity and discourages contention and conflict, is laid down under Art. 8.[15] The article further provides for specific scenarios where labelling is complicated by a limitation of display size or medium, such as mobile phone screens or other such limited forums. Art. 8(4) further places an obligation upon the vendor to display and/or convey, under the buttons, at least the basic minimum information essential for the consumer, so as to enable the consumer to make a sound and informed decision and not be duped by any malpractice. Art. 22 of the consumer directive sets out the codified law that requires the vendor to abolish clandestine and unjustified transaction charges and costs as a whole. It lays down an obligation upon vendors to duly inform consumers, in advance, of any hidden charges or costs that are payable over and above the agreed, displayed or advertised price, and it also places upon the vendor the essential obligation to obtain a specific acceptance for these overhead charges.[16] Furthermore, Art. 19 and Art. 27 complement the previous article in its endeavour to abolish hidden charges by safeguarding consumers against unwanted and needless price hikes caused by vendors charging extra for a particular mode of payment, and by relieving consumers of any obligation to pay for unsolicited goods that have been packaged with the products chosen by the consumer.[17]

[12] cf vishwanathan (n 9) 297
[13] Andrej Savin, EU Internet Law (1st edn, Edward Elgar Publishing 2013) 166
[14] ibid
[15] cf (n 35) 167

The Electronic Commerce Directive performs a similar role, helping to codify the laws and regulations that serve as the framework for the functioning and operation of e-commerce within the EU's sovereign and jurisdictional boundaries by propounding rules on controversial and conflicting topics including, but not limited to: transparency of information flow, the information required of online vendors by the authorities and by consumers, the recognition of contracts executed within these electronic forums over the internet, and the cap on the liabilities that can be imposed on intermediaries.[18] The directives under Art. 5 seek to secure, verify and authenticate key aspects of e-commerce such as the vendor's identity, place of incorporation and pricing policies as a means to promote transparency within the foggy marshes of internet marketing and commercial forums.

Shortcoming of the current state of enforcement

On top of all the obvious barriers and complications involved in governing the internet and the commercial transactions that take place on it, such as lack of spatial knowledge, questions of jurisdiction, daily technological advancement and the lack of any physical identity, these scenarios are further complicated by the mood and temperament of the victims. More often than not, in these cases, the victims do not report such instances of online scamming. The average consumer chooses to switch social media websites or create a new account rather than try to recover the previous one. The average consumer is hesitant to acknowledge having been duped of their data and personal details by a fake website created by a stranger on the internet, and instead of reporting the infraction to the relevant authorities chooses alternative channels to update those details or start anew. For example, a person who has been fraudulently induced to send their ATM card details will more often than not choose to call the bank and get the card blocked, instead of, or in addition to, reporting the incident to the authorities set up to deal with such crimes. This lack of reporting and cavalier attitude towards incidents of phishing and identity theft has left the average consumer with a false sense of security regarding the possibility of becoming a victim, and this in turn has left them unaware of the methods and mechanisms that exist to protect and defend them over the internet. It is very common to see stories on social media about a failed scam call, or about a successful identity theft inflicted upon someone else. It is very rare to come across a post detailing a phishing scam of which the poster was themselves the victim.[19]

[16] cf (n 35) 168
[17] ibid
[18] cf vishwanathan (n 9) 308

This pattern of victim behaviour is influenced by the stigma associated with getting duped on the internet, by what is considered a trap only the negligent and naïve fall for. Therefore the reported cases of phishing scams remain a drop in the ocean of the actual number of successful scams inflicted every day. The plight of the naïve consumer is exacerbated by a severe lack of any concrete and foolproof framework or legislation at the international level to govern these murky waters. The internet is becoming commonplace, and we are all connected to it in one way or another, children and adults alike. The arena of e-commerce and online interaction cannot be allowed to remain in the dark ages. There is an urgent need within this sphere for a unilateral and unifying piece of binding legislation that functions across sovereign boundaries, since the protection and legal enforcement offered to victims today is limited by geographical and spatial jurisdiction.[20]

[19] cf (n 4) 12
[20] cf (n 4) 12

Conclusion

In the internet era it has become very easy for certain black-hearted individuals to create false identities and masquerade as reputable, well-meaning entities, which in turn gives them the power and opportunity to manipulate and dupe naïve victims into (in most cases) voluntarily giving up their confidential information. Phishing runs rampant within the sphere of e-commerce and internet transactions. Data suggests that phishing has become the easiest method of stealing data.[21] It is a modern-day, internet-age crime that evolves daily and needs constant and vigilant governance. The entire world is on high alert when it comes to phishing attacks, yet India still lags behind in every aspect of this cyber crime.

The lack of any binding and complete legislation on the matter, coupled with the hesitancy and unfamiliarity of the Indian courts, has resulted in an atmosphere where the lack of knowledge about these crimes is now a major contributory factor. It becomes very improbable for the authorities to raise awareness of an issue that is technical and seems never to be reported in the popular media. The legislature is only now recognising the need for an all-encompassing framework capable not only of regulating these matters but also of carrying penal consequences. The judiciary has also in recent times delivered a few landmark judgments that have cleared the air surrounding such attacks, so there is light at the end of the tunnel.

Finally, moving forward, we need to understand that these crimes are (for the time being) here to stay, especially given the state of international legislation on this issue. Raising awareness and constant vigilance are the only way forward. Rules and laws are welcome, but they generally act post facto, whereas these crimes can for the most part be averted by raising awareness and exercising caution, and it is towards these ideals that we must take our first step.

[21] https://economictimes.indiatimes.com/tech/internet/phishing-is-the-most-common-way-to-steal-information-report/articleshow/70796928.cms
