This document provides an overview of online financial fraud, cyber laws in India, and how to file a cybercrime complaint. It discusses common types of online financial fraud like phishing and lottery scams. It also summarizes key aspects of cyber laws in India like the Information Technology Act and sections of the Indian Penal Code related to cybercrimes. Regarding filing complaints, it outlines steps to register complaints with local police or online through the National Cybercrime Reporting Portal and types of information and documents required.

1. Masterclass on Online Financial Fraud

2. • Fraud:
Fraud essentially involves using deception to make a personal gain dishonestly for oneself
and/or create a loss for another.
Fraud would also mean unlawful acts wherein the equipment transforming the information be
it a computer or a mobile is either a tool or a target or both.
As per Section 17 of the Indian Contract Act, 1872, “Fraud” means and includes any of the
following acts committed by a party to a contract, or with his connivance, or by his agent,
with intent to deceive another party thereto or his agent, or to induce him to enter into the
contract:
• the suggestion, as a fact, of that which is not true, by one who does not believe it to be
true;
• the active concealment of a fact by one having knowledge or belief of the fact;
• a promise made without any intention of performing it;
• any other act fitted to deceive;
• any such act or omission as the law specially declares to be fraudulent.

3.  Types of online financial fraud:
• Assured approval of a credit card loan: email scams that tell you to pay an upfront fee and that assures to give you a loan or
credit card.
• Employment opportunities: they promise to give you an employment offer letter if you agree to pay a certain fee.
• Lottery scams: the email will say that you have won a lottery and you have to pay a processing fee.
• Phishing: the meaning of phishing is to get access to your confidential information like date of birth, credit card number,
passwords, etc. through email, SMS or calls.
• Free vacation: you may get an email saying that you have received a free vacation to an exotic location with a hotel room
booking. You will then be asked for payment later.
• Many other kinds of financial fraud: these days they hack your phone and transfer money
 Need for cyberlaws in India:
• Almost all Indian companies have electronic records. A company may need this law to prevent the misuse of such data
• All the transactions associated with stocks are now executed in demat format, anyone who is involved with these transactions is
protected by cyber law in the event of any fraudulent transactions
• Various government forms are being filled out electronically, such as income tax returns and service tax returns
• Misuse of credit/debit cards
• Misuse of digital signatures and electronic contracts can be easily accomplished by anyone involved with them.

4. • SYNOPSIS OF INFORMATION TECHNOLOGY ACT, 2000 (“IT Act”)
• The Indian cyber law is governed by the IT Act. The principal impetus of this
Act is to offer reliable legal inclusiveness to eCommerce, facilitating registration
of real-time records with the Government.
The object of the IT Act is to provide legal recognition for transactions carried
out by means of electronic data interchange and other means of electronic
communication, commonly referred to as electronic methods of communication
and storage of information, to facilitate electronic filing of documents with the
Government agencies and further to amend the Indian Penal Code, the Indian
Evidence Act, 1872, the Banker’s Book Evidence Act, 1891 and the Reserve
Bank of India Act, 1934 and for matters connected therewith or incidental
thereto.
• IT Act highlights the grievous penalties and sanctions that have been enacted
by the Parliament of India as a means to protect the e-governance, e-banking,
and e-commerce sectors. It is important to note that the IT Act’s scope has now
been broadened to include all the latest communication devices.

5. Provisions of IT Act
• The IT Act guides the entire Indian legislation to govern cyber crimes
rigorously:
• Section 43 - Applicable to people who damage the computer systems
without permission from the owner. The owner can fully claim
compensation for the entire damage in such cases.
• Section 66 - Applicable in case a person is found to dishonestly or
fraudulently commit any act referred to in section 43. The imprisonment
term in such instances can mount up to three years or a fine of up to Rs. 5
lakh.
• Section 66B - Incorporates the punishments for fraudulently receiving
stolen communication devices or computers, which confirms a probable
three years imprisonment. This term can also be topped by a Rs. 1 lakh
fine, depending upon the severity.
• Section 66C - This section scrutinizes the identity thefts related to
imposter digital signatures, hacking passwords, or other distinctive
identification features. If proven guilty, imprisonment of three years
might also be backed by a Rs.1 lakh fine.
• Section 66 D - This section was inserted on-demand, focusing on
punishing cheaters doing impersonation using computer resources.

6. • Information Technology (The Indian Computer Emergency Response Team
and Manner of Performing Functions and Duties) Rules, 2013 (the CERT-In
Rules):
• There are several ways in which the CERT-In rules provide for the working of
CERT-In. In accordance with Rule 12 of the CERT-In rules, a 24-hour Incident
response helpdesk must be operational at all times. Individuals, organisations and
companies can report cybersecurity incidents to Cert-In if they are experiencing a
cybersecurity incident. The Rules provide an Annexure listing certain incidents that
must be reported to Cert-In immediately.
• Another requirement under Rule 12 is that service providers, intermediaries, data
centres, and corporate bodies inform CERT-In within a reasonable timeframe of
cybersecurity incidents. As a result of the Cert-In website, Cybersecurity Incidents
can be reported in various formats and methods, as well as information on
vulnerability reporting, and incident response procedures. In addition to reporting
cybersecurity incidents to CERT-In in accordance with its rules, Rule 3(1)(I) of the
Information Technology (Guidelines for Intermediaries and Digital Media Ethics
Code) Rules, 2021 also requires that all intermediaries shall disclose information
about cybersecurity incidents to CERT-In.

