Digital Technology has become an integral part of our daily lives. It is unimaginable to separate digital platforms and interfaces from our daily routine. With the advent of next gen mobile technology innovations for the betterment of our lives, we have the world literally at our fingertips. Technology is changing how we live in the digital and connected world. With these developments the criminals have also become Hi-Tech. Phishing in the cyber world has become bolder, organized and sophisticated from what it was a decade ago. In this article, we discuss on Phishing, its types and variations (including UPI Fraud, Online Job Scams, Online Lottery Scams, Bank KYC and Insurance Scams, Nigerian 419 Scams), how to avoid phishing scams and the legal remedies available for victims of phishing (and UPI Fraud) scams in India.
What is Phishing?
Phishing in the virtual world refers to the attempt to defraud individuals by disguising as a trusted entity. Targets are lured through any of the online communication medium like email, websites, mobile calls, text messages and social media. The intention is to extract sensitive details that includes personally identifiable information (PII), financial details – credit cards and banking information along with account passwords. The primary objective is identity theft and financial gain through the extracted information.
Phishing is the online equivalent of the offence of cheating by personation and often involves forgery.
What are different types of Phishing methods?
Phishing scams use spoofing techniques to entice the users to accept the bait offered. There are various types of phishing techniques, most prevalent are as following:
Email Spoofing or Deceptive Phishing
Email Spoofing involves masquerading the sender identity through forgery in the email header so that the recipient believes it to be from a legitimate trusted source (individual or company). The correspondence resembles a genuine and forthright communication which at the first glance, and in the absence of specific checks by the recipient, does not raise any eyebrows.
Examples:
Nigerian Scams or 419 Scams or Advance Fee Scams– sender pretending to be a senior government official typically offers huge sum of money, in lieu of assistance in financial transfer. The recipient is encouraged to send the personal financial details along with money in installments to facilitate the transfer of large sum of money out of Nigeria (or any other country). The name of this scam has been derived from the section 419 of the Nigerian Penal Code. Millions of Dollars are swindled every year through this notorious scam.
Advance fee scams have multiple variations in the narrative presented to the recipient. It can be an advance fee that is a pre-requisite to claim large winnings from a lottery, a jackpot prize or a person seeking to donate millions in charity through your assistance. Sender needs custom fees, processing fees or taxes from you upfront before you can receive the astronomical amount in your account.
Business Email Compromise (BEC)
A form of Email Spoofing that specifically targets Companies and Government Entities involved in payments to suppliers through wire transfers. The criminals send a message that appears from a legitimate partner or supplier contact. The request seems genuine as there is a history of regular correspondence with the supplier. It is realized only at a later stage that the message was fake, after the financial loss has happened.
Examples:
A recent example of BEC Email Spoofing has been the swindling of INR 60,00,000 (6 Million Indian Rupees) from a leading online beauty and wellness retailer Nykaa in India. As reported in Mumbai Mirror, the fraudsters spoofed the email ID of an Italian Supplier and asked the retailer to make payment for a consignment to a different bank account. Only upon inquiry by the supplier regarding the pending payment, it was realized that the email was spoofed and the company had been defrauded. An FIR has been registered under the provisions of IPC and IT Act.
Spear Phishing
Spear Phishing is another form of phishing that targets specific individuals. Victim profiles and posts are researched on social media sites and internal networks (through malware). The message is customized and typically involves information about the recipient’s name, designation and personal details. That is done to infuse confidence regarding the authenticity of the message. The targets are tricked to click on malicious attachments or URLs provided in the email message body.
Examples:
“Urgent” Messages in your inbox that include credible information about you and could be related to your tax return refunds, bank accounts or credit cards. Only upon a closer look at the content and header information you will realize the email is spoofed and is not legitimate.
Whaling
Whaling attacks target Senior Executives at the CXO level. The modus operandi is similar to spear phishing – attackers research the profile to be targeted and send a customized message to trick the victim. As CXOs are privy to higher degree of confidential information, the return in Whaling attacks is substantially higher than spear phishing.
Vishing
Voice Phishing or Vishing or Phone Scams is a step forward from the Email phishing scams. This is a bolder form of phishing wherein the targets are called on their phones and are lured into the scam. The scammers spoof a legitimate number pretending to be from a trusted agency to trick the individuals into the scam. This is most prevalent form of phishing scam to extract financial details and swindle money from the accounts.
Examples:
This includes UPI Payment Scams, Insurance Call Scams, Bank KYC Update scams, Income Tax Refund Scams, Remote Access of Mobile Scams among others.
