Phishing is an act in which a FRAUDSTER pretends to be someone else in order to steal, or gain access to, useful financial information which can then be used for financial gain.
Phishing comes from the word “FISHING”, which essentially means to trap someone with a fake identity by using a fake website, fake links, spear phishing, etc. This is one of the major areas that need awareness, and it is crucial for all FORENSIC ACCOUNTANTS who undertake any kind of financial investigation to understand the concept, so that the mindset of the FRAUDSTER can be understood easily.
Significance of PHISHING ATTACKS –
The damage caused by phishing attacks is growing day after day. The main objective is to obtain the financial information of the VICTIM, which ultimately turns into a loss in many ways.
As per the survey conducted by the University of Portsmouth for the 2016 Annual Fraud Indicator report, fraud is taking place on an industrial scale and is one of the biggest crimes afflicting UK plc today:
“Private sector fraud losses are estimated to be £144 billion each year, or 74 percent of the total. The UK has seen a significant jump in phishing attacks in the past 12 months as cyber-criminals increasingly targeted consumers and company staff with online scams. Get Safe Online discovered that phishing attacks rose by more than a fifth (21 percent) last year and were estimated to cost British companies over £280 million”
“Email phishing accounted for 77 percent of all reported incidents. Nearly a third (29 percent) of these were found to contain a potentially malicious link that could deliver malware directly to the user’s computer or request personal details”
Source: University of Portsmouth
How it works and affects VICTIMS
These are fake emails or links that are passed to the targeted VICTIM, through which the FRAUDSTER is able to obtain the username, password or other financial information of the VICTIM without the VICTIM knowing. By the time the VICTIM realizes what has happened, the FRAUDSTER has already stolen the money or made other financial gains. The FRAUDSTER usually sends LOOKALIKE website or email links which are very difficult for a COMMON user to spot, so the user is trapped into using the FAKE link and entering confidential details.
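The LOOKALIKE links described above can be screened mechanically during an investigation. The following is an added example, not part of the original article: it compares the host in each link against a list of genuine domains and reports why a link looks like an imitation. The domains and sample links are constructed placeholders, and the matching rules (digit-for-letter swaps, an edit distance of 2) are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (placeholder domains, not real institutions).
TRUSTED = ("examplebank.com", "examplepay.co.in")
# Characters commonly substituted to imitate a letter.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'unrelated', 'invalid' or a 'lookalike:<reason>' label."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # Genuine only if the host IS a trusted domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike:punycode"  # internationalised name, review by hand
    # Trusted brand name embedded in a domain the brand does not own.
    if any(d.split(".")[0] in host for d in TRUSTED):
        return "lookalike:brand-in-foreign-domain"
    # Undo digit-for-letter and 'rn'-for-'m' swaps, then look for near misses.
    skeleton = host.translate(CONFUSABLE).replace("rn", "m").split(".")
    for d in TRUSTED:
        tail = ".".join(skeleton[-len(d.split(".")):])
        if edit_distance(tail, d) <= 2:
            return "lookalike:typosquat"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious email.
    for link in ("https://www.examplebank.com/login",
                 "http://examplebank.com.secure-login.example/verify",
                 "https://examp1ebank.com/otp"):
        print(f"{classify(link):36} {link}")
```

A production check would take the registrable domain from the Public Suffix List rather than counting labels, and would treat every non-trusted result as needing manual review.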
Some examples of phishing attacks
Some PHISHING incidents in India – REAL & REPORTED INCIDENTS
> Umashankar Sivasubramaniam Vs ICICI Bank (2010)
Facts: In this case, the adjudicator PWC Davidar held ICICI Bank liable to pay damages to the extent of Rs 12.85 lakh on an alleged “phishing” fraud incident involving fraudulent transfer of an amount of Rs 6.46 lakh. In the ICICI Bank phishing fraud case, the Adjudicator clearly documents reasons why he considers it necessary to hold the bank liable not only to repay the involved amount, but also interest and other expenses. In my opinion, ICICI Bank should be glad that it escaped with only a financial liability instead of also being held liable for criminal liabilities under several sections of the Information Technology Act 2000 (ITA 2000) and the Indian Penal Code (IPC).
Most professionals in the banking industry had so far failed to recognize the fact that “phishing” is an offence that falls within ITA 2000. Section 66 (as well as Section 43) can be invoked in such cases. This finding of the Adjudicator has really opened the eyes of the ignorant, and recognized the latent potential of the ITA 2000.
> Techie’s wife loses Rs 11 lakh to phishing, ends her life (2016)
> Phishing season: Cyber criminals have adopted innovative means to cheat people (2017)
“Around a month ago, I got an SBI credit card. The man had details of my account. He knew the last four digits of my card, the registered phone number, my name and some other details. I was asked to share these details over the phone as part of the verification process. The man said my account would be blocked if this verification is not completed,”
“While I was talking to him, I got messages which showed that nearly Rs 2.5 lakh was withdrawn from my SBI and HSBC bank accounts. Another Rs 80,000 was withdrawn from my HSBC credit card while Rs 19,500 was withdrawn from my SBI account. Then I received yet another message saying that Rs 1,36,045 was withdrawn from my SBI credit card as well. When I asked him about the messages, I was told not to worry,”
General categories of PHISHING
It can be observed from the reported facts above how significant the threat is. It is indeed one of the major areas of investigation for every FORENSIC ACCOUNTANT investigating such financial losses. Now, let’s understand the major types of PHISHING ATTACKS usually encountered by VICTIMS:
– WEBSITE PHISHING >
The FRAUDSTER creates a site which looks genuine and asks for registration; that is how they start communicating with a VICTIM. Once the VICTIM gets familiar with the site, the FRAUDSTER gains access to confidential information through the links/emails that it shares with the VICTIM.
– SPEAR PHISHING >
It is a unique type of phishing in which the FRAUDSTER slowly gathers information about a VICTIM and, when ready for an attack, uses the previously gathered information to convince the VICTIM, who is then trapped into providing useful financial information. A person calling a VICTIM and asking for an OTP by quoting the VICTIM’S bank account, learned beforehand, would come under this category.
– SOCIAL MEDIA >
It is one of the soft targets, given the high level of social media usage nowadays. The FRAUDSTER drops a link on FACEBOOK, LINKEDIN or any other social media site; if someone clicks on the link, the FRAUDSTER starts gaining access to the VICTIM’S account. In other incidents, FRAUDSTERS keep an eye on the friends/relatives of a VICTIM and use that information to make an email appear to come from the VICTIM’S close relative, and the VICTIM gets trapped.
Many incidents and cases related to PHISHING have been reported across the world.
The author is a Certified Forensic Auditor and is passionate about sharing knowledge/experiences by writing articles. He can be reached at firstname.lastname@example.org or Whatsapp 9634706933