
Phishing As a Telecommunication-Driven Cybercrime and Its Legal Regulation in India.

Law Jurist by Law Jurist
2 April 2026

Author: Joshua Sajan George, LL.M. (Cyber Law & Cyber Security), Amity University, Noida

ABSTRACT

Phishing is one of the most common cybercrimes today. It is defined as “the art of pretending to be a trustworthy person in order to trick people into giving up private information through electronic communication.” As the number of mobile phone users in India has grown to over 1.17 billion, alongside the number of internet users and the cyber legal framework, phishing has grown as well. Legal measures have progressed from foundational provisions aimed at elementary email scams to provisions that address more evolved types such as smishing and vishing, as reflected in legislative enactments such as the Information Technology Act, 2000; the Indian Penal Code, 1860; and emerging regulations such as the Digital Personal Data Protection Act, 2023. This research examines phishing as a cybercrime in telecommunications and presents an argument for the implementation of international comparative norms, regulations, and judicial precedents in India.

KEYWORDS: Phishing, Cybercrime, Information Technology Act, Smishing, Vishing, Data Protection, TRAI, CERT-In, India

I. INTRODUCTION

The citizens of Ujjain woke up to the bitter reality that hundreds of bank account holders had been duped by phishing. The phishing had been carried out through a series of SMSs that imitated some of the biggest public sector banks operating in India. These SMSs requested account holders to update their KYC information by clicking on the link provided. The link, however, did not direct account holders to their intended destination. Within mere hours, lakhs of rupees had been transferred from the accounts. The importance of the incident does not lie in the amount of money transferred, but in the mechanism by which it was transferred. It is an example of the anatomy of phishing: it does not involve the use of sophisticated equipment, but the exploitation of digital communication. This is an infrastructure that India has developed with great ambition and speed. Today, India boasts one of the biggest telecommunications infrastructures in the world, with over 1.17 billion subscribers and internet penetration touching every corner of the country. While this has had a positive effect on the lives of citizens, it has also created an expansive attack surface that is prone to cybercrime. Phishing, by its very definition, is an act of cybercrime that exploits telecommunications; it cannot occur without it. The regulatory environment with respect to phishing in India is incremental. The Information Technology Act, 2000, amended in 2008, contains provisions that partially address the issue. The Indian Penal Code, 1860, contains some provisions that address the issue. Regulators, including the RBI and TRAI, have issued directives that address the issue. The key question addressed in this article is whether this multi-layered structure is adequate or merely an incremental structure that cybercriminals have learned to exploit.

II. UNDERSTANDING PHISHING: ANATOMY AND TYPOLOGY

A. What is phishing?

Phishing is a social engineering attack that relies on the technique of impersonation. An attacker takes on the disguise of a trusted entity, a bank, a government, a courier service, or even a friend, and uses this disguise to trick victims into revealing sensitive information. According to the Anti-Phishing Working Group, there were more than 4.9 million phishing attacks globally in 2023. Financial services and social media were the most frequently attacked industries. What sets phishing apart as a telecommunication-driven attack is the way it is conducted. Unlike traditional fraud, which relies on proximity or complex letter-writing techniques, phishing relies on electronic communication. Phishing emails, SMS, voice calls, IM, and social media have become common channels for phishing. Each of these channels presents a different set of vulnerabilities and has spawned a different type of phishing.

B. Variants of Phishing Relevant To India

The most common types of phishing prevalent in the context of India are as follows:

Smishing (SMS phishing): This is the most common type of phishing in India, owing to the high percentage of mobile users in the country, even in rural areas. Phishing by Short Message Service using the names of TRAI, SBI, India Post, or UIDAI has resulted in millions of victims. According to the CERT-In report issued in 2023, there has been an increase in the number of smishing cases targeting people receiving government benefits.

Vishing (voice phishing): This is where the attackers assume the roles of bank employees, insurance agents, and government workers. Vishing has become much more complex. Some cybercriminals use AI to clone voices to make themselves sound more like real people. This makes me very worried about the standards used to gather evidence in criminal trials.

Spear phishing: This is where cybercriminals target specific people or entities using information they have collected from social media or from data breaches. The common aims are corporate espionage, password stealing, or ransomware.

