Phishing — Definition & Legal Meaning in India

Also known as: Phishing Attack · Spear Phishing · Vishing · Smishing · Email Phishing

Statute: Information Technology Act, 2000, Section 66D
Landmark Case: State of Tamil Nadu v. Suhas Katti (CC No. 4680 of 2004, Additional CMM, Chennai)

Phishing is a social engineering cyberattack in which a perpetrator impersonates a trusted entity — such as a bank, government agency, or e-commerce platform — through fraudulent emails, messages, websites, or calls to deceive victims into revealing sensitive information such as passwords, OTPs, credit card numbers, or banking credentials. Under Indian law, phishing is prosecuted under Section 66D of the Information Technology Act, 2000 (cheating by personation using computer resources) read with Section 66C (identity theft), carrying imprisonment up to 3 years and a fine.

Indian law does not define "phishing" as a standalone offence. Instead, it is prosecuted under multiple provisions of the IT Act:

Section 66D — Cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

Section 66C — Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

Additionally, Section 43 (penalty for unauthorised access), Section 66 (computer-related offences committed dishonestly or fraudulently), and the general cheating provision under Section 318 BNS (formerly Section 420 IPC) may apply depending on the specific circumstances.

CERT-In (Indian Computer Emergency Response Team), designated as the national agency for cybersecurity incident response under Section 70B of the IT Act, has issued advisories specifically addressing phishing threats and recommended countermeasures.

How courts have interpreted this term

State of Tamil Nadu v. Suhas Katti [(2004) — Additional CMM, Chennai]

In one of India's first cybercrime convictions, the court applied IT Act provisions to online impersonation and deception. While the case primarily involved online harassment through fake profiles, it established the foundational precedent that creating fraudulent digital identities to deceive victims constitutes a cognizable offence under the IT Act — the same principle that underlies phishing prosecutions.

Umashankar Sivasubramanian v. ICICI Bank [(2009) — Adjudicating Officer, IT Act]

One of the early adjudicatory proceedings on phishing in India, where the complainant lost funds from his bank account after responding to a phishing email purporting to be from ICICI Bank. The Adjudicating Officer under Section 46 of the IT Act held that the bank bore responsibility for inadequate security measures and that the phishing attack exploited vulnerabilities in the bank's authentication system.

Cosmos Bank Cyber Attack [(2018) — Pune Police]

The prosecution of perpetrators behind the massive phishing and malware attack on Cosmos Cooperative Bank, Pune, in which approximately Rs 94 crore was siphoned through coordinated ATM withdrawals across 28 countries. The investigation involved international cooperation and resulted in convictions under multiple provisions of the IT Act including Sections 43, 66, 66C, and 66D.

Types of phishing

Indian enforcement agencies recognise several phishing variants:

  • Email phishing: Mass emails impersonating banks, tax authorities (Income Tax Department), or e-commerce platforms with links to fake websites
  • Spear phishing: Targeted attacks on specific individuals using personalised information gathered from social media
  • Vishing (voice phishing): Phone calls impersonating bank officials, RBI, or police requesting OTPs or account details
  • Smishing (SMS phishing): Fraudulent SMS messages with malicious links, often impersonating delivery services or payment platforms
  • Clone phishing: Replication of legitimate emails with malicious attachments or links substituted

Why this matters

Phishing is the most common attack vector for cyber fraud in India. The Reserve Bank of India has reported a significant increase in phishing-related financial fraud, with the banking sector particularly vulnerable due to the rapid adoption of digital payment systems. The shift to UPI-based payments — processing over 13 billion transactions monthly — has created new phishing opportunities targeting mobile users.

For individuals, awareness is the primary defence. No bank, government agency, or legitimate service provider will ever request passwords, OTPs, CVV numbers, or PINs through email, SMS, or phone calls. Victims of phishing should immediately call the cyber crime helpline 1930, block compromised cards through the bank, and file a complaint on cybercrime.gov.in.

For banks and financial institutions, the RBI's master directions on cyber security require implementation of multi-factor authentication, real-time fraud monitoring, and customer awareness programmes. Banks that fail to implement adequate security measures may bear liability for phishing losses under the RBI's circular on customer liability for unauthorised electronic transactions (2017), which limits customer liability based on reporting time.

Frequently asked questions

Is phishing a criminal offence in India?

Yes. Phishing is prosecuted under Section 66D of the IT Act (cheating by personation — up to 3 years imprisonment and Rs 1 lakh fine) and Section 66C (identity theft — up to 3 years and Rs 1 lakh fine). If the phishing results in financial loss, Section 318 BNS (cheating — up to 7 years imprisonment) also applies. Phishing is a cognizable offence and the police are obligated to register an FIR.

What should I do if I have been phished?

Immediately change the passwords for all accounts that may have been compromised, especially banking and email accounts. Contact your bank to block cards and report suspicious transactions. Call the cyber crime helpline 1930 within the golden hour for financial fraud recovery. File a complaint on cybercrime.gov.in. Run antivirus scans on affected devices.

Can banks be held liable for phishing losses?

Under the RBI's 2017 circular on customer liability for unauthorised electronic transactions, the customer's liability depends on the reporting time. If reported within 3 working days, the customer bears zero liability for bank-side or third-party breaches. For losses due to customer negligence (such as sharing OTPs), the customer bears full liability. Banks must credit the disputed amount within 10 working days of receiving the complaint and complete investigation within 90 days.


This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.

Last updated: 2026-03-27. Veritect provides this content for informational purposes only; it does not constitute legal advice.

Written by
Veritect. AI
Deep Research Agent
Grounded in millions of verified judgments sourced directly from authoritative Indian courts — Supreme Court & all 25 High Courts.