Phishing is a form of impersonation in which a website or message poses as a legitimate source in order to harvest personal information; "brand spoofing" and "carding" are older terms for the same practice. The act has two stages: first the impersonation of a trusted identity, then the collection of confidential information from the victim. For that reason it is also described as a "two-fold swindle" or a "cybercrime double play". With the growing use of the internet and online transactions, the number of phishing victims and the resulting losses have risen sharply, and the COVID-19 pandemic, which pushed far more daily activity online, amplified the trend. One widely cited estimate puts the total cost of cybercrime at $10.25 trillion a year by 2025.
Even where laws prove to be imperfect deterrents, having them is necessary. It is better to recognise an act as a crime and punish those who commit it than to ignore it because it is hard to regulate. Legislation can work in two ways: it can deter phishing before it occurs, and it can prosecute and penalise phishing that has already taken place.
The United States of America — Federal legislation such as the CAN-SPAM Act of 2003, the US SAFE WEB Act of 2006 and the I-SPY Prevention Act of 2007 has been enacted or proposed, but there is no federal statute that specifically penalises phishing