Phishing and Cybersquatting

Phishing (brand spoofing) is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic


The purpose behind phishing is to get the user to divulge personal information, and to steal the user’s identity and passwords, rob bank accounts and consequently take over the computer.


The following factors might be helpful in recognizing phishing:

  1. Financial loss occurs;

  2. Data loss occurs;

  3. Introduction of virus/malware into the computer system occurs;

  4. Illegal use of the user’s details occurs.


The following safeguards are to be implemented against phishing:

  1. Use of anti-spam software;

  2. One should not click hyperlinks in e-mails from unknown/unverified sources;

  3. Use of firewalls;

  4. Use of phishing filters;

  5. Use of digital certificates should be emphasized;

  6. E-mail protocols should be secured;

  7. Reliability of the websites should be ensured;

  8. Use a Web browser with anti-phishing detection;

  9. Be aware of phishing phone calls;

  10. Be aware of links in the mail box.


Phishing fraud is essentially a cybercrime and attracts many penal provisions of the Information Technology Act, 2000, which was amended in 2008 to add some new provisions to deal with phishing activity. The following Sections of the Information Technology Act, 2000 are applicable to phishing activity:

Section 66: The account of the victim is compromised by the phisher which is not possible unless & until the fraudster fraudulently effects some changes by way of deletion or alteration of information/data electronically in the account of the victim residing in the bank server. Thus, this act is squarely covered and punishable u/s 66 IT Act.

Section 66A: The disguised email containing the fake link of the bank or organization is used to deceive or to mislead the recipient about the origin of such email and thus, it clearly attracts the provisions of Section 66A IT Act, 2000.

Section 66C: In the phishing email, the fraudster disguises himself as the real banker and uses the unique identifying feature of the bank or organization say Logo, trademark etc. and thus, clearly attracts the provision of Section 66C IT Act, 2000.

Section 66D: The fraudsters, through the use of the phishing email containing the link to the fake website of the bank or organization, personate the bank or financial institution to cheat innocent persons; thus the offence under Section 66D too is attracted.

The Information Technology Act, 2000 makes penal provisions under Chapter XI of the Act and, further, Section 81 of the IT Act, 2000 contains a non obstante clause, i.e. “the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force”. The said non obstante clause gives an overriding effect to the provisions of the IT Act over the other Acts, including the Indian Penal Code. The aforesaid penal provisions of the IT Act, 2000 which are attracted by the phishing scam have, however, been made bailable by virtue of Section 77B of the IT Act. This was intentional: there is always a conflict as to the correct or accurate identity of the person behind the alleged phishing scam, there is always a smokescreen as to whether a given person has or has not actually committed the offence via these online computer resources, and the penal provisions for cyber offences contained in the IT Act are open to possible misuse.



Cybersquatting is the practice of registering names, especially well-known company or brand names, as internet domains, in the hope of reselling them at a profit. It is the bad-faith registration and use of a domain name that would be considered confusingly similar to an existing trademark. Cybersquatting occurs when people buy domain names with the purpose of selling them on to trade mark owners for a profit.


The purpose behind cybersquatting is to profit from the well-merited goodwill of a corporation: stealing business characteristics or names to make instant money, and using the names of existing businesses with the intent to sell those names to the businesses for a profit.


The following factors might be helpful in recognizing cybersquatting:

  1. Checking where the domain name leads;

  2. Contacting the domain name registrant;

  3. Paying, if it makes sense.


The following safeguards are to be implemented against cybersquatting:

  1. One should have a registered trademark;

  2. The proper domain ownership should be recorded;

  3. Buying up the variations of the domain name;

  4. More than one extension should be registered;

  5. To fight back through arbitration.
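
Safeguards 3 and 4 above (buying up variations of the domain name and registering more than one extension) presuppose knowing which names are close to the mark. The sketch below is an added example, not part of the original page: it sorts observed domain registrations by how they resemble a protected label. The brand `examplebank`, the owned set, the look-alike table and the category names are all constructed for illustration.

```python
import unicodedata

# Constructed sample values (assumptions): the protected label and the domains already held.
BRAND = "examplebank"
OWNED = {"examplebank.com", "examplebank.in"}
# Illustrative look-alike substitutions; a real list would be longer.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(label):
    """Fold a label for comparison: strip accents and hyphens, map look-alikes."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c)).replace("-", "")
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, brand=BRAND, owned=OWNED):
    """Classify a registered domain (no subdomains assumed) against the brand."""
    domain = domain.lower().rstrip(".")
    if domain in owned:
        return "owned"
    label = domain.split(".", 1)[0]
    if label == brand:
        return "same-name-other-extension"
    folded, target = skeleton(label), skeleton(brand)
    if folded == target:
        return "lookalike"
    if edit_distance(folded, target) <= 1:
        return "typo"
    if target in folded:
        return "brand-plus-keyword"
    return "unrelated"

# Constructed observations, e.g. from a new-registration feed.
SEEN = ["examplebank.net", "examp1ebank.com", "example-bank.org",
        "exmaplebank.com", "examplebank-login.co", "weatherreport.com"]

if __name__ == "__main__":
    for d in SEEN:
        print(f"{d:24} {classify(d)}")
```

Anything other than `owned` or `unrelated` is a candidate for defensive registration or for a closer look at where the name leads.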


The cases of cybersquatting are dealt with under the Trade Marks Act, 1999.

In the case of Satyam Infoway Ltd v. Sifynet Solutions Private Limited, it was observed by the Hon’ble Supreme Court that:

“As far as India is concerned, there is no legislation which explicitly refers to dispute resolution in connection with domain names. But although the operation of the Trade Marks Act, 1999 itself is not extra-territorial and may not allow for adequate protection of domain names, this does not mean that domain names are not to be legally protected to the extent possible under the laws relating to passing off”.


  • Arbitration under ICANN’s (Internet Corporation for Assigned Names and Numbers) rules
  • Issuance of cease-and-desist letters to cyber squatters.


Disputes pertaining to domain name may be resolved under UDRP (on an international level) or INDRP (national level).

UDRP: Disputes such as cybersquatting that involve illegal/bad-faith registrations of domain names are resolved via the Uniform Domain Name Dispute Resolution Policy (UDRP) process established by ICANN. Under the UDRP guidelines on cybersquatting, at the time of registration of a domain name, the applicant agrees to submit to proceedings in case they are initiated under ICANN's UDRP.

A complaint may be brought by an individual/organization before the administrative dispute resolution service providers if:

  1. A domain name is identical or similar to the trademark in which the complainant has rights
  2. The owner of the domain has no direct or legitimate interest in the domain name
  3. The domain name has been registered and is being used illegally or in bad faith

INDRP: A case can be filed with the .in registry, handled by the National Internet Exchange of India (NIXI), which brings the matter to a fast-track dispute resolution process whereby decisions are transferred within 30 days of filing a complaint.

Though there is no legal compensation under the IT Act, the .in registry has taken proactive steps to grant compensation to victim companies to deter squatters from further stealing domains. Most squatters, however, operate under the guise of obscure names.

Under NIXI, the IN Registry functions as an autonomous body with primary responsibility for maintaining the .IN ccTLD (country code top-level domain) and ensuring its operational stability, reliability, and security.

- As on 1st July 2019