Pharming and clone phishing: Both pharming and clone phishing are ways of tricking you with phishing: they alter the DNS (which tells your computer where to go on the internet) and send you to a copycat website that looks exactly like the legitimate one, and you don’t even realize it’s happening. Banks and their customers are common targets for these, and also for smishing. The Reserve Bank of India’s (RBI) Annual Report says that the number of complaints about digital fraud, such as phishing, has gone up a lot. So, a lot of people who use banks have lost money.

III. THE LEGAL FRAMEWORK: AN ARCHITECTURE WITH MANY LAYERS

A. The Information Technology Act of 2000

In India, the Information Technology Act is the main law that deals with cybercrimes. Section 43 of this Act deals with access to computer systems without permission. Section 66 deals with computer-related offences. The maximum punishment for these crimes is three years in prison and a fine. The 2008 Amendment added Sections 66C and 66D, which are the most important provisions for phishing attacks. Section 66C says that “identity theft,” which is when someone uses another person’s unique identification feature in a dishonest way, is punishable by three years in jail and a fine of one lakh rupees. Section 66D punishes “cheating by impersonating someone else using computer resources,” which also carries a jail term and a fine. These sections matter for phishing because the attacker pretends to be someone else (Section 66D) and then uses the victim’s credentials (Section 66C) once the attack is successful. They are the main provisions used against phishing, even though their definitions are limited. Commentators have said that the Act’s anti-phishing provisions don’t cover the social engineering part of phishing attacks.

Section 69A of the Act gives the government the power to block online content. This has been used to shut down phishing sites, but people are worried about how fast and open the process is. Section 70B of the Act says that CERT-In is the national nodal agency for handling cyber security incidents, such as phishing attacks. CERT-In’s rules say that all cybersecurity incidents must be reported right away, even phishing attacks on important infrastructure. April 2022 was the start date for these rules.

B. The 1860 Indian Penal Code

Phishing offences are still governed by the IPC, which contains provisions for offences such as deceiving someone into giving you valuable items (Section 420) and cheating by pretending to be someone else (Section 419). These provisions are used alongside parts of the Information Technology Act. It is best to file a case using both Section 66D of the Information Technology Act and Section 420 of the IPC when there is financial fraud in phishing. This is because Section 420 has already been applied in court cases and carries a heavier penalty.

Also, Sections 463 (forgery), 468 (forgery for the purpose of cheating), and 471 (using as genuine any document known to be forged) can be used when phishing schemes make fake documents or fake websites. These laws are an attempt to connect old case law about fraud with fraud that happens online. To do this well, judges need to know how to use these laws, which is still a work in progress.

C. Sector-Specific Regulatory Interventions

In addition to the IPC and IT Act, a number of sectoral authorities have improved their regulatory efforts. For instance, the Telecom Regulatory Authority of India (TRAI) developed the Telecom Commercial Communications Customer Preference Regulations in 2018, which have since undergone some modifications. For all commercial SMS communications, these regulations now mandate the use of a Distributed Ledger Technology (DLT) platform, including the registration of message templates and headers.

The intent behind this regulation is to curb the proliferation of smishing attacks by making it harder for malicious actors to send bulk messages using valid sender IDs. Though the implementation is not perfect and has many loopholes, the DLT platform is a structurally sound attempt to regulate the telecommunications channel through which the attackers spread their malware.

The Reserve Bank of India’s Master Direction on Digital Payment Security Controls, 2021, requires banks to have multifactor authentication, customer awareness, and reporting. Though this is not aimed at attackers, it places responsibilities on banks that reduce the overall damage caused by phishing. It also delineates responsibilities more clearly in case of non-compliance.

The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, require due diligence from significant social media intermediaries and digital platforms. This includes the expeditious removal of unlawful content. Phishing websites and fraudulent content on digital platforms would be governed under this, but the implementation has been uneven.