7. • INDIAN PENAL CODE, 1860
• Section 420: This section talks about cheating and dishonestly inducing
delivery of property. Seven-year imprisonment in addition to a fine is
imposed under this section on cybercriminals doing crimes like creating fake
websites and cyber frauds. In this section of the IPC, crimes related to
password theft for fraud or the creation of fraudulent websites are involved.
• Section 463: This section involves falsifying documents or records
electronically. Spoofing emails is punishable by up to 7 years in prison
and/or a fine under this section.
• Section 465: This provision typically deals with the punishment for
forgery. Under this section, offences such as the spoofing of email and the
preparation of false documents in cyberspace are dealt with and punished
with imprisonment ranging up to two years, or both.
• Section 468: Fraud committed with the intention of cheating may result in
a seven-year prison sentence and a fine. This section also punishes email
spoofing.

8.  RBI on consumer awareness of cyber threats and frauds
• RBI regularly publishes notifications urging the members of public to practice safe digital banking by taking all due
precautions, while carrying out any digital (online / mobile) banking / payment transactions.
• RBI has published a booklet for Banks & NBFCs to create awareness about the modus operandi adopted by fraudsters to
defraud public and mislead them. The booklet also lists down the precautions to be taken while carrying out financial transactions.
• The booklet lists modus operandi of various online frauds like phishing, frauds using online sales platforms or unknown mobile
apps, ATM card skimming, SIM cloning, scam through QR Code, fake advertisement extending loans, OTP based frauds, etc.
 General precautions suggested by RBI
• Be aware of suspicious looking pop ups
• Always check for a secure payment gateway (https:// - URL with a pad lock symbol) before making online payments /
transactions
• Avoid saving card details on websites / devices / public laptop / desktops
• Turn on two-factor authentication where such facility is available
• Never open / respond to emails from unknown sources as these may contain suspicious attachment or phishing links
• Do not share copies of chequebook, KYC documents with strangers

9. RBI has also
suggested the
following actions to
be taken after
occurrence of a fraud:
Block not only the debit card / credit card but also freeze the debit in the bank account
linked to the card by visiting your branch or calling the official customer care number
available on the bank’s website. Also, check and ensure the safety of other banking
channels such as Net banking, Mobile banking etc., to prevent perpetuation of the fraud
once the debit/ credit cards, etc., are blocked following a fraud.
Dial helpline number 155260 or 1930 or report the incident on National Cybercrime
Reporting Portal (www.cybercrime.gov.in). Reset Mobile: Use (Setting-Reset-Factory
Data) to reset mobile if a fraud has occurred due to a data leak from mobile

10.  Cyber crime & Security:
Cybersecurity can be defined as the collection of technologies, processes, and practices that are intended to prevent networks, devices,
programs, and data from being attacked, damaged or accessed by unauthorized persons. Alternatively, cyber security may also be referred to as
information technology security.
The following must be included in cybersecurity strategies:
• Ecosystem:
The ecosystem of an organisation needs to be strong in order to prevent cyber crime. By developing a safe and strong system, the organisation
would be likely to protect these components and could not be attacked by malware, attrition, hacks, insider attacks, and equipment thefts.
• Framework:
A framework for compliance with security standards is an assurity that can help to ensure that these standards are adhered to.
• IT Mechanisms:
End-to-end protection measures, association-based protection, link-based protection, and data encryption are a few of the measures.
• Infrastructure:
As part of cybersecurity, protecting the infrastructure is one of the most crucial steps. Cyber crime is often perpetrated against outdated
infrastructure.

11. Data Breach
1. Air India data breach highlights third-party risk
• Date: May 2021
• Impact: personal data of 4.5 million passengers worldwide
2. CAT applicant’s data leaked
• Date: May 2021
• Impact: 190,000 CAT applicants’ personal details
3. BigBasket user data for sale online
• Date: October 2020
• Impact: 20 million user accounts
4. Unacademy data breach
• Date: May 2020
• Impact: 22 million user accounts
5. SBI data breach
• Date: January 2019
• Impact: three million text messages sent to customers divulged