IRS Phone Scams have been a cause of great concern for the US Federal agencies. Gullible Senior Citizens or Immigrants are targeted and victimized through phone calls with scammers impersonating as IRS officers and threatening legal action for tax evasion. In a major crackdown, coordinated effort with US Federal agencies and Indian agencies have led to busting of bogus call centers indulged in committing Vishing frauds. Read the reports here and here.
UPI Payments Fraud
UPI or the Unified Payment Interface created by National Payments Corporation of India (NPCI) is a digital payment platform that facilitates real time cashless funds transfer between two bank accounts via mobile phones and is regulated by the Reserve Bank of India.
Leveraging the digital technology for making instant fund transfer through mobile phones is a major leap in the direction of achieving cashless economy. However, with the increased usage of the platform, scammers have devised new phishing techniques to dupe users of their money.
For UPI transaction all you need is a UPI ID and a UPI PIN. The transactions can be initiated two ways – you can initiate a ‘send money’ transaction as well as a ‘receive money’ transaction.
Some common scams involving UPI platform are:
‘Request money’ or ‘Collect money’ links:
This is a common form of UPI fraud that is widely reported in India nowadays. The scam typically involves the following steps (with some variations):
Step 1. Scammer disguised as a genuine buyer contacts the user who wants to sell goods online.
Step 2. Showing keen interest in purchasing the item, scammer would inquire the UPI ID details for making the payment or an advance for booking.
Step 3. Instead of sending funds to the UPI ID, scammer will instead send a ‘receive money’ request of the like amount that was negotiated with the seller (user)
Step 4. Scammer would call the user stating that the funds have been sent and request the user to accept the request on his phone. Unsuspecting user not aware of the fact that he is in fact accepting to ‘Pay’ the scammer, accepts the payment request and loses money from account.
Fake or Malicious URLs
Fraudsters send unauthorized payment links through text messages or social media platforms. QR codes that point to such fake links are also shared through social media platforms or direct messages. The fake links are replica of the genuine URLs and may have a similar name with a slight variation that is difficult to notice at the first glance. For a user who has the UPI payment application installed on his phone, these links will direct the user to accept an ‘Auto Debit’ for the application. If the user permits, the amount gets debited from the account.
Remote screen access applications
Impersonating as customer support executives from your bank, for the purpose of any query resolution the scammers will ask users to download and install 3rd party applications for account verification. These applications provide remote access to user’s mobile and the scammers can extract the financial details from the device.
Fake UPI Handles/IDs
Fake UPI IDs have been created in the name of PM Citizen Assistance and Relief and other institutions asking for donations during the COVID pandemic.
UPI Vishing
Apart from these, there is traditional vishing technique wherein the scammers call the users while posing as a bank representative and request for personal and financial details including the UPI ID and PIN. Calls can be for KYC verification process, Loan Moratorium or any other prevailing activity being done by the banks.
Smishing
SMS Phishing or Smishing method leverages the text message mode of communication to lure gullible individuals into the scam. Malicious URLs are often sent along with the messages with spoofed SMS Sender ID. Individuals are informed of huge financial gains through lottery or a jackpot prize along with a request to clear registration payment to claim the big prize money.
Example:
Text Message with your name announcing winning of a jackpot along with malicious link concealed in tiny URL.
Pharming or Website Spoofing
A more sophisticated form and involves finer technical dexterity, this method targets the Domain Name System server (DNS poisoning) or the user’s computer (local host) and redirects the intended website request to a malicious fake website that is a replica of the original website. In this case, neither the users are contacted nor there is any solicitation or enticement through any of the communication modes rather the users are defrauded with presenting of a fake website when they were intending to open a genuine website in their browsers.
Example:
Home Page, Login or Landing Page of a Bank Website is a typical target for Pharming Scammers. Login credentials of users are captured for swindling money.
Angler Phishing
A relatively newer method wherein the individuals are targeted over social media and other platforms through masquerading of the legitimate customer service accounts of organizations. The scammers trick the individuals to divulge their sensitive personal details under the disguise of being customer service team.
What are the common features among most Email, Message and Phone Phishing Scams?
Some of the most common features among most of the Email, SMS and Phone Phishing scams are:
- Masquerading or disguise of a Trusted Entity
In most cases the sender, taking benefit from the nuances of the virtual world, disguises under the identity of a trusted source. The objective is to instill trust and gain confidence of the recipient in taking the next step of acknowledging and exchanging further communication. Impersonation could be through a spoofed email address of your bank, your insurance provider, vendors and suppliers that organizations have been working with or a self-proclaimed person of influence (like in 419 scams).
- Extremely Lucrative or attention catching offers
Scammers exploit emotions of the recipient. The entire narrative is woven in such a manner so as to instigate emotions of Fear, Obligation and Greed that are common traits in human psychology. These scams are thus also called as Social Engineering scams.
