Cybersecurity Scams: A Comparative Legal Analysis of Indian and International Law

Abstract

As the digital landscape expands, cybersecurity scams have multiplied, threatening individuals, businesses, and national economies by exploiting weak security, stolen information, and social engineering. This article analyzes India’s legal response to cyber scams, compares it with key international frameworks, highlights practical gaps, and recommends reforms to strengthen cross-border cooperation and enforcement. Key takeaway: harmonize laws, build capacity, and run targeted public awareness campaigns to reduce the number of successful attacks. For guidance and reporting, see CERT-In advisories and national reports.

1. Introduction

The explosion of internet use over the last decade has coincided with a sharp increase in cyber scams. From phishing emails that trick people into revealing credentials to ransomware that locks corporate data and business email compromise that redirects payments, attackers exploit both technical flaws and human error. India—home to one of the world’s largest online populations—has seen cybercrime reports grow significantly (see NCRB and CERT-In data later). Because these scams cross borders, effective responses require stronger domestic law enforcement and faster international cooperation. This article examines how legal systems can better address evolving threats, and links to a short primer on phishing for readers seeking practical guidance.

2. Understanding Cybersecurity Scams

What Are Cybersecurity Scams?

Cybersecurity scams use deceptive digital methods to steal money, personal information, or system access. They rely on technical exploits and social engineering—fake emails, malicious links, fraudulent websites, spoofed phone calls and text messages—to trick people into revealing passwords, account numbers, credit card details, or other sensitive information. Common types include:

  • Phishing: Fraudulent emails, text messages, or websites that impersonate trusted organizations to harvest credentials or personal information. Example: a phishing email claiming to be from a bank that asks the recipient to click a link and enter account numbers and passwords.
  • Ransomware: Malicious software that encrypts files on computers or servers and demands money for decryption. Example: an employee opens a malicious attachment and an entire company network is locked until a ransom is paid.
  • Business Email Compromise (BEC): Targeted phishing that spoofs executives or vendors to request money transfers or change payment details. Example: an email that imitates a supplier asking the finance team to redirect a bank account for payment.
  • Crypto Frauds: Fake exchanges, fraudulent investment schemes, and wallet thefts that convert stolen funds into cryptocurrencies.
  • Tech Support / Vishing / Smishing: Scammers pose as IT support (phone calls or texts) to gain access or extort money. Example: a call claiming to be from IT support asking for remote-access permission to “fix” a computer.

Impact

India has witnessed a steady rise in these incidents: official records indicate a sharp increase in cybercrime reports over recent years (National Crime Records Bureau, 2023). Globally, reported losses from internet-enabled scams run into the billions (Federal Bureau of Investigation, 2023), but the true number is likely higher because many victims do not report incidents or cannot pursue cross-border recovery. If you receive a suspicious email, message, or call requesting passwords, bank account details, or credit card numbers, do not reply or click links—verify directly with the company and report the attempt to CERT-In and your bank.

3. The Indian Legal Framework

The Information Technology Act, 2000

India’s Information Technology Act, 2000 provides the statutory backbone for addressing digital offences and protecting information security. Key provisions frequently used in cyber scam investigations include:

  • Sections 43 & 66: Address unauthorized access, system hacking, and data theft; Section 66 emphasizes criminal liability when intent is proven. Remedies can include compensation for affected companies and affected accounts.
  • Sections 66C & 66D: Penalize identity theft and cheating by impersonation—provisions often invoked for phishing attacks that harvest identity or authentication credentials.
  • Section 66E & Section 67: Protect digital privacy and prohibit illegal dissemination of intimate or obscene content—relevant in cyber extortion and doxxing incidents.
  • Section 69: Grants authorities powers for interception, monitoring, and decryption in the interest of security or investigation—used in complex investigations to trace scammers across systems.
  • Section 70B: Designates CERT-In as the national nodal agency for cyber incident response, coordinating technical information sharing and advisories (Ministry of Law and Justice, 2000).

Indian Penal Code, 1860

The Indian Penal Code complements the IT Act for traditional offences that underpin many cyber scams:

  • Section 420: Addresses cheating and wrongful gain by deception—commonly applied where money or bank accounts are obtained through fraudulent messages or emails.
  • Sections 463–471: Cover forgery, including falsified digital documents or invoices used to deceive companies and divert money.

Recent Developments

The Digital Personal Data Protection Act, 2023 introduces stronger obligations for companies handling personal information, including security safeguards and breach reporting requirements—measures that reduce large-scale vectors for scams by incentivizing better data protection practices (Ministry of Electronics and Information Technology, 2023).

