
ONLINE FRAUD

SUBMITTED BY,
SIDDU HALASHETTI
B.A. LLB
JKA22053
JSS LAW COLLEGE

SUBMITTED TO,
USHARANI M.C
ASSISTANT PROFESSOR
DEPARTMENT OF LAW
JSS LAW COLLEGE
TABLE OF CONTENTS

1. Table of Contents
2. Introduction to Online Fraud
3. Types of Online Fraud
   1. Phishing scams
   2. Vishing scams
   3. Smishing scams
   4. UPI fraud scams
4. Laws relating to online fraud
5. Famous case laws relating to online fraud
6. Conclusion

Introduction To Online Fraud
Fraud that is committed using the internet is “online fraud.”  Online fraud can involve financial fraud
and identity theft.
Online fraud comes in many forms.  It ranges from viruses that attack computers with the
goal of retrieving personal information, to email schemes that lure victims into wiring
money to fraudulent sources, to “phishing” emails that purport to be from official entities
(such as banks or the Internal Revenue Service) that solicit personal information from
victims to be used to commit identity theft, to fraud on online auction sites (such as eBay)
where perpetrators sell fictional goods.  The methods used by perpetrators of online fraud
are constantly evolving.

On this page, “Online Fraud” is used as an umbrella term to encompass both financial fraud
and identity theft.  Financial fraud and identity theft can be separate or related crimes. 
Identity theft happens when a person’s identity is used to commit, aid, or abet any unlawful
activity.  Often financial fraud can lead to identity theft.  For example, an offender may send
an email to a victim, pretending to be from a bank and ask for the victim’s bank account
information.  If the victim releases that information and the offender drains the victim’s
bank account, a financial fraud has been committed.  The offender may then also use the
victim’s personal information to create additional bank accounts through which money is
laundered, or to open additional credit cards.  This second piece is identity theft.  It is
important to recognize that the crimes of financial fraud and identity theft are distinct
crimes, but that at times they may be interrelated.  You should follow steps to protect
yourself against both types. 

Types Of Online Fraud
Cyber criminals use a variety of attack vectors and strategies to commit internet fraud. This
includes malicious software, email and instant messaging services to spread malware,
spoofed websites that steal user data, and elaborate, wide-reaching phishing scams.
Internet fraud can be broken down into several key types of attacks, including:
1. Phishing and spoofing: The use of email and online messaging services to dupe
victims into sharing personal data, login credentials, and financial details.
2. Data breach: Stealing confidential, protected, or sensitive data from a secure
location and moving it into an untrusted environment. This includes data being
stolen from users and organizations.
3. Denial of service (DoS): Interrupting traffic to an online service, system, or
network with malicious intent.
4. Malware: The use of malicious software to damage or disable users’ devices or steal
personal and sensitive data.
5. Ransomware: A type of malware that prevents users from accessing critical data
and then demands payment in exchange for the promise of restoring access.
Ransomware is typically delivered via phishing attacks.
6. Business email compromise (BEC): A sophisticated form of attack targeting
businesses that frequently make wire payments. It compromises legitimate email
accounts through social engineering techniques to submit unauthorized payments.

Let’s now delve into the types of online fraud that are committed against consumers.
These are the major ones:
1. phishing scams
2. vishing scams
3. smishing scams
4. UPI fraud scams

1. PHISHING SCAMS
This is probably the method cybercriminals use the most. It involves sending fraudulent
emails that direct customers to a fake website that looks like their bank’s. This may also
occur on Facebook, with fake fan pages that post fraudulent content and request confidential
information from users.
Phishing cybercriminals frequently use fake campaigns to update customer data, or ask
customers to sign up for a sweepstakes that the bank is supposedly holding. Fraudulent
websites request information like IDs, online banking passwords, credit card numbers, and
even the security code, with which they can make online purchases unbeknownst to the
customer.
The first line of defence against phishing is using common sense to not provide confidential
information. If you are already a customer of the bank, the financial institution handles this
information securely and would never send an email requesting this data. Banks never send
emails like “you won a prize” or “unblock your account”. Finally, if you do click on the link,
always check the URL of the website. It should have the icon of a lock before the name and
start with “https”.

2. VISHING SCAMS
This term comes from the combination of two words: voice and phishing. It refers to the
type of threat that involves a fraudulent phone call using information previously obtained
online.
This method consists of two steps. First, the cybercriminal steals confidential information
by email or on a fraudulent website (phishing), but needs the SMS password or digital
token to carry out and validate an operation. This is when the second step takes place. The
cybercriminal calls the customer on the phone, claiming to work for the bank. Using
particularly alarming messages, the cybercriminal tries to get the customer to reveal the SMS
password or digital token needed to authorize transactions.
In these circumstances, a customer should never reveal this kind of information to
anyone because it is the key to authorizing transactions. The customer should hang up
immediately and contact their bank to report what happened. The bank will never contact
customers to request sensitive and confidential information on passwords and PINs.

