Phishing is a type of cybercrime where attackers impersonate a legitimate person, brand, or organization to trick individuals into revealing sensitive information such as:
- Login credentials
- Bank account or credit card numbers
- Aadhaar or PAN details
- OTPs or PINs
- Personal identification details
The attacker typically uses emails, SMS, phone calls, or fake websites to carry out the attack. It is called “phishing” because it’s like “fishing” for victims by luring them with bait.
2. How Phishing Works (Step-by-Step)
- Bait Creation: The attacker creates a fake but convincing message, link, or website that resembles a trusted entity (e.g., a bank, government agency, or employer).
- Delivery: The phishing message is sent via email, SMS, social media, or fake websites.
- Victim Interaction: The user clicks a link or downloads an attachment, thinking it’s safe.
- Data Theft or Malware Execution:
  - The user is asked to “log in” on a fake site, giving away credentials.
  - Or malware is installed on the user’s system for spying or stealing.
- Exploitation: The attacker uses the stolen information for:
  - Identity theft
  - Bank fraud
  - Unauthorized purchases or fund transfers
  - Gaining access to secure systems
3. Types of Phishing Attacks
Type | Description | Example |
---|---|---|
Email Phishing | Fake emails with malicious links or attachments | “Your bank account is blocked. Click here to verify.” |
Spear Phishing | Targeted phishing aimed at specific individuals using personal data | “Dear Mr. Rao, your tax report needs verification.” |
Whaling | Targets senior executives or high-profile individuals | CEO gets an email from a fake “legal department” |
Smishing | Phishing via SMS (SMS + Phishing) | “Your PAN card is suspended. Call 1234567890.” |
Vishing | Voice phishing using fake calls | “This is RBI. Confirm your account number to avoid suspension.” |
Pharming | Redirecting users to fake websites by manipulating DNS | A user enters a bank URL and lands on a fake login page |
Clone Phishing | Duplicates a real email with a malicious link or attachment | Forwarding a legitimate newsletter with altered links |
4. Real-Life Phishing Examples in India
- IRCTC Fake Emails: Users received fake ticket booking links mimicking IRCTC, stealing payment info.
- SBI Phishing SMS: SMS claiming to be from SBI asking to update KYC, leading to credential theft.
- Aadhaar Phishing: Fake websites asked for Aadhaar number and OTPs to link bank accounts.
5. Prevention and Safety Tips
✅ For Individuals:
- Do not click on suspicious links in emails or SMS.
- Always check sender’s email address carefully.
- Verify URLs – phishing sites often use slight spelling variations.
- Use multi-factor authentication (MFA) on important accounts.
- Keep antivirus and browsers updated.
- Never share OTPs or PINs, even if the request seems urgent.
✅ For Organizations:
- Conduct cybersecurity awareness training.
- Use email filtering and anti-phishing tools.
- Implement strong access controls and network monitoring.
- Simulate phishing attacks to educate employees.
6. Legal Aspects in India
✅ Covered Under the Information Technology Act, 2000:
Section | Provision | Punishment |
---|---|---|
Sec 43 | Penalty for unauthorized access to computers or networks | Civil liability and damages |
Sec 66 | Computer-related offenses (data theft, fraud) | Up to 3 years imprisonment + fine |
Sec 66C | Identity theft (using someone else’s password or signature) | Up to 3 years + ₹1 lakh fine |
Sec 66D | Cheating by personation using a computer (Phishing, Vishing) | Up to 3 years + ₹1 lakh fine |
✅ Also covered under:
- Indian Penal Code (IPC) Sections 419 (cheating by impersonation), 420 (cheating and dishonestly inducing delivery of property)
7. Key Signs of a Phishing Attempt
- Requests for confidential or financial information
- Unusual or urgent language: “Immediate action required”
- Fake domain names: g00gle.com, paypa1.net
- Poor grammar or spelling
- Unexpected attachments or shortened URLs
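The signs listed above (and the “verify URLs” and “use email filtering” tips in section 5) can be turned into a simple checker. The Python below is an added example written for these notes, not code from any product or from the original text: `TRUSTED_DOMAINS`, the homoglyph table, the phrase lists, the one-point-per-sign scoring rule, the simplified registrable-domain rule and the three `SAMPLES` messages are all constructed assumptions for illustration. It shows how lookalike domains such as g00gle.com or paypa1.net are detected by normalising digit-for-letter swaps and measuring edit distance to a trusted brand, how a brand name hidden in a subdomain (paypal.com.evil.net) or behind an `@` in a URL is caught, and how urgent language, credential requests and shortened URLs each raise the score.

```python
"""Heuristic checks for the phishing signs listed in these notes.

Added example, not part of the original notes. TRUSTED_DOMAINS, HOMOGLYPHS,
the phrase lists, the scoring rule and SAMPLES are constructed assumptions;
a production mail filter uses far larger lists, reputation feeds and trained
classifiers.
"""
import re
from dataclasses import dataclass

# Assumption: the brands this reader's organisation expects mail from.
TRUSTED_DOMAINS = ["google.com", "paypal.com", "sbi.co.in", "irctc.co.in"]

# Substitutions that make a fake name look like the real one (g00gle, paypa1).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

URGENT_PHRASES = ("immediate action", "urgent", "suspended", "blocked",
                  "within 24 hours", "verify now")
CREDENTIAL_RE = re.compile(r"\b(password|otp|pin|cvv|aadhaar|pan card|kyc|account number)\b")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def normalize(label):
    """Undo common digit-for-letter and letter-pair swaps: 'g00gle' -> 'google'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance, so a one-typo name like 'goggle' is caught as well."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Strip subdomains: 'www.irctc.co.in' -> 'irctc.co.in', 'a.paypal.com.evil.net' -> 'evil.net'.
    Simplified rule (assumption): keep three labels when the second-level label is a
    generic suffix like 'co'; real code would consult the public-suffix list."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "net", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if genuine or unrelated."""
    host = host.lower()
    if registrable(host) in TRUSTED_DOMAINS:
        return None  # the real site, including its legitimate subdomains
    labels = re.split(r"[.-]", host)  # 'sbi-kyc-update.com' -> ['sbi', 'kyc', 'update', 'com']
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        for label in labels:
            if label == brand or normalize(label) == brand:
                return trusted  # brand reused as a label, or spelled with lookalike characters
            if len(brand) >= 5 and levenshtein(label, brand) == 1:
                return trusted  # one-character typosquat of a longer brand name
    return None


@dataclass
class Verdict:
    score: int
    reasons: list


def score_message(sender, subject, body):
    """One point per sign found; 0 means none of the listed signs appeared."""
    reasons = []
    text = f"{subject} {body}".lower()
    if any(p in text for p in URGENT_PHRASES):
        reasons.append("urgent or threatening language")
    if CREDENTIAL_RE.search(text):
        reasons.append("asks for confidential or financial data")
    for raw in URL_RE.findall(body):
        if "@" in raw:  # https://paypal.com@evil.net really goes to evil.net
            reasons.append(f"URL hides its real host behind '@' ({raw})")
        host = raw.split("@")[-1].split(":")[0]
        if registrable(host) in SHORTENERS:
            reasons.append(f"shortened URL ({host})")
        imitated = lookalike_of(host)
        if imitated:
            reasons.append(f"link host {host} imitates {imitated}")
    sender_host = sender.split("@")[-1]
    imitated = lookalike_of(sender_host)
    if imitated:
        reasons.append(f"sender domain {sender_host} imitates {imitated}")
    return Verdict(len(reasons), reasons)


# Constructed sample messages (not real mail): two phishing, one legitimate.
SAMPLES = [
    ("alerts@sbi-kyc-update.com", "KYC suspended - immediate action required",
     "Your account is blocked. Update KYC within 24 hours at https://bit.ly/sbi-kyc and confirm your OTP."),
    ("no-reply@paypa1.net", "Verify your account",
     "Confirm your password at https://secure.paypa1.net/login"),
    ("newsletter@irctc.co.in", "Festival season timetable",
     "Read the new timetable at https://www.irctc.co.in/timetable"),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLES:
        v = score_message(sender, subject, body)
        print(f"{v.score} {sender:28} {'; '.join(v.reasons) or 'no signs found'}")
```

Running the script scores the two constructed phishing samples 4 and 3 and the legitimate IRCTC newsletter 0. The point of `registrable()` is that a trusted brand in a subdomain must not make a host trusted: only the registrable part decides, and a brand name appearing anywhere else in the host counts against it, which is exactly the spelling-variation check the “verify URLs” tip asks the reader to do by eye.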