Enforcement and Challenges

Despite this legal framework, enforcement faces practical hurdles: low public awareness leads to underreporting; many local police units lack forensic capacity to trace scams or recover money; and cross-border jurisdictional complexity slows evidence sharing. Remedies in practice can include criminal prosecution, restraint and confiscation of criminal proceeds, and civil claims for compensation—however, outcomes often depend on international cooperation and technical tracing of bank accounts and digital footprints.

4. International Legal Frameworks

The Budapest Convention on Cybercrime

The Budapest Convention (Council of Europe, 2001) is the most widely used treaty aimed at harmonizing definitions, offences, and procedural tools for cybercrime. It helps align national laws so investigators can more easily collect evidence from websites, follow digital traces, and pursue cross-border prosecutions. Typical strengths include:

  • Alignment of national definitions and procedural powers that speed evidence gathering for electronic attacks and phishing-related crimes.
  • Mechanisms to support cross-border collaboration, including expedited preservation of evidence and mutual assistance between participating countries.

Limitations: several major countries—India (which cites sovereignty and data-localization concerns), China, and Russia—are not signatories, reducing the treaty’s universality and complicating cooperation when scammers operate from nonparticipating states (Council of Europe, 2023).

United Nations and Regional Norms

The United Nations Office on Drugs and Crime (UNODC) promotes legal harmonization and best practices for investigating cyber-enabled crimes, encouraging member states to improve laws and share information for tracking transnational offenders (United Nations Office on Drugs and Crime, 2022). Regionally, instruments such as the EU’s NIS Directive set standards for companies and critical infrastructure to improve incident response and resilience, reinforcing security expectations for companies and websites handling sensitive data (European Union Agency for Cybersecurity, 2023).

Mutual Legal Assistance Treaties (MLATs)

MLATs and bilateral agreements remain important legal tools for exchanging evidence and freezing assets, but their formal procedures are often slow relative to the pace of digital scams. In practice, investigators increasingly call for “fast lanes” and operational protocols—streamlined information-sharing arrangements that can quickly preserve website logs, freeze bank transfers, and trace funds across borders (United Nations Office on Drugs and Crime, 2022).

Summary: international frameworks provide useful models and mechanisms to combat cross-border attacks and promote information sharing, but effectiveness depends on participation, political will, and practical arrangements that speed evidence exchange. If India remains cautious about formal accession to treaties, aligning domestic law and building operational fast lanes with partner countries would materially improve the ability to investigate and disrupt scams.

5. Comparative Analysis

Key takeaways: India has a broad domestic legal framework (IT Act, IPC, and recent data protection rules) but struggles to keep pace with new scam types and cross-border investigations. International norms—most notably the Budapest Convention and regional instruments—offer targeted procedural tools for fast evidence sharing and coordinated action, but their effectiveness depends on participation and operational arrangements. The table below summarizes the main contrasts and practical implications for investigators and companies.

| Feature | Indian Framework | International Norms |
|---|---|---|
| Legislation | IT Act, IPC, Digital Personal Data Protection Act (2023) | Budapest Convention, UN/Regional treaties and directives |
| Offence coverage | Broad coverage but less precise for emerging scam types (deepfakes, crypto-enabled fraud) | More frequently updated guidance and targeted procedural rules for new attacks |
| Enforcement | Central and state cyber cells with uneven technical capacity | Cross-border cooperation effective among signatories; relies on participation |
| Jurisdiction | Territorial and domestic rules; complex when victims, servers, and perpetrators are dispersed | Designed for cross-border cases but limited by nonparticipants and sovereignty concerns |
| Information sharing | Interpol requests, bilateral cooperation, CERT-In advisories | Streamlined channels for members; faster preservation of website logs and evidence |
| Effectiveness | Strength in domestic prosecution, hindered by bureaucratic redundancies when tracing funds or accounts | Strong among signatories; hampered by major nonparticipants |
| Participation | Not a formal Budapest Convention signatory (policy choice) | ~70 member countries; varies over time |

6. Case Studies

Pune Cosmos Bank, 2018

In 2018 attackers used coordinated malware to siphon funds from ATM networks that serviced Pune’s Cosmos Bank and other institutions across countries. The incident highlighted two practical problems: rapid movement of stolen money through bank accounts and crypto exchanges, and delays in cross-border evidence preservation and asset freezing. CERT-In’s reports (2019) note that fragmented international cooperation and procedural delays resulted in limited recovery of funds. Lessons learned: establish fast-lane evidence-preservation protocols with partner banking regulators, and improve real-time tracing of account numbers and transactions.

Global Ransomware Cases

High-profile breaches such as the Sony Pictures attack (2014) and successive global ransomware outbreaks demonstrate how perpetrators exploit cross-border infrastructure—using infected computers, command-and-control servers, and cryptocurrency to launder proceeds. These cases show that even well-resourced companies and governments can struggle to trace payments, freeze assets, or obtain timely logs from hosting providers and websites when investigations require multiple legal channels. Practical lessons include strengthening incident-response cooperation among companies, financial institutions, and law enforcement, and publishing clear reporting routes so victims can quickly report compromised bank accounts, credit card fraud, or phishing emails to mitigate losses.