12. Case studies:
1. Syed Asifuddin and Ors. v. State of Andhra Pradesh and Anr.
• The subscriber purchased a Reliance handset and Reliance mobile services. The subscriber was attracted by better tariff plans
of other service providers and hence wanted to shift to other service providers.
• The petitioners (staff members of TATA Indicom) hacked the Electronic Serial Number (“ESN”). The Mobile Identification
Number (MIN) of Reliance handsets were irreversibly integrated with ESN, the reprogramming of ESN made the device would
be validated by Petitioner’s service provider and not by Reliance Infocom.
Questions before the Court:
• i) Whether a telephone handset is a “Computer” under Section 2(1)(i) of the IT Act?
• ii) Whether manipulation of ESN programmed into a mobile handset amounts to an alteration of source code under Section 65
of the IT Act?
• Decision: Section 2(1)(i) of the IT Act provides that a “computer” means any electronic, magnetic, optical, or other high-speed
data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic,
magnetic, or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities
which are connected or related to the computer in a computer system or computer network. Hence, a telephone handset is covered
under the ambit of “computer” as defined under Section 2(1)(i) of the IT Act.
• Alteration of ESN makes exclusively used handsets usable by other service providers like TATA Indicomm. Therefore,
alteration of ESN is an offence under Section 65 of the IT Act

13. 2. CBI v. Arif Azim (Sony Sambandh case)
• In May 2002, someone logged into the website www.sony-sambandh.com under the name of Barbara Campa and ordered
a Sony Colour TV set along with a cordless telephone for one Arif Azim in Noida. She paid through her credit card and the
said order was delivered to Arif Azim. However, the credit card agency informed the company that it was an unauthorized
payment as the real owner denied any such purchase.
• A complaint was therefore lodged with CBI and further, a case under Sections 418, 419, and 420 of the IPC was registered.
The investigations concluded that Arif Azim while working at a call center in Noida, got access to the credit card details of
Barbara Campa which he misused.
• The Court convicted Arif Azim but being a young boy and a first-time convict, the Court’s approach was lenient towards
him. The Court released the convicted person on probation for 1 year.
• This was one among the landmark cases of Cyber Law because it displayed that the Indian Penal Code, 1860 can be an
effective legislation to rely on when the IT Act is not exhaustive.

14. 3. Pune Citibank Mphasis Call Center Fraud
• In 2005, US $ 3,50,000 were dishonestly transferred from the Citibank accounts of four US customers through the internet to
few bogus accounts. The employees gained the confidence of the customer and obtained their PINs under the impression that they
would be a helping hand to those customers to deal with difficult situations. They were not decoding encrypted software or
breathing through firewalls, instead, they identified loopholes in the MphasiS system
• The Court observed that the accused in this case are the ex-employees of the MphasiS call center. Therefore, it is clear that the
employees must have memorized the numbers. The service that was used to transfer the funds was SWIFT i.e. society for
worldwide interbank financial telecommunication. The crime was committed using unauthorized access to the electronic accounts
of the customers.
• The IT Act is broad enough to accommodate these aspects of crimes and any offense under the IPC with the use of electronic
documents can be put at the same level as the crimes with written documents.
• The court held that section 43(a) of the IT Act, 2000 is applicable because of the presence of the nature of unauthorized access
that is involved to commit transactions. The accused were also charged under section 66 of the IT Act, 2000 and section 420 i.e.
cheating, 465,467 and 471 of The Indian Penal Code, 1860.

15. • Plea in Supreme Court seeking guidelines to curb online banking frauds:
• A writ petition in the SC has been filed seeking directions to the government to frame a legislative policy ensuring better
investigation of online banking frauds and constituting a special investigation team to deal with such matters.
• The petition seeks directions to the centre, RBI and other banks.
• The plea was filed by two petitioners, residents of UP and Delhi who became victims of online fraud while making online
payments for second-hand mobile phones advertised on OLX.

16. • Register a complaint with the local police or cyber crime authorities. Both online and
offline
• In case the victim does not have access to any of the cybercrime cells, he or she can
lodge the FIR at the local police station under Section 154 of Code of Criminal
Procedure.
• If the police officer refuses to file the complaint of the victim, the victim can make the
written complaint to the Judicial Magistrate of his/her district who in turn can direct the
police officer to commence the investigation.
• inform the bank immediately.
 Procedure for filing:
The written complaint shall be addressed to the Head of the Cybercrime Cell and shall be
accompanied with the following information of the victim or person registering the
complaint:
• Name,
• Contact details, and
• Mailing address.
• Other documents which are required to be attached with the complaint depends upon the
type of cybercrime committed against the victim. It is necessary to attach these
documents with the offline as well as with the online complaint.
How to file a cybercrime
complaint:

17.  Filing complaint on the portal:
• The cybercrime complaints can be registered on National Cyber Crime
Reporting Portal which is the initiative of the Government of India to
facilitate the nation-wide cybercrime complaints.
• Visit www.cybercrime.gov.in/ to file a complaint
• After registering on the portal, details of the incident are to be provided.
• The portal is so effective that it provides the different categories of
complaint which includes Online and social media related crime,
Hacking, Online Cyber Trafficking, Online Gambling, Ransomware,
Cryptocurrency crime, Cyber Terrorism, and any other related crime.
• Once all the details are provided along with any evidence or proof of the
suspect or the crime committed by him, the complaint is registered and
you receive the tracking ID of the reported crime.

18. Thank you