The 14 year saga of a Phishing Case reaches a significant milestone

November 9, 2022 was an important day when my 14 year old crusade for justice for S Umashankar who had lost money in a Phishing fraud at ICICI Bank reached a significant milestone. A judgement was pronounced by Madras High Court dismissing the appeal of ICICI Bank against the order of the TDSAT.

Copy of the judgement  is here

The episode started on 2nd September 2007 when the following e-mail was received by an NRI customer of ICICI Bank, Tuticorin. This was later identified as the phishing mail.

The mail had come from the same email from which the Bank was sending monthly statements and he considered it as having come from the  Bank and proceeded.

(Though the customer was perhaps not aware, it was later pointed out in the Trial  that the URL provided as the phishing link was a sub domain of ICICI Bank ( which meant that the ICICI Bank server had been hacked and mail was being sent from there. Such hacking  had been pointed out by earlier in one case of an educational institute.)

After the phishing mail having been responded, a sum of Rs 646000/- was transferred to a Mumbai Fort branch account of ICICI Bank  in 6 transactions of Rs 1 lakh each and one of Rs 46000/- in quick succession on 6th and 7th September 2007.

ICICI Bank refused to accept its responsibility for the fraud and the customer approached the Adjudicating officer in Tamil Nadu through Naavi as a power of attorney holder and filed the application in June 2008. This was the first case for Adjudication in India.

After several rounds of enquiry, the Adjudicator gave a speaking order in 2010 awarding compensation to the customer.

ICICI Bank went on appeal to Cyber Appellate Tribunal and after a series of hearings, the case was posted for judgement and 3 days before the judgement the Chairperson attained super annuation and the case got stuck up till TDSAT took over Cyber Appellate cases in 2018. After several hearings TDSAT  upheld the order of the Adjudicator .

This time ICICI Bank appealed in Madras High Court and the proceedings were held for about 2 years interrupted by the Covid and finally on 9th November 2022, the appeal was dismissed.

The case is considered historic as the first adjudication case and for the fact that Bank was held liable for negligence.

In both Adjudication, CyAT and TDSAT, the undersigned argued under a power of attorney.

In Madras High Court due to some technical issues,  Naavi was recognized as a consultant to assist the Court and the arguments were finally made by an advocate Mr M A Ranganath.

Finally the Appeal has been dismissed and TDSAT judgement prevails.

We need to wait and see if ICICI Bank goes on an appeal to Supreme Court or closes its fight.

Under ITA 2000 adjudication is expected to be completed in 4-6 months and Appeal in the Tribunal in 6 months. But this case went for 12 years in Adjudication and CyAT out of which major delay was the non appointment of the Chair person in CyAT.

The case indicates the inefficiencies in the system which needs correction.

Since 2007 to this day, things have changed even in Banks and better security measures have been introduced. RBI has also introduced the Zero Liability system and very recently measures have been initiated to stop payment at the transferee Banks.

The recklessness shown by ICICI Bank in this case is beyond imagination and is a great example of what should not be done. It is a good case study for Bankers which should be used in Bank Training Colleges.

The case has already been part of examination question in some premier Law Colleges and it will be more often be used now after the High Court decision.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.