The offers that scammers present are too good to be true, something that you do not want to miss. These offers generate curiosity in human mind and the gullible individuals want to check and take the next step.
- Request for Personal and Financial Details
Almost all phishing scams as their primary objective seek to obtain personal and financial details of susceptible individuals. This can include name, address, phone number, social security details, bank account information, insurance information etc.
- Request for advance payment or registration fees
Scammers’ entire effort in establishing the communication and gaining your trust is focused to accomplish their main goal – extract money from you. It could be a request for advance fee, custom fee, tax fee, registration fee or assistance fee among others. This fee will often be a fraction of what you are presumably getting in return from them!
- Sense of Urgency
Phishing communication will show a sense of urgency. It could be a last chance to get the specific deal, an expiring offer, a time bound lottery or prize money, penalty or prosecution threat etc.
- Attachments or Hyperlinks
Phishing scam messages often contain attachments and hyperlinks that may contain malicious software including ransomware or viruses.
How can phishing scams be prevented?
Phishing attacks cannot be eliminated but can be prevented to a great extent. This can be briefly categorized under two heads:
- User Awareness – The most effective way to avoid any phishing scam is ‘User Awareness’. Organizations and Individuals need to be aware of the threats that all virtual modes of communication pose in today’s world. Education on how to detect phishing messages by scanning through the email message content along with header information and identifying malicious links, detecting fake phone calls is the best line of defense in avoiding phishing attacks.
- Adoption of Cyber Security Technologies – Apart from education, the second most important factor is web, network and email security technology adoption – this includes up to date antivirus, antimalware software, spam filters, URL filters, access control, two factor authentication, SSL/TLS encryption, email technologies like DMARC among other threat intelligence software options.
What is the Legal Recourse to victims of Phishing Scams in India?
Immediate Steps to take in case you become a victim of any Phishing or UPI Payment Fraud
In case you have become a victim of any phishing or UPI payment fraud, following are the immediate steps that you should take:
- Immediately contact your bank and request to block the compromised UPI ID/Credit or Debit Cards and any future transactions associated with the account
- Dispute the transaction with your Bank/Payment Wallet or the UPI Service Provider (in case of UPI fraud)
- In consultation with a cyber-law expert, file a complaint along with all the necessary particulars to your local police Cyber Cell to register an FIR. Alternatively, a complaint can be lodged at the National Cyber Crime Reporting Portal created by the Government of India as an initiative to tackle the menace of cyber crimes with special focus on cyber crimes against women and children. The complaint will be forwarded to the concerned Cyber Cell/Law Enforcement Agencies for further action.
- On the advice of a cyber-law expert, gather the key evidence required including the digital evidence from your device and present to cyber cell for assistance in the investigation
Legal provisions dealing with phishing and UPI Fraud offences in India
Most of the phishing attacks involve Identity theft, cheating and forgery as the main offences. The specific offences of online identity theft and cheating by personation using a computer resource are covered under the Information Technology Act, 2000. Based on the facts of the case, Phishing cybercrime may also attract the provision under Sec. 420 of the IPC for cheating and dishonestly inducing delivery of valuable property and Sec. 463/468 of the IPC for forgery of the electronic record, if applicable.
Information Technology Act, 2000
66C. Punishment for identity theft. –Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
66D. Punishment for cheating by personation by using computer resource.– Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
Indian Penal Code, 1860
420. Cheating and dishonestly inducing delivery of property. —Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable 103 of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.
463. Forgery. — [Whoever makes any false document or false electronic record or part of a document or electronic record, with intent to cause damage or injury], to the public or to any person, or to support any claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud or that fraud may be committed, commits forgery.
468. Forgery for purpose of cheating. —Whoever commits forgery, intending that the [document or electronic record forged] shall be used for the purpose of cheating, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.
Conclusion
Technology has changed the way we live in this digital and connected world. Unfortunately, while we reap the benefits of the innovations in the cyber world, we are still at a nascent stage when it comes to adopting high end cyber security to safeguard our personal and financial interests against phishing and cyber frauds. Imagine an upscale house with no locks at the door! That is how some of us treat cyber security. A mobile phone with sensitive personal data that has been compromised by a scammer can cause great damage to an individual today than anyone could have imagined a decade ago.
The need of the hour is to impart security and legal awareness among the individuals so that they can avoid this pitfall. Also, the laws need to keep pace with the next gen tech innovations that are inundating the cyber world. We have come a long way from the inception of the Information Technology Act in the year 2000. There are effective redressal mechanisms available for cyber frauds, the need is to make the citizens aware of such legal remedies for effectively resolving their issues. The available legal remedies, if enforced properly, ensure that the cyber fraud perpetrators are brought to justice and victim’s loss is compensated.