Cybercrime & Laws

https://cybercrime.gov.in/
 Cybercrime
• Cyber is a prefix that denotes a relationship with information technology (IT).

• Crime implies a serious offence punishable by the law.

• Cybercrime is any criminal activity that involves a computer, networked device or a

network.

• Cybercrime either targets or uses a computer, a computer network or a networked device.

• Most of the cybercrimes are committed by cybercriminals or hackers who want to make
money.

• Occasionally cybercrime also aims to damage computers or networks for reasons such as
personal, political etc.
• Cybercrime can be carried out by individuals or organizations.

• Some cybercriminals are organized, use advanced techniques and are highly
technically skilled. Others are novice (beginner) hackers.

• Cybercriminals that target computers may infect them with malware to damage
devices or stop them from working.

• Cybercriminals may also use malware to delete or steal data.

• Cybercriminals may stop users from using a website or network or prevent a

business from providing a software service to its customers, which is called a
Denial-of-Service (DoS) attack.
 Types of cybercrime
• Phishing: Phishing is a type of fraud that involves stealing personal information such as Customer ID,
IPIN, Credit/Debit Card number, Card expiry date, CVV number, etc.

• Ransomware: Ransomware is a form of malware that encrypts a computer or files and then demands
payment in exchange for the computer or files to be decrypted.

• Malware: Malware is any software intentionally designed to cause disruption to a computer, server,
client, or computer network, leak private information, gain unauthorized access to information or
systems, deprive access to information, or which unknowingly interfere with the user's computer
security and privacy. Examples of malware include viruses, worm etc.

• Identity theft: Identity theft occurs when a cybercriminal uses another person’s personal data like credit
card numbers or personal pictures without their permission to commit fraud or a crime.
• Denial-of-Service (DoS) attack: A denial-of-service attack is a cyber-attack in which the
perpetrator (culprit) seeks to make a machine or network resource unavailable to its intended
users by temporarily or indefinitely disrupting the services of a host connected to a network.
Distributed DoS attacks are used to make an online service unavailable and take the network
down by overwhelming (crushing)the site with traffic from a variety of sources.

• Cyber pornography: Cyber Pornography means the publishing, distributing or designing

pornography by using cyberspace.

• Hacking: Hacking is a broad term for a range of activities that aim to compromise computers
and networks, by identifying and then exploiting security weaknesses. it is the unauthorised
access to or control over computer network security systems for some illicit purpose.
• Cyberbullying: Cyberbullying or cyberharassment is a form of bullying or harassment using electronic
means. Cyberbullying and cyberharassment are also known as online bullying or Internet bullying.

• Botnet: Botnets are networks from compromised (negotiated) computers that are controlled
externally by remote hackers. The remote hackers then send spam or attack to other computers
through these botnets. Botnets can also be used to act as malware and perform malicious tasks.

• Cyberstalking: Cyberstalking is often used to describe the act of stalking (following) a person online,
such as by repeatedly sending them unwanted messages or using the Internet to track their
location.

Please note: A compromised computer is defined as any computing resource, for which the
confidentiality, integrity or availability has been adversely impacted, either intentionally or
unintentionally, by an untrusted source.
• Social engineering: Social engineering is one of the most classic types of cyber attack that can be
launched against individuals or organizations. This method includes using lies and manipulation to
trick people into revealing their personal information.

• Cyberterrorism: Cyberterrorism is the use of the Internet to conduct violent acts that result in, or
threaten, the loss of life or significant bodily harm, in order to achieve political or ideological gains
through threat or fear.

• Spyware: Spyware is a type of unwanted, malicious software that infects a computer or other device
and collects information about a user’s web activity without their knowledge or consent.

• Cryptojacking: Cryptojacking is the act of exploiting a computer to mine cryptocurrencies, often

through websites, against the user's will or while the user is unaware. One notable piece of software
used for cryptojacking was Coinhive.

Please note: A cryptocurrency is a digital currency, which is an alternative form of payment created
using encryption algorithms.
• Software piracy: Software piracy can be defined as the use of software that is not properly
licensed. That might include copying, modifying, distributing or selling the software in ways
that break copyright laws or license terms.