IV. THE JUDICIAL LANDSCAPE: HOW COURTS HAVE RESPONDED

The Delhi High Court said that phishing is a type of “passing off” in the civil arena in the case of Nasscom v. Ajay Sood & Ors. It said that using a company’s name to trick people into giving up private information was wrong. Even though this was a civil court decision, it was the first time that phishing was looked at in an Indian court and found to be against the law. The reasoning in this decision, which said that phishing was bad for both the person and the business whose name was being used, has since become a topic of discussion.

In the case of Syed Asifuddin & Ors. v. State of Andhra Pradesh, the Andhra Pradesh High Court investigated the use of electronic records to deceive users, which is similar to phishing. It said that Section 65 of the IT Act, which deals with modifying computer source documents, would cover this. This makes the meaning of this provision broader than what the words literally mean.

Although the Supreme Court’s ruling in the case of State of Maharashtra v. Dr. Praful B. Desai didn’t have anything to do with cybercrimes, it was important because it set rules for what electronic evidence can be used in court, which is important for phishing cases. The biggest problem in phishing cases, according to the Supreme Court, has been that electronic evidence has not been well certified.

The Supreme Court’s judgment in the case of Shreya Singhal v. Union of India mainly concerned whether Section 66A of the Information Technology Act is constitutional. Even though the Supreme Court in its judgment in State of Maharashtra v. Dr. Praful B. Desai made some pronouncements on free speech, there is some connection to the balance in the law between free speech and cybercrime, particularly in the context of Section 69A of the Information Technology Act, which prohibits information on phishing.

The trial courts and sessions courts have been handling phishing cases, which are charged under both the IT Act and the IPC. The courts are more comfortable with digital evidence now. But it’s worrying that there aren’t many convictions, which is partly because police in different states don’t get enough training in digital forensics.

V. RELEVANCE TODAY: THE CHANGING THREAT LANDSCAPE

Phishing is still a big problem for the law and the government in India, and there have been several important developments lately.

First, the COVID-19 pandemic has caused India to go digital quickly, creating a population of millions of first-time internet users who don’t know how to spot internet fraud because they are unfamiliar with the internet. This group of people has become the main target for phishing. Phishing is one way that people steal money, and it is still the most common type of cybercrime.

Second, Unified Payments Interface (UPI) transactions in India are growing very quickly (PTI says there will be more than 100 billion UPI transactions in 2023). This has made phishing for payment information a very high-end crime. Phishers have come up with very advanced ways to trick people, like QR code phishing and UPI handle spoofing.

Third, and most worrying, AI-assisted phishing, which uses AI to write phishing emails in the correct grammar of different Indian languages, takes away one way that even tech-savvy people can tell if someone is trying to phish them (bad grammar). Vishing attacks that use AI to copy voices are also very scary because they can sound like people or groups that the victim knows.

Fourth, the DPDP Act of 2023, which was passed not too long ago, is setting new rules for people who work with data. These rules will help stop data breaches that could lead to phishing. The DPDPA’s main goal is to protect data, not to stop cybercrime. However, it does add another level of responsibility that can be important for phishing attacks where a regulated entity’s data is stolen and used to get the victim’s information.

Fifth, TRAI’s ongoing consultation on the regulatory framework for OTT communication services is important from a phishing regulation point of view because a large and growing number of phishing attacks happen on WhatsApp, Telegram, and other similar platforms that are not covered by TRAI’s current rules.

VI. CRITICAL GAPS IN INDIA’S REGULATORY ARCHITECTURE

Even with the frameworks that have been discussed in the previous sections, there are still large gaps in the law.

The first of these is that there is no law that states phishing is illegal. The IT Act, the IPC, and other laws in India address different types of crimes, such as social engineering attacks and the use of trusted identities in the commission of crime. The accuracy of the law and the penalty in relation to it would be improved if there were a law against phishing, as is exemplified in the Computer Fraud and Abuse Act in the United States and the Phishing Act in Australia, which might even reduce the incidence of the crime in India.

Second, there is a large jurisdictional gap in the laws in India. Phishing attacks on India come from infrastructure in other countries, and the people in charge of the attack infrastructure may not be able to help India legally because they are in different jurisdictions. India’s own laws don’t do a good job of dealing with the issue of extra-territoriality, and the country hasn’t signed the Budapest Convention on Cybercrime, which is the best set of rules for countries to work together on cybercrime investigations. This creates a gap that advanced phishing schemes will exploit to circumvent India’s laws by locating cybercrime infrastructure outside the country.

