In computing, phishing is a form of social engineering, characterized by
attempts to fraudulently acquire sensitive information, such as passwords and
credit card details, by masquerading as a trustworthy person or business in an
apparently official electronic communication, such as an e-mail or an instant
message.
The purpose of phishing is to lure out personal information and steal the user's
identity and critical passwords, rob bank accounts and, in some cases, take over
the computer to perform activities that may not be legal. The term phishing and
its concept can be traced back to the 1990s and America Online (AOL). A group of
hackers who called themselves the warez community impersonated AOL employees.
This group is also known as the first "phishers." They collected login
credentials and personal information from AOL users.
Technical definition
Phishing attacks are the practice of sending fraudulent communications that
appear to come from a reputable source, usually by email. The goal is to steal
sensitive data such as credit card and login information, or to install malware
on the victim's machine.
Phishing is an attack that attempts to steal your money, or your identity, by
getting you to reveal personal information -- such as credit card numbers, bank
information, or passwords -- on websites that pretend to be legitimate.
How does Phishing work?
In phishing, a victim is first lured using a fraudulent email or other
communication method. The message is made to look as though it comes from a
trusted sender. If it fools the victim, he or she is coaxed into providing
confidential information, often on a scam website. Sometimes malware is also
downloaded onto the target's computer.
Types of phishing attacks
Deceptive Phishing
The most common type of phishing. The attacker attempts to obtain confidential
information from the victims and uses that information to steal money or to
launch other attacks. A common example is a fake email from a bank asking you
to click a link and verify your account details.
Spear Phishing
Spear phishing targets specific individuals instead of a wide group of people.
Attackers often research their victims on social media and other sites, so they
can customize their communications and appear more authentic. Spear phishing is
often the first step used to penetrate a company's defenses and carry out a
targeted attack.
Whaling
Attackers go after a "big fish", for example the CEO or president of a company.
These attackers often spend considerable time profiling the target to find the
opportune moment and means of stealing login credentials. Whaling is of
particular concern because high-level executives are able to access a great deal
of company information.
Pharming
Similar to phishing, pharming sends users to a fraudulent website that appears
to be legitimate. However, in this case, victims do not even have to click a
malicious link to be taken to the bogus site. Attackers can infect either the
user's computer or the website's DNS server and redirect the user to a fake site
even if the correct URL is typed in.
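As an added illustration (not part of the original article), the following Python triage routine applies the deceptive-phishing warning signs described above to the links in an HTML e-mail: visible link text that shows one URL while the href leads elsewhere, digit-for-letter lookalike domains, and a trusted domain name buried as a subdomain of an unrelated site. The e-mail body and the example-bank.com domain are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname of a full URL, or of a bare hostname such as www.example-bank.com."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
def registrable(host):
    """Last two labels; a production check would consult the public-suffix list instead."""
    return ".".join(host.strip(".").split(".")[-2:])
def lookalike(target, trusted):
    """Digit-for-letter swaps (1 for l, 0 for o) are a classic deceptive-phishing trick."""
    return target != trusted and target.translate(str.maketrans("10", "lo")) == trusted

def suspicious_links(html, trusted_domains):
    """Return [(href, reason)] for anchors that a phishing triage step should flag."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        target = registrable(host)
        # Visible text looks like a URL but the href leads to a different domain
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) and registrable(host_of(text)) != target:
            findings.append((href, "visible URL differs from href target"))
        for t in trusted_domains:
            if lookalike(target, t):
                findings.append((href, f"lookalike of {t}"))
            elif t != target and f".{t}." in f".{host}.":  # trusted name buried as a subdomain
                findings.append((href, f"{t} used as a subdomain of {target}"))
    return findings

# Constructed sample e-mail body (not from the page) imitating a bank notice
SAMPLE = ('<a href="http://example-bank.com.verify-login.net/acct">https://www.example-bank.com/login</a> '
          '<a href="https://examp1e-bank.com/reset">Reset password</a> '
          '<a href="https://www.example-bank.com/help">Help</a>')
```

Running `suspicious_links(SAMPLE, {"example-bank.com"})` flags the first two links and leaves the genuine help link alone.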
Legal definition
California became the first state in the USA to pass an anti-phishing law, the
Anti-Phishing Act of 2005. The act states that victims of phishing in California
are entitled to relief of the greater of either the actual cost of the damages
they have suffered or $500,000.
California's Anti-Phishing Act of 2005 defines phishing as:
It shall be unlawful for any person, by means of a Web page, electronic mail
message, or otherwise through use of the Internet, to solicit, request, or take
any action to induce another person to provide identifying information by
representing itself to be a business without the authority or approval of the
business.
In India, Phishing is a fraud that is recognized as cybercrime and attracts many
penal provisions of the Information Technology Act, 2000 (hereinafter referred
to as 'IT Act').
Following sections of the IT Act apply to phishing:
Section 43:
Any person who, without the permission of the owner of the computer, computer
system or computer network, accesses, downloads, introduces, disrupts or denies,
or provides any assistance to other people in doing so, can be held liable under
this section.
Section 66:
This section provides for punishment if the accounts of a victim are compromised
by a phisher. Whoever does any act mentioned in Section 43 of the IT Act shall be
imprisoned for a term which may extend to three years, or fined up to five lakh
rupees, or both.
Section 66C:
This provision prohibits the fraudulent use of electronic signatures, passwords,
and any other feature that uniquely identifies a person. Phishers disguise
themselves and portray themselves as the true owners of the accounts and perform
fraudulent acts. It relates to identity theft by the phisher.
Section 66D:
This provision provides punishment for cheating by personation using
communication devices or computer resources. Fraudsters use URLs that link to a
fake website of a bank or organization and personate themselves as the bank or
financial institution.
All the provisions of the IT Act, 2000 that are relevant to phishing scams are,
however, made bailable under Section 77B of the IT Act (Amendment 2008).
Furthermore, under the Indian Penal Code, phishing may also attract liability for
Cheating (Section 415), Mischief (Section 425), Forgery (Section 464), and
Abetment (Section 107).
Case Law: National Association of Software and Service Companies v. Ajay Sood &
Others
In a landmark judgment in the case of National Association of Software and
Service Companies vs Ajay Sood & Others (119 (2005) DLT 596), delivered in
March 2005, the Delhi High Court declared 'phishing' on the internet to be an
illegal act, entailing an injunction and recovery of damages.
This case was one of the leading cases on phishing. The defendants operated a
head-hunting and recruitment agency. In NASSCOM's name, the defendants sent an
email to a third party to obtain personal data for headhunting. Damages of
Rs. 16 lakhs were awarded.
The judgment, authored by Justice P Nandrajog, stated that:
Internet has spawned novel and interesting methods to defraud individuals and
companies, 'Phishing' is a form of internet fraud. In a case of 'Phishing', a
person pretending to be a legitimate association such as a bank or an insurance
company in order to extract personal data from a user such as access codes,
passwords etc. which are then used to his own advantage, misrepresents on the
identity of the legitimate party. Typically 'Phishing' scams involve persons who
pretend to represent online banks and siphon cash from e-banking accounts after
conning consumers into handing over confidential banking details.
Conclusion
According to the findings of a global survey titled 'Phishing Insights 2021' by
Sophos, a cybersecurity company, around 83% of IT teams in Indian organizations
said the number of phishing emails targeting their employees increased during
2020. This finding not only shows the growing trend of phishing in India and
around the world but also alerts organizations and individuals to the need to
avoid falling prey to these attacks.
References:
- Lance James, "Phishing Exposed", Elsevier 2005
- https://blog.ipleaders.in/what-is-phishing-and-how-does-it-work/
- https://www.phishprotection.com/resources/history-of-phishing/
- https://www.cisco.com/c/en_in/products/security/email-security/what-is-phishing.html
- https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44
- Section 66 in The Information Technology Act, 2000 (Computer related offences): "If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both."
- Section 66C in The Information Technology Act, 2000 (Punishment for identity theft): "Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."
- Section 66D in The Information Technology Act, 2000 (Punishment for cheating by personation by using computer resource): "Whoever, by means of any communication device or computer resource cheats by personating, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."
- Section 77B in The Information Technology Act, 2000 (Offences with three years imprisonment to be bailable): "Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), the offence punishable with imprisonment of three years and above shall be cognizable and the offence punishable with imprisonment of three years shall be bailable."
- http://www.indiancybersecurity.com/case_study_nasscom_ajay_sood.php
- https://www.livemint.com/news/india/83-organizations-in-india-saw-rise-in-phishing-attacks-during-pandemic-11632119876206.html