• Insider threat: An insider threat is a perceived threat to an organization that comes from people
within the organization, such as employees, former employees, contractors or business
associates, who have inside information concerning the organization's security practices, data
and computer systems.

• Man-in-the-middle (MITM) attack: A man-in-the-middle attack is a cyberattack where the

attacker secretly relays and possibly alters the communications between two parties who
believe that they are directly communicating with each other, as the attacker has inserted
himself/herself between the two parties.
• Internet fraud: Internet fraud is a type of cybercrime that makes use of the Internet and it can be
considered a general term that groups all of the crimes that happen over the Internet like spam, banking
fraud, theft of service, etc.

• Data breach: A data breach is any security incident in which unauthorized parties gain access to sensitive
data or confidential information, including personal data (Social Security numbers, bank account numbers,
healthcare data) or corporate data (customer data records, intellectual property, financial information).

• Cyber espionage: Cyber espionage or cyber spying is a type of cyber attack that malicious hackers
carry out against a business or government entity. Cyber espionage steals classified, sensitive data
or intellectual property to gain an advantage over a competitive company or government entity.

• Vishing: Vishing or Voice over Internet Protocol (VoIP) phishing is a form of phishing that uses phone calls
instead of emails to convince victims to act in a specific way, often giving fraudsters their private
information or access to bank accounts.
• Smishing: Smishing or SMS phishing is a type of fraud that uses mobile phone text messages to trap
victims into calling back on a fraudulent phone number, visiting fraudulent websites or downloading
malicious content via phone or web. The term “smishing” is a combination of “SMS”—or “short
message service,” the technology behind text messages—and “phishing.”

• Sexting: Sexting is an act of sending sexually explicit digital images, videos, text messages, or emails,
usually by cell phone. Cybersex is any type of sexual activity that uses the Internet. Sexting is a type
of cybersex.

• SIM (Subscriber Identity Module) swap scam: SIM swapping is also known as SIM splitting, SIM
jacking, or SIM hijacking. A scammer manages to get access to your SIM card. They trick the
network provider into linking your number to the SIM card they have in possession. For example,
by impersonating the victim using personal details to appear authentic and claiming that they have
lost their phone.
Checklist for reporting cybercrime at
cybercrime police station
Checklist
Checklist for reporting cybercrime online
Checklist

https://youtu.be/3e4JdZyrJGg
Phishing
• Phishing is when attackers attempt to trick users into doing 'the wrong thing',
such as clicking a bad link that will download malware, or direct them to a dodgy
(unreliable) website.
• Analogous to fishing, phishing is also a technique to “fish” for usernames,
passwords, and other sensitive information, from a “sea” of users.
• A phishing attack aims to trick the recipient into falling for the attacker's desired
actions, such as revealing financial information, system login credentials, or other
sensitive information.
• Phishing is a predominant type of social engineering.
• Successful phishing attacks can:
• cause financial loss for victims.
• put the personal information of victims at risk
• put an organization’s data and systems at risk.
• Phishing is the practice of sending fake communications that appear to
come from a legitimate and reputable source, usually through email and
text messaging.
• The attacker's goal is to steal money, gain access to sensitive data and
login information, or install malware on the victim's device.
• Phishing is one of the leading causes of data breaches.
• Clone phishing: It is a newer type of email-based threat where attackers
clone a real email message with attachments and resend it pretending to
be the original sender. The attachments are replaced with malware but
look like the original documents.
• Hybrid phishing: It is a type of phishing attack where cybercriminals use a
combination of tactics, such as emails, text messages, and phone calls to
deceive users into providing their login credentials or sensitive
information.
• AI phishing attacks: AI phishing attacks, also known as AI-powered
phishing or AI-driven phishing, are sophisticated (refined)
cyberattacks that leverage artificial intelligence and machine
learning algorithms to craft and execute highly convincing phishing
attempts. These attacks are designed to deceive individuals or
employees into revealing sensitive information, such as login
credentials, financial details, personal data etc.
Real-life examples of phishing
• CEO fraud
• Evil twin phishing
• Dyre phishing scam
• The Nordea bank incident
• Google and Facebook phishing attack
Types of phishing (Any 5)
https://youtu.be/iPu5r-ZRES8
Student-centric activity --- Assignment 1
• Spear phishing
• Vishing or voice phishing
• Pharming
• Whaling attack
• Watering hole phishing
• Angler phishing
• Quishing
How to protect ourselves from phishing attacks?
Student-centric activity --- Assignment 2
Phishing emails

• Phishing is an attempt to steal personal information or break into

online accounts using deceptive emails, messages, ads, or sites that
look similar to sites you already use.

