Let's Build a Responsible Cyber Society




G Gopalakrishna Working Group (GGWG) on Electronic Banking


Phishing Risks

The GGWG has made the following comment on Phishing Risks in its report

"Of late there have been many instances of 'phishing' in the banking industry, posing a major threat to customers availing internet banking facilities. Though Section 66D of the amended IT Act could broadly be said to cover the offence of phishing, the attempt to commit the act of phishing is not made punishable. It is suggested that there is a need to specifically provide for punishment for an attempt to phish as well, in order to deter persons from attempting it"

The suggestion of the Committee to make the "attempt" also punishable is to be noted. I would, however, like to bring it to the notice of observers that this has already been addressed in ITA 2008.

Under Section 84C of ITA 2008, effective from 27th October 2009, an "attempt to commit offences" is punishable with imprisonment for a term that may extend to one-half of the longest term provided for the offence itself, or with the fine provided for the offence, or with both.

The section states,

84C: Punishment for attempt to commit offences

Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence or with both.

Additionally, ITA 2008 makes Phishing liable for punishment under several sections other than 66D.

Phishing is an offence made up of several parts. It may involve the sending of an impersonated e-mail, the creation of an impersonated website, the downloading of credential information fraudulently collected by the phishing website, and unauthorized access to the bank account using the stolen credentials.

Phishing is therefore covered under Section 66A, Section 66 as well as Section 43 in addition to Section 66D.

Section 66A covers "any electronic mail or electronic mail message ......... to deceive or to mislead the addressee or recipient about the origin of such messages", and a phishing mail falls into this category.

Section 66 becomes relevant because the fraudster accesses the bank account without authorization from either the bank or the customer. Merely being in possession of the password is not "authorization", since the password would have been stolen by the phisher through deceit and deception.

If the phisher has changed the password, he will also have caused denial of access to the genuine user and damaged or diminished the value of information residing inside a computer, which are acts covered by Section 43.

Thus the apprehensions of the working group have already been addressed in ITA 2008. Securing a conviction for phishing is therefore easier under ITA 2008 than it was under ITA 2000.

Additionally, the working group has again endorsed the Mittal Report suggestion that the "legal risk" in frauds where digital signatures are not used for authentication of electronic documents lies with the bank.

The working group has also endorsed the observation that, at present, banks are not exempted from liability arising from technical failure in the way they are for EFT transactions under the Payment and Settlement Systems Act.

These observations are relevant to an analysis of Phishing cases in future.



January 22, 2011

Copy of Full Report:

Copy of Executive Summary

Comments are welcome at naavi@vsnl.com