7. Key Challenges

  • Attribution: Advanced anonymization (VPNs, cryptocurrency mixers, anonymizing networks) and use of third-party hosting make it difficult to trace scammers to a person or number; investigators often must piece together scattered logs from multiple companies and websites. Example: a phishing attack that routes through several countries before landing in a cash-out account, complicating identification of the perpetrator.
  • Jurisdiction: Attacks and scams routinely touch multiple countries—victims, servers, and bank accounts may be dispersed—creating legal conflicts and delays in collecting evidence or freezing assets.
  • Adapting law to technology: Legislatures are challenged to define and criminalize new scam types quickly enough—deepfakes, AI-generated social engineering, and crypto-enabled laundering require updated legal definitions and targeted enforcement tools.
  • Capacity: Many local law-enforcement units lack training, tools, and digital forensics to trace messages, phone calls, or compromised computers; building specialized cyber units and regular training is essential.

Mitigation steps (short-term): establish bilateral “fast lanes” for rapid preservation of logs and temporary freezing of suspicious transfers; create hotlines to report phishing emails, suspicious messages, or attempts targeting bank accounts. Long-term measures: invest in forensic labs, regular training for investigators, stronger requirements for companies to retain website and transaction logs, and legal updates that criminalize emerging scam techniques.

8. Recommendations

  • Modernize Indian Law (short-term & long-term): In the short term, issue targeted amendments or guided notifications clarifying how existing provisions apply to scams that use AI-generated content, deepfakes, or crypto payment rails. In the long term, expand the IT Act’s offence definitions to explicitly cover synthetic identity, automated social-engineering, and cryptocurrency laundering, and require companies to retain key logs for defined periods to aid traceability. Responsible parties: Ministry of Law & Justice, MeitY, and parliamentary committees.
  • International Engagement: Even if formal accession to the Budapest Convention is politically sensitive, India should align its procedural tools—preservation orders, expedited evidence requests, and standards for mutual legal assistance—with international best practices to ease cross-border investigations. Responsible parties: MEA, Ministry of Home Affairs, CERT-In.
  • Cooperation & fast lanes: Negotiate regional and bilateral “fast lanes” with trusted partners and financial regulators for rapid preservation of website logs, temporary freezing of suspicious transfers, and quick exchange of account numbers and transaction details. Create standard operating procedures for banks and payment platforms to act on verified requests. Responsible parties: RBI, financial intelligence units, CERT-In.
  • Capacity Building: Invest in digital forensics labs, expand forensic training for local police, and run regular tabletop exercises with companies to trace email trails, links, and payments. Encourage public–private partnerships so companies can share anonymized indicators of compromise and suspicious account numbers. Responsible parties: Ministry of Home Affairs, National Forensic Sciences University, CERT-In.
  • Public Awareness and practical CTAs: Run nationwide campaigns teaching strong passwords, multi-factor authentication, how to spot phishing emails and phishing attacks, and exactly how to report suspicious emails, text messages, or calls that request bank account or credit card details. Short-term CTA for readers: if you receive a phishing email or a suspicious call asking for passwords or account numbers, do not reply—contact your bank immediately and report the attempt to CERT-In.

9. Conclusion

Cyber scams highlight gaps in both traditional criminal law and modern regulatory approaches. Strengthening legal definitions, improving international and operational cooperation, building forensic capacity, and educating people and companies will reduce the number of successful scams and make it easier to recover money and hold scammers accountable. Practical steps—like using strong passwords, enabling multi-factor authentication, and promptly reporting a phishing email—help individuals protect their accounts and personal information now.

References

CERT-In. (2019). Annual Report 2018–2019. Ministry of Electronics and Information Technology, Government of India.

Council of Europe. (2001). Convention on Cybercrime (ETS No. 185). Budapest.

Council of Europe. (2023). Cybercrime – the Budapest Convention.

European Union Agency for Cybersecurity. (2023). EU Cybersecurity Initiatives.

Federal Bureau of Investigation. (2023). Internet Crime Report 2022.

Ministry of Electronics and Information Technology. (2023). The Digital Personal Data Protection Act, 2023. Government of India.

Ministry of Law and Justice. (2000). The Information Technology Act, 2000. Government of India.

National Crime Records Bureau. (2023). Crime in India 2022: Statistics. Ministry of Home Affairs, Government of India.

United Nations Office on Drugs and Crime. (2022). Comprehensive Study on Cybercrime. United Nations.