By Nikhil Issar on 9 April, 2020
COVID-19 has brought the world to a stand-still. It is rightly being called “infodemic” due to the efflux of related (mis)information on the internet. Since January 2020, 16,000 coronavirus-related domains have been registered, with over 6,000 new domains registered last week1. There is widespread fear and panic caused by high incidences of viral fake news and constant media coverage. With organizations transitioning to compulsory work-from-home models, corporate networks and data are being accessed through not-so-secured means at the risk of unauthorized access and use. Despite deployment of effective VPNs and firewall technology, no measure can account for the weakest link in a security chain i.e., the people who use, administer and operate computer systems. This atmosphere is conducive for cybercriminals to exploit human fear and ‘phish’ for personal information. The objective is either to gain access to a computer system and its data, or defraud a person of their assets. In these desperate times, phishing e-mails have spiked by over 600%, and old malwares are getting a novel COVID-makeover for attacking curious, fearful, or empathetic humans.2 Therefore, it will not be an exaggeration to state that cybersecurity risks are at an all-time high.
This blog seeks to examine types of coronavirus related phishing scams, review applicable Indian laws, examine practicality of legal response, affix liability and enlist best practices to be followed by individuals and corporates.
1. Identifying phishing hooks: Cybercriminals are using COVID-19 related click baits for infecting computers/mobiles with malware. Malwares can access e-mail, banking login credentials and credit card information. Apart from malwares, online scammers are claiming to sell cures, face-masks, as well as elicit investment in vaccine companies. The modus operandi is to obtain credit card details through any possible means, and thereafter, either trade the information on dark-web, or commit fraud. The top originator of COVID-19 spam is Vietnam, followed by USA, China, India and Russia.3 Illustratively, cybercriminals have adopted the following COVID-19 linked phishing techniques across a pandemic and paranoid globe:
• Free Netflix: E-mails offering “Free Netflix” for lock-down period are being circulated.4 To avail this offer, individuals have to click and fill a “survey” and forward it to 10 WhatsApp users. The users, who filled the survey, obviously did not get a free Netflix subscription, but ended up sharing their personal information with cybercriminals.
• COVID apps: Users are downloading COVID themed apps from links shared in social media, or e-mails. Such apps rarely pass through the strict scrutiny of legitimate app stores such as Google Play Store. In fact, Google Play Store has a “sensitive events” policy which prohibits app developers from capitalizing on natural calamities like the COVID-19 pandemic.5 Similar policy is observed by the iOS app store. Due to such policies, only government approved applications have been permitted to use “coronavirus” or any associated term in its app name. Therefore, as on date, no COVID-19 related malware app is available on Play Store. Nevertheless, COVID-19 themed apps are doing rounds on the internet. One such app, the “Coronavirus Finder”, claimed that on payment of a small fee, it would tell the location of the nearest coronavirus patient.6 The app collected credit card information for monetization, and did not actually charge the ostensibly small fee.
• Relief donations: Cybercriminals are luring individuals for donating in fraudulent COVID-19 relief funds. Hackers targeted the recently launched “PM-Cares” fund, by creating similar sounding UPI ID’s for receiving payments, such as pmcares@pnb and email@example.com
• Obtaining government relief: A UK scam capitalized on the worsening economic situation by circulating text messages to individuals offering a “goodwill payment” from the UK government. The goodwill payment was preconditioned on users providing their credit card information for verification by the ostensible “UK Government”. Needless to say, credit card details were monetized.8
• Impersonating organizations: E-mails purportedly from the UN and other international organizations are regular feature in phishing attacks. Recently, IBM Security discovered genuine looking e-mails purportedly from the World Health Organization, encouraging users to click on a link to know “WHO approved safety measures regarding spread of coronavirus”. On clicking the link, a malicious attachment was planted on the system.9
• Accessing health services or products: The US Justice Department initiated a civil complaint against a website “coronavirusmedicalkit.com”. The site claimed to offer consumers free World Health Organization’s vaccine kits only if the shipping charge of $4.95 is paid by credit card.10 In some instances, scammers purportedly sold COVID-19 test slots at real hospitals. The victims discovered the fraud when they later visited these hospitals for their non-existent appointments.
• Absurd scams: Digital fraudsters have been peddling “anti-virus” software claiming to cure coronavirus.11 The alleged anti-virus claimed “Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app.” If a user installed the anti-virus, his PC was enslaved as a bot and used for other nefarious activities.
2. Overview of available remedies in India: Phishing attacks and scams are not new in India. Indian laws provide remedies for the affected person and the subsequent paragraphs provide an overview:
• Information Technology Act, 2000: The aggrieved person can resort to civil and criminal remedies under the Information Technology Act, 2000 (IT Act). Section 43 provides penalty and compensation against cybercriminals for (a) accessing computer system, network or resource without consent, (b) introducing computer virus into a computer network, (c) disrupting a computer or a computer network, etc. While the cited provision allows compensation claims for phishing attacks resulting from installation of malware, it does not address the situation where an individual is simply coaxed to provide their personal or financial information. Such aggrieved user can nonetheless seek criminal prosecution against the online fraudsters under Section 66C of IT Act. It categorizes dishonest or fraudulent use of passwords or any unique identification as a criminal offence, and entails imprisonment of three years and/or a fine of INR 100,000. Further, offence may also be made out under section 66D of IT Act i.e., cheating by personation. Both the criminal penalty sections provide for cognizable offences i.e., the police can immediately lodge FIR for such offences and begin investigation.