• For example, a phishing email might look like it's from your bank and
request private information about your bank account.

https://youtu.be/ytJjyswLRTc
Please note: Unsolicited attachment is an attachment that we’re not expecting. Do not
open unsolicited attachments.
Analyse cybercrime cases and identify section
applicable (as per IT Act)
1. ICICI Bank Phishing Case (2003):
Section Applicable: Section 66C (Identity theft) and Section 66D (Cheating by personation using computer
resources) of the Information Technology Act, 2000.
2. Titanium Cyber Fraud Case (2014):
Section Applicable: Sections 43(a), 43(b), 66, and 66D of the Information Technology Act, 2000, for unauthorized
access, damage to computer resources, and cheating by personation.
3. Aadhaar Data Breach Case (2017):
Section Applicable: Section 43 (Unauthorized access) and Section 66 (Computer-related offences) of the
Information Technology Act, 2000.
4. WannaCry Ransomware Attack (2017):
Section Applicable: Section 43 (Unauthorized access) and Section 66 (Computer-related offences) of the
Information Technology Act, 2000.
5. Kotak Mahindra Bank Phishing Case (2020):
Section Applicable: Section 43 (Unauthorized access), Section 66 (Computer-related offences), and Section 66C
(Identity theft) of the Information Technology Act, 2000.

https://youtu.be/t2mrPw3oW20
https://enhelion.com/blogs/2021/03/01/landmark-cyber-law-cases-in-india/
https://www.upguard.com/blog/cybersecurity-regulations-india
Data protection
• Data protection is the process of protecting sensitive information from damage,
loss, or corruption.
• A robust cybersecurity policy protects secure, critical or sensitive data and
prevents it from falling into the hands of malicious third parties.
• Vital information of organizations, individuals etc. are all data that should be
carefully stored and protected.
• Applying strong data protection measures and safeguards protects individuals'
or customers' personal data and your organization's data.
• Data protection safeguards sensitive data against loss, manipulation, and misuse.

• The Hon’ble Supreme Court of India established the right to privacy as a

fundamental right under Article 21 of the Constitution of India.

• The Information Technology Act, 2000 (IT Act) and Indian Contract Act, 1872 are

currently the data protection law in India.

Data protection laws in India
• The Information Technology Act (2000) (IT Act) contains provisions for the protection of
electronic data.

• The IT Act penalizes 'cyber contraventions or cyber breaches' (Section 43(a)–(h)), which attract
civil prosecution, and 'cyber offences' (Sections 63–74), which attract criminal action.

• The IT Act 2000 was enacted by the Parliament of India and administered or controlled by the
Indian Computer Emergency Response Team (CERT-In) to guide Indian cybersecurity legislation,
institute data protection policies, and govern cybercrime.

Please note: Civil prosecution refers to legal action taken by one person or organization against
another in a court.
• The CERT-In is the national nodal agency for cybersecurity.

• The CERT-In Rules prescribe the functions and responsibilities of CERT-In, as well
as procedures for incident reporting, response and information broadcasting,
etc.

• The MeitY (Ministry of Electronics and Information Technology) has authorized

the CERT-In to monitor and collect traffic data or information generated,
transmitted, received or stored in any computer resource
• In early August 2023, the Indian Parliament passed the Digital Personal Data
Protection (DPDP) Act, 2023.

• The new law is India's first cross-sectoral (cross-sectoral means involving

individuals, public and private institutions and communities working together)
law on personal data protection.

• DPAs (Data Protection Authorities) are independent public authorities that

monitor and supervise, through investigative and corrective powers, the
application of the data protection law.

• DPAs provide expert advice on data protection issues and handle complaints
that may have breached the law.