Phishing and Cybersquatting

Phishing (brand spoofing) is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Intention Behind Phishing:

The purpose behind phishing is to divulge personal information and steal the user’s identity, passwords, rob bank accounts & consequently take over the computer.

Recognizing Phishing:

The following factors might help recognize phishing:

• Financial loss occurs;
• Data loss occurs;
• Introduction of virus/ malware into the computer system occurs;
• Illegal use of the user’s details occurs.

Safeguards Against Phishing:

The following safeguards are to be implemented against phishing:

• Use of anti-spam software;
• One should not click hyperlinks in e-mail through unknown/ unverified sources;
• Use of firewalls should be there;
• Use of phishing filters;
• Use of digital certificates should be emphasized upon;
• E-mail protocols should be secured;
• Reliability of the websites should be ensured;
• Use a Web browser with anti-phishing detection;
• Be aware of phishing phone calls;
• Be aware of links in the mailbox.

PHISHING - A CYBERCRIME, THE PROVISIONS OF INFORMATION TECHNOLOGY ACT, 2000

Phishing fraud essentially is cybercrime and it attracts several  penal provisions of the Information Technology Act, 2000 as amended in 2008 adding some new provisions to deal with the phishing activity. The following provisions of the Information Technology Act, 2000 apply to the Phishing Activity:

Section 66: The account of the victim is compromised by the phisher which is not possible unless & until the fraudster fraudulently affects some changes by way of deletion or alteration of information/data electronically in the account of the victim residing in the bank server. Thus, this act is squarely covered and punishable u/s 66 IT Act.

Section 66A: The disguised email containing the fake link of the bank or organization is used to deceive or to mislead the recipient about the origin of such email and thus, it attracts the provisions of Section 66A IT Act, 2000.

Section 66C: In a phishing email, the fraudster disguises himself as the real banker and uses the unique identifying feature of the bank or organization say  logo, trademark etc. and thus, clearly attracts the provision of Section 66C IT Act, 2000.

Section 66D: The fraudsters through the use of the phishing email containing the link to the fake website of the bank or organizations personates the Bank or financial institutions to cheating upon innocent persons, thus the offence under Section 66D too is attracted.

The Information Technology Act, 2000 makes penal provisions under the Chapter XI of the Act and further, Section 81 of the IT Act, 2000 contains a non-obstante clause, i.e., “the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force”. The said non-obstante clause gives an overriding effect to the provisions of the IT Act over the other Acts including the Indian Penal Code. The aforesaid penal provisions of the IT Act, 2000 which is attracted to the phishing scam are however been made bailable under Section 77B IT Act intentionally since there is always an identity conflict as to the correct or accurate identity of the person behind the alleged phishing scam and there is always a smokescreen behind the alleged crime as to the identity of the person who has actually via these online computer resources have or have not committed the offence and given the possible misuse of the penal provision for cyber offences as contained in the IT Act, the offence is made bailable.

Cybersquatting

Meaning:

Cybersquatting is the practice of registering names, especially well-known company or brand names, as internet domains, in the hope of reselling them at a profit. It is the bad-faith registration and use of a domain name that would be considered confusingly similar to an existing trademark. Cybersquatting occurs when people buy domain names to sell them to trademark owners for a profit.

Intention Behind Cybersquatting:

The purpose behind cybersquatting is to make profit from the well-merited goodwill of a corporation, steal business characteristics or name to make instant money and use the names of existing businesses with the intent to sell the names for a profit to those businesses.

Recognizing Cybersquatting:

The following factors might help recognize cybersquatting:

• Checking where the domain name takes;
• Contacting the domain name registrant;
• Paying, if it makes sense.

Safeguards Against Cybersquatting:

The following safeguards are to be implemented against phishing:

• One should have a registered trademark;
• The proper domain ownership should be recorded;
• Buying up the variations of the domain name;
• More than one extension should be registered;
• To fight back through arbitration.

Legal Position  of Cybersquatting  in India:

The cases of cybersquatting are dealt with under the Trademark Act, 1999.

In the case of Satyam Infoway Ltd v. Sifynet Solutions Private Limited, it was observed by the Hon’ble Supreme Court that:

“As far as India is concerned, there is no legislation which explicitly refers to dispute resolution in connection with domain names. But although the operation of the Trade Marks Act, 1999 itself is not extra-territorial and may not allow for adequate protection of domain names, this does not mean that domain names are not to be legally protected to the extent possible under the laws relating to passing off”.

Options Available to Cybersquatting Victims in India:

• Arbitration under ICANN’s (Internet Corporation for Assigned Names and Numbers) rules
• Issuance of cease-and-desist letters to cyber squatters.

Dispute Resolution in  Cybersquatting Cases:

Disputes about domain names may be resolved under UDRP (on an international level) or INDRP (national level).

UDRP: Disputes such as Cybersquatting that involve illegal/bad-faith registrations of domain names are resolved via the Uniform Domain Name Dispute Resolution Policy (UDRP) process that has been made by the ICANN. As per the guidelines of UDRP in the context of Cybersquatting, at the time of registration of a domain name, the applicant gives his agreement to submit to proceedings in case they are initiated under the UDRP of ICANN.

A complaint may be brought by an individual/organization before the administrative dispute resolution service providers if:

• A domain name is identical or similar to the trademark in which the complainant has rights
• The owner of the domain has no direct or legitimate interest in the domain name
• The domain name has been registered and is being used illegally or in bad faith

INDRP: A case could be filed with the .IN registry handled by the National Internet Exchange of India (NiXI) bringing the matter to fast-track dispute resolution process whereby decisions are transferred within 30 days of filing a complaint.

Though there is no legal compensation under the IT Act, .in registry has taken proactive steps to grant compensation to victim companies to deter squatters from further stealing domains. Most squatters however operate under the guise of obscure names.

Under NIXI, the IN Registry functions as an autonomous body with primary responsibility for maintaining the .IN ccTLD (country code top-level domain) and ensuring its operational stability, reliability, and security.