• Reserve Bank of India regulations: The Reserve Bank of India states that liability for any unauthorized transaction which has resulted due to customer’s negligence will be borne by the customer until the time she reports the transaction to her bank.12 Any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank. “Phishing” attacks are by definition successful due to customer’s negligence. But, this is not an iron clad principle and specific facts will be taken into account. In IDBI Bank vs. Sudhir S. Dhupia,13 the Telecom Disputes Settlement and Appellate Tribunal held that IDBI Bank was liable for loss caused to its customer by a phishing attack, because the phishing e-mail was sent through a domain name which was actually registered with IDBI. Thus, if it can be reasonably proved that the loss has not been caused by the customer’s negligence, a claim for compensation can be made against the concerned bank.
• Indian Penal Code, 1860: FIR can be lodged under the Indian Penal Code for theft, cheating by personation, cheating, and other applicable provisions with the cybercrime cell of a police station.
• Personal Data Protection Bill, 2019: The Personal Data Protection Bill, 2019 (“PDP Bill”) defines “data fiduciaries” as any person, including individuals, who determine the purpose and means of processing personal data. As cybercriminals usually collect and misuse sensitive financial data as per their own design, they are data fiduciaries. Thus, upon implementation of PDP Bill as is, cybercriminals will be in breach of a fundamental obligation to process personal data for specific, clear and lawful purpose. Accordingly, the aggrieved data principal can resort to the civil and criminal remedies envisaged against defaulting data fiduciaries. Clause 64 permits the data principal to approach the concerned adjudicating officer (AO) for compensation claims for any loss caused by data fiduciary’s breach. The claim determination will account for a variety of factors – nature, duration and extent of violation, harm suffered, intention, and previous history of violations.
For initiating criminal process – Clause 57(2)(a) states that any person violating processing principles shall be liable for a penalty up to INR 150 million or 4% of the data fiduciary’s worldwide turnover in the preceding fiscal year, whichever is higher. However, aggrieved individuals cannot directly make a complaint to AO. Only the proposed Data Protection Authority of India (“DPA”) can initiate such prosecution. Therefore, the aggrieved user first has to approach DPA. The process of how a complaint can be made is absent in the PDP Bill, and probably this will be captured in the final text or the rules. To provide the process, clue can be taken from the complaint mechanism under Competition Act, 2002.14 Assuming such a process is provided, aggrieved user can file complaint, followed by investigation. If investigation results in a prima facie case against the data fiduciary, criminal prosecution can be initiated.
3. Are Indian laws enough? As it may be, the question that remains is are these remedies adequate and can they be enforced efficiently? The first and biggest hurdle in prosecuting cybercriminals is unmasking their identity. Oftentimes, cybercriminals use secure software to remain anonymous which are proxy servers hiding location and routes of transmission across jurisdictions. This makes direct detection evasive. They register websites through domain name registrars who do not disclose the website owner’s personal information in the publicly available who-is database. Further, they trade their exploits i.e. credit card information, over the dark-web, i.e. the encrypted part of the internet where users cannot be identified. To face this challenge, the Indian cyber-police have stepped up their game. The Ministry of Electronics and Information Technology has set up cyber forensic labs in all metro cities for training and building awareness of cybercrime investigation.15 However, with the current nation-wide lockdown in place, domestic legal remedies (other than those related to RBI) are not accessible. Thus, as of date, the only available tool for fighting online phishing scams are training and raising awareness about such scams in the Indian population. It is extremely probable that an Indian is defrauded by COVID-19 scam by a foreigner. Assuming the user identifies the overseas cybercriminal (which in itself is a considerable achievement!!) and initiates a civil or criminal action, the cybercriminal would simply not submit to the jurisdiction of Indian courts. Unlike multi-national corporations, cybercriminals with no presence in India cannot be coerced by Indian courts. Regardless, if the user pursues the civil case against the foreign internet fraudster, it may result in ex-parte decree of damages. Such decree will have to be enforced in the internet fraudster’s home-country, which may or may not be a reciprocating territory (i.e. a nation which recognizes judgments of Indian courts). Even if such country is a reciprocating territory, the ex-parte decree of damages will have to undergo legal scrutiny as per applicable law of the fraudster’s home country before enforcement. In view of such arduous procedure, it is unlikely that any individual would seek civil remedies against a foreign internet fraudster. Further, criminal remedies are even more unlikely as only the Ministry of External Affairs can request for extradition of a suspected foreign criminal. Therefore, the remedies available under Indian law for foreign cybercriminals are theoretical, and the practical issues render it a distant reality.
4. Best practices for corporates and individuals: The inadequacy of enforcing remedies makes the proverb “prevention is better than cure” apt. Thus, organizations and individuals must focus on preventing phishing attacks than to remedy their consequences. Relying on the Indian Computer Emergency Response Team guidelines for detecting and preventing phishing attacks based on novel coronavirus,16 and other best practices, the following are recommended to manage the COVID-19 phishing crisis:
• Thoughtfully designed security awareness campaigns must be organized for employees that stress the avoidance of clicking on links and e-mails with attachments =>SENSITIZATION IS THE SALVATION!!! To this end, organizations should periodically run phishing drills wherein dummy phishing e-mails should be sent to employees and if any one clicks on the link, they should be alerted and sent to mandatory training.
• Update all systems with malware and anti-virus protection programs.
• Check all services and devices used for remote access for updates of firmware and security patches.
• Install and use genuine applications provided by trusted vendors.
• Never reply to any suspicious e-mails or SMSs.
• Use safe browsing techniques to avoid visiting malicious websites.
• Visit official websites for obtaining information.
• Report any suspicious e-mails or messages
5. Conclusion: Phishing attacks exploit the human psyche of fear in uncertain times. The best mode for preventing phishing attacks is to replace such fear with correct information and implement best practices. There is a need to develop a scientific temperament, and critical thinking abilities to distinguish online scamsters from genuine vendors. Remember, in a world full of fishers, don’t be a phish.