In computing, phishing is a form of social engineering, characterized by
attempts to fraudulently acquire sensitive information, such as passwords and
credit card details, by masquerading as a trustworthy person or business in an
apparently official electronic communication, such as an e-mail or an instant
The purpose behind phishing is to lure personal information and steal the user's
identity, critical passwords, robbing bank accounts and consequently taking over
the computer to perform an activity that may not be legal. The term phishing and
its concept can be traced back to the 90s through America Online (AOL). A group
of hackers called themselves as warez community and impersonated as AOL
employees. This group is also known as the first "phishers." They collected
login credentials and personal information from AOL users.
Phishing attacks are the practice of sending fraudulent communications that
appear to come from a reputable source. It is usually done through email. The
goal is to steal sensitive data like credit card and login information, or to
install malware on the victim's machine.
Phishing is an attack that attempts to steal your money, or your identity, by
getting you to reveal personal information -- such as credit card numbers, bank
information, or passwords -- on websites that pretend to be legitimate.
How does Phishing work?
In phishing a victim is first lured using a fraudulent email or other
communication method The message is made to look as though it comes from a
trusted sender. If it fools the victim, he or she is coaxed into providing
confidential information, often on a scam website. Sometimes malware is also
downloaded onto the target's computer.
Types of phishing attacks
The most common type of phishing. In this case, attacker attempts to obtain
confidential information from the victims. Attackers use the information to
steal money or to launch other attacks. Common example is a fake email from a
bank asking you to click a link and verify your account details..
It targets specific individuals instead of a wide group of people. Attackers
often research their victims on social media and other sites.They can customize
their communications and appear more authentic. Spear phishing is often the
first step used to penetrate a company's defenses and carry out a targeted
Attackers go after a "big fish" example- CEO or president of a company. These
attackers often spend considerable time profiling the target to find the
opportune moment and means of stealing login credentials. Whaling is of
particular concern because high-level executives are able to access a great deal
of company information.
Similar to phishing, pharming sends users to a fraudulent website that appears
to be legitimate. However, in this case, victims do not even have to click a
malicious link to be taken to the bogus site. Attackers can infect either the
user's computer or the website's DNS server and redirect the user to a fake site
even if the correct URL is typed in.
California became the first state in the USA to pass an anti phishing law:
Anti-Phishing Act of 2005. The act further states victims of phishing in
California are entitled to relief under the act to the greater of either the
actual cost of the damages they have suffered or $500,000.
California's Anti-Phishing Act of 2005. Define phishing as:
It shall be unlawful for any person, by means of a Web page, electronic mail
message, or otherwise through use of the Internet, to solicit, request, or take
any action to induce another person to provide identifying information by
representing itself to be a business without the authority or approval of the
In India, Phishing is a fraud that is recognized as cybercrime and attracts many
penal provisions of the Information Technology Act, 2000 (hereinafter referred
to as 'IT Act').
Following sections of the IT Act apply to phishing:
Section 43: If any person without the permission of the owner of the computer,
computer system, computer network; accesses, downloads, introduces, disrupts,
denies, or provides any assistance to other people can be held liable under this
Section 66: This section provides for punishment if the accounts of a victim are
compromised by the phisher, who does any act mentioned in Section 43 of the IT
act, shall be imprisoned for a term which may exceed up to three years or with a
fine which may exceed up to five lakh rupees or both.
Section 66C: This provision prohibits the use of electronic signatures,
passwords, and any other feature which is a unique identification of a person. Phishers disguise and portray themselves as the true owners of the accounts and
perform fraudulent acts.It is related to Identity Theft by phisher.
Section 66D: The provision provides punishment for cheating by personating using
communication devices or computer sources. Fraudsters use URLs that contain the
link for a fake website of banks and organizations and personate themselves as
the bank or the financial institution.
All the provisions of the IT Act, 2000 which are relevant to the phishing scams
are however made bailable under Section 77B of the IT Act (Amendments 2008).
Furthermore, as per the Indian Penal Code, Phishing can also be held liable
under Cheating (Section 415), Mischief (Section 425), Forgery (Section 464), and
Abetment (Section 107).
Case Law: National Association of Software and Service Companies v. Ajay Sood &
In a landmark judgment in the case of National Association of Software and
Service Companies vs Ajay Sood & Others, (119 (2005) DLT 596) delivered in
March, 2005, the Delhi High Court declared `phishing' on the internet to be an
illegal act, entailing an injunction and recovery of damages.
This case was one of the leading cases of phishing. Herein an agency
head-hunting and recruitment were operated by the defendants. Defendants in
NASSCOM'S name sent an email to a third party to obtain personal data for
headhunting. Held damages of Rs.16 lakhs were made.
The judgment authored by Justice P Nandrajog stated that:
Internet has spawned novel and interesting methods to defraud individuals and
companies, 'Phishing' is a form of internet fraud. In a case of 'Phishing', a
person pretending to be a legitimate association such as a bank or an insurance
company in order to extract personal data from a user such as access codes,
passwords etc. which are then used to his own advantage, misrepresents on the
identity of the legitimate party. Typically 'Phishing' scams involve persons who
pretent to represent online banks and siphon cash from e-banking accounts after
conning consumers into handing over confidential banking details .
According to the findings of a global survey titled 'Phishing Insights 2021' by
Sophos, a cybersecurity company. Around 83% of IT teams in Indian organizations
said the number of phishing emails targeting their employees increased during
2020. This finding not only shows the growing trend of phishing in india and
around the world but also alerts the organizations and individuals on need to
prevent falling prey to these attacks
- Lance James, "Phishing Exposed", Elsevier 2005
- Section 66 in The Information Technology Act, 2000- Computer related offences.
-If any person, dishonestly or fraudulently, does any act referred to in section
43, he shall be punishable with imprisonment for a term which may extend to
three years or with fine which may extend to five lakh rupees or with both
Section 66C in The Information Technology Act, 2000- Punishment for identity
theft. -Whoever, fraudulently or dishonestly make use of the electronic
signature, password or any other unique identification feature of any other
person, shall be punished with imprisonment of either description for a term
which may extend to three years and shall also be liable to fine with may extend
to rupees one lakh.
Section 66D in The Information Technology Act, 2000- Punishment for cheating by
personation by using computer resource. -Whoever, by means for any communication
device or computer resource cheats by personating, shall be punished with
imprisonment of either description for a term which may extend to three years
and shall also be liable to fine which may extend to one lakh rupees.
77B. Offences with three years imprisonment to be bailable.--Notwithstanding
anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), the
offence punishable with imprisonment of three years and above shall be
cognizable and the offence punishable with imprisonment of three years shall be