Third, there aren’t enough good ways to pay back people who have been hurt by phishing schemes. If someone falls for a phishing scheme and loses money, they have to go through a long and annoying process to get their bank to fix the problem. The RBI’s Banking Ombudsman scheme is how this is done, but it doesn’t work very well. The Parliamentary Standing Committee on Finance’s 2023 report says that there is no separate fund for victims of cyber crime in India.

Fourth, there is always a part of the phishing prevention plan that teaches people how to use technology properly, and this is always left out. CERT-In and the RBI are telling people about the dangers of phishing scams, but there is no requirement for telecom companies and internet service providers to do the same. Their networks are the ones that carry phishing to people, so they need to reach users when they are most vulnerable.

VII. THE ROAD AHEAD: RECOMMENDATIONS AND FUTURE DIRECTIONS

To solve the phishing problem in India, we need to work on a lot of different things at the same time.

The most important thing that needs to happen is for lawmakers to act. The Information Technology Act would need to include a section on phishing that covers social engineering, raises penalties for attacks on critical infrastructure or vulnerable groups, and gives the law more power in cases where Indian people or businesses are attacked from other countries. India’s stance on the Budapest Convention has to be reassessed. The provisions on mutual legal assistance would be highly useful, and these provisions are more significant than any questions of sovereignty that have prevented any country from becoming a party to this treaty.

There is a need to improve coordination in the government. For instance, phishing is an area where MeitY, the MHA through I4C, TRAI, RBI, and SEBI all need to work together, yet each has its own data silos. A single national task force to deal with anti-phishing problems will make the approach to dealing with phishing much more effective.

Regulators also need to work better with telecom service providers and digital platforms. The distributed ledger technology framework has shown that regulatory intervention in the communication pipeline can be effective in dealing with phishing messages. Telecom service providers and digital platforms need to be subject to similar regulatory actions, such as requiring them to use AI-based phishing detection tools in the SMS gateway, caller ID authentication, and flagging of suspicious URLs. These actions can be taken by TRAI and the upcoming DPDPA enforcement regime.

In addition, there is a need to increase capacity in the courts. Digital forensics and procedure training programs should be made mandatory for judges and prosecutors rather than optional. Continuous non-compliance with Section 65B in prosecutions involving electronic evidence is indicative of a situation that cannot be addressed through the law.

The importance of digital literacy, including the ability to not only understand the issue of phishing but also to effectively resist it, is arguably the most effective anti-phishing intervention available. The Indian school system, the Jan Dhan initiative for financial inclusion, and the Common Service Centres network are underutilized avenues for the promotion of digital literacy in cybercrime. The law provides the basis upon which the regulatory intervention must function; education is what makes the law operable in practice.

VIII. CONCLUSION

Phishing, therefore, is an integral part of cybercrime, not an ancillary part. It is, in many ways, the cybercrime that most directly threatens the prospects of India’s digital economy. Trust is at the heart of every digital communication, every digital transaction, every digital service, from banking to healthcare, from welfare to commerce. Phishing, by definition, attacks that heart. When a farmer in Rajasthan loses his insurance money to phishing using the PMFBY message, or a senior citizen in Chennai loses his pension savings to vishing, it’s not just money that is lost; it’s trust that is lost, and it is lost in the very digital communication system in which the country is committed to investing.

In the last twenty years or so, the laws and rules for stopping and investigating phishing have changed a lot. They started out as very few under the original Information Technology Act and have grown into a very complicated system. It is a structure that depends on rules from the Information Technology Act, the IPC, TRAI’s Distributed Ledger Technology framework, the RBI’s digital security directions, and CERT-In’s incident response directions. The courts have also broadened the law over the years. There is still a lot to do, though, especially when it comes to having specific rules, working together internationally, compensating the victim, and coordinating between different authorities. So, to come up with a solution, we need to think of phishing not just as a problem that technology can fix, or as a problem that law and law enforcement can fix, but as a problem that comes from the intersection of telecommunications, law, education, and institutional design. It is one that the country can handle.