However, even this may not be foolproof, as there are caller-ID spoofing devices that mask
the real number and allow the scamster to display a fake number. So I will give you a simple
tip: enter the wrong PIN when asked for it. A genuine system would already have your
PIN in the database and would say the PIN is incorrect, but a fake one would not.

3. SMISHING SCAMS

Just as phone calls are a means to try to trick customers, so are messages on WhatsApp or
text messages (SMS). This is where the method known as smishing gets its name.
This threat takes place when the customer receives a text message supposedly from their
bank saying that a suspicious purchase was made with his or her credit card. The text
message asks the customer to contact their bank, and gives a fake phone number. The
customer then returns the call and that’s when the cybercriminal, pretending to be the
bank, requests confidential information to cancel the purchase. Sometimes the message
also includes a link to a fraudulent website to request sensitive information.
The solution to smishing is to never pay attention to messages requesting data, a phone
call or an operation.

4. UPI Fraud Scams


UPI, or the Unified Payments Interface, created by the National Payments Corporation of India
(NPCI), is a digital payment platform that facilitates real-time cashless funds transfer
between two bank accounts via mobile phones and is regulated by the Reserve Bank of
India.
Exploiting this leap, scams have increased in number, with scammers devising new
phishing techniques to dupe users of their money.
One of the most common ways scammers do this is through ‘Request money’ or ‘Collect
money’ links. It typically involves the following steps:
Step 1. Scammer disguised as a genuine buyer contacts the user who wants to sell goods
online.

Step 2. Showing keen interest in purchasing the item, the scammer asks for the UPI ID
details for making the payment or an advance for booking.
Step 3. Instead of sending funds to the UPI ID, the scammer sends a ‘receive money’
request for the same amount that was negotiated with the seller.
Step 4. The scammer calls the user, stating that the funds have been sent, and asks the
user to accept the request on his phone. The unsuspecting user, not aware that he is
in fact agreeing to ‘pay’ the scammer, accepts the payment request and loses money from
his account.

Laws dealing with Online fraud

Most phishing attacks involve identity theft, cheating and forgery as the main offences.
The specific offences of online identity theft and cheating by personation using a computer
resource are covered under the Information Technology Act, 2000. Based on the facts of the
case, phishing cybercrime may also attract the provisions of Sec. 420 of the IPC for
cheating and dishonestly inducing delivery of valuable property and Sec. 463/468 of the
IPC for forgery of the electronic record, if applicable.

Information Technology Act, 2000


66C. Punishment for identity theft. - Whoever, fraudulently or dishonestly makes use of the
electronic signature, password or any other unique identification feature of another
person, shall be punished with imprisonment of either description for a term which may
extend to three years and shall also be liable to fine which may extend to rupees one lakh.

66D. Punishment for cheating by personation by using computer resource. – Whoever, by
means of any communication device or computer resource cheats by personation, shall be
punished with imprisonment of either description for a term which may extend to three
years and shall also be liable to fine which may extend to one lakh rupees.

Indian Penal Code, 1860

420. Cheating and dishonestly inducing delivery of property. – Whoever cheats and
thereby dishonestly induces the person deceived to deliver any property to any person, or
to make, alter or destroy the whole or any part of valuable security, or anything which is
signed or sealed, and which is capable of being converted into a valuable security, shall
be punished with imprisonment of either description for a term which may extend to seven
years, and shall also be liable to fine.
463. Forgery. – [Whoever makes any false document or false electronic record or part of a
document or electronic record, with intent to cause damage or injury] to the public or to
any person, or to support any claim or title, or to cause any person to part with property, or
to enter into any expressed or implied contract, or with intent to commit fraud or that fraud
may be committed, commits forgery.
468. Forgery for purpose of cheating. – Whoever commits forgery, intending that the
[Document or electronic record forged] shall be used for the purpose of cheating, shall be
punished with imprisonment of either description for a term which may extend to seven
years, and shall also be liable to fine.

Famous case laws relating to online fraud

ZERAN V. AMERICA ONLINE, INC. (1998)

About a week after the Oklahoma City bombings in April 1995, posts appeared on an AOL
messageboard offering items for sale that were printed with multiple exclamation point
witticisms such as, "Visit Oklahoma ... It’s a BLAST!!!" and "McVeigh for President 1996." The
posts directed users to contact Seattle resident Kenneth M. Zeran and listed the guy’s home
phone number. The posts were a bizarre prank — Zeran claimed not to know anything
about the messageboard or the items ostensibly for sale — but the phenomenon went viral
after an Oklahoma City radio DJ encouraged his listeners to express their outrage in Zeran’s
direction. For a while, Zeran received hundreds of angry phone calls per day and eventually
required protective assistance from the FBI at his home. He sued the radio station’s owners
for amplifying the prank and AOL for publishing the prank in the first place.

The radio station suit was interesting enough but the suit against AOL was monumental; it
had the potential to change everything about the web. Like Reno, it called into question an
element of the then-brand-new Communications Decency Act. But this time it wasn’t the
indecency provision, it was the law’s controversial section 230, which held that, "No
provider or user of an interactive computer service shall be treated as the publisher or
speaker of any information provided by another information content provider." A ruling in
Zeran’s favor would have called Section 230 into question and likely required every website
to vet every piece of content it published. This case allowed website owners to host
third-party content without having to worry about being prosecuted if someone published
something illegal on that website.
ZIPPO MANUFACTURING CO. V. ZIPPO DOT COM, INC. (1997)
Zippo Manufacturing, the well-known Pennsylvania lighter company, sued Zippo Dot Com, a
California web company that provided about 140,000 users with access to USENET
newsgroups. The court battle involved perceived trademark violations: The lighter company
wanted the web company to stop using the name Zippo.
A main point in this case was that the lighter company operated exclusively in Pennsylvania
while the internet company only conducted about two percent of its business in Pennsylvania
(where it had registered about 3,000 users).
Keeping that in mind, a Pennsylvania federal district court made the distinction between a
"passive" website and an "interactive" one. Because the internet company conducted an
interactive business — via forums, etc. — with the 3,000 or so Pennsylvania users, that was
enough to establish personal jurisdiction and force the internet company to relinquish the
Zippo name in Pennsylvania.
Zippo Dot Com (the USENET company, not the lighter manufacturer) went out of business
not long before the case ended but the decision established the Zippo Test, which asked
courts to consider whether a site was "passive," "interactive," or "commercial" as a way to
decide whether or not it should be held liable under a certain state’s laws.
Yes, the Zippo Test has evolved — and there are similar personal jurisdiction cases that are
worth knowing about and that call the Zippo Test into question for being too simplistic — but
the Zippo case had a huge impact on the internet for a long time.
SONY.SAMBANDH.COM CASE
India saw its first cybercrime conviction in 2013. It all began after a complaint was filed by
Sony India Private Ltd, which runs a website called www.sony-sambandh.com, targeting
Non-Resident Indians. The website enables NRIs to send Sony products to their friends and
relatives in India after they pay for them online.
The company undertakes to deliver the products to the concerned recipients. In May 2002,
according to the cybercrime case study, someone logged onto the website under the
identity of Barbara Campa and ordered a Sony Colour Television set and a cordless
headphone. She gave her credit card number for payment and requested the products to be
delivered to Arif Azim in Noida. The payment was duly cleared by the credit card agency,
and the transaction was processed. After following the relevant procedures of due diligence
and checking, the company delivered the items to Arif Azim.
At the time of delivery, the company took digital photographs showing the delivery being
accepted by Arif Azim. The transaction closed at that, but after one and a half months the
credit card agency informed the company that this was an unauthorized transaction as the
real owner had denied having made the purchase.
The company lodged a complaint about online cheating at the Central Bureau of
Investigation which registered a case under Section 418, 419 and 420 of the Indian Penal
Code. The matter was investigated, and Arif Azim was arrested. Investigations revealed that
Arif Azim, while working at a call centre in Noida, gained access to the credit card number of
an American national, which he misused on the company's site.
The CBI recovered the colour television and the cordless headphone in this one-of-a-kind
cyber fraud case. In this matter, the CBI had evidence to prove their case, and so the
accused admitted his guilt. The court convicted Arif Azim under Section 418, 419 and 420 of
the Indian Penal Code - this being the first time that a cybercrime has resulted in a conviction.
The court, however, felt that as the accused was a young boy of 24 years and a first-time
convict, a lenient view needed to be taken. The court, therefore, released the accused on
probation for one year. The judgment is of immense significance for the entire nation.
Besides being the first conviction in a cybercrime matter, it has shown that the Indian Penal
Code can be effectively applied to certain categories of cyber crimes which are not covered
under the Information Technology Act 2000. Secondly, a judgment of this sort sends out a
clear message to all that the law cannot be taken for a ride.
BSNL, Unauthorized Access
In a leading cybercrime case, the Joint Academic Network (JANET) was hacked by the
accused, after which he denied access to the authorized users by changing passwords along
with deleting and adding files. Making it look like he was authorized personnel, he made
changes in the BSNL computer database in their internet users’ accounts.
When the CBI carried out investigations after registering a cybercrime case against the
accused, they found that the broadband Internet was being used without any authorization.
The accused used to hack into the server from various cities like Chennai and Bangalore,
amongst others. This investigation was carried out after the Press Information Bureau,
Chennai, filed a complaint.
In the verdict by the Additional Chief Metropolitan Magistrate, Egmore, Chennai, the
accused from Bangalore would be sent to prison for a year and will have to pay a fine of Rs
5,000 under Section 420 IPC and Section 66 of the IT Act.
Nasscom vs. Ajay Sood & Others
In a landmark judgment in the case of National Association of Software and Service
Companies vs Ajay Sood & Others, delivered in March, ‘05, the Delhi High Court declared
‘phishing’ on the internet to be an illegal act, entailing an injunction and recovery of
damages.
Elaborating on the concept of ‘phishing’, in order to lay down a precedent in India, the court
stated that it is a form of internet fraud where a person pretends to be a legitimate
association, such as a bank or an insurance company, in order to extract personal data from
a customer, such as access codes, passwords, etc. Personal data so collected by
misrepresenting the identity of the legitimate party is commonly used for the collecting
party’s advantage. The court also stated, by way of an example, that typical phishing scams
involve persons who pretend to represent online banks and siphon cash from e-banking
accounts after conning consumers into handing over confidential banking details.
The Delhi HC stated that even though there is no specific legislation in India to penalise
phishing, it held phishing to be an illegal act by defining it under Indian law as “a
misrepresentation made in the course of trade leading to confusion as to the source and
origin of the e-mail causing immense harm not only to the consumer but even to the person
whose name, identity or password is misused". The court held the act of phishing as passing
off and tarnishing the plaintiff’s image.
The plaintiff in this case was the National Association of Software and Service Companies
(Nasscom), India’s premier software association. The defendants were operating a
placement agency involved in head-hunting and recruitment. In order to obtain personal
data, which they could use for purposes of head-hunting, the defendants composed and
sent e-mails to third parties in the name of Nasscom.
The high court recognised the trademark rights of the plaintiff and passed an ex-parte ad-
interim injunction restraining the defendants from using the trade name or any other name
deceptively similar to Nasscom. The court further restrained the defendants from holding
themselves out as being associates or a part of Nasscom.
The court appointed a commission to conduct a search at the defendants’ premises. Two
hard disks of the computers from which the fraudulent e-mails were sent by the defendants
to various parties were taken into custody by the local commissioner appointed by the
court. The offending e-mails were then presented as evidence in court.
During the progress of the case, it became clear that the defendants in whose names the
offending e-mails were sent were fictitious identities created by an employee on
defendants’ instructions, to avoid recognition and legal action. On discovery of this
fraudulent act, the fictitious names were deleted from the array of parties as defendants in
the case.
Subsequently, the defendants admitted their illegal acts and the parties settled the matter
through the recording of a compromise in the suit proceedings. According to the terms of
compromise, the defendants agreed to pay a sum of Rs1.6 million to the plaintiff as
damages for violation of the plaintiff’s trademark rights. The court also ordered the hard
disks seized from the defendants’ premises to be handed over to the plaintiff who would be
the owner of the hard disks.
This case achieves clear milestones: it brings the act of “phishing” into the ambit of Indian
laws even in the absence of specific legislation; it clears the misconception that there is no
“damages culture” in India for violation of IP rights; and it reaffirms IP owners’ faith in
the Indian judicial system’s ability and willingness to protect intangible property rights and
sends a strong message to IP owners that they can do business in India without sacrificing
their IP rights.

Conclusion

Technology has changed the way we live in this digital and connected world. Unfortunately,
while we reap its benefits, various aspects of it are still to be clarified, and there is also a
need for law to curb cyber security issues, especially with respect to the data of users that is
hoarded by gigantic organizations. There is also an increase in cybercrime related to
extortion cases involving pornography, honey traps, etc.
Now that the mobile phone is becoming imperative for the smooth functioning of life
and an inevitable part of our lives, a phone carrying personal data that has been compromised
by a scammer can cause greater damage to an individual today than anyone could have
imagined a decade ago.
The need of the hour is to impart security and legal awareness among individuals so that
they can avoid this pitfall. Also, the laws need to keep pace with the next-gen tech
innovations that are inundating the cyber world. We have come a long way from the
inception of the Information Technology Act in the year 2000. There are effective redressal
mechanisms for resolving such issues. The available legal remedies, if enforced
properly, ensure that cyber fraud perpetrators are brought to justice and victims’ losses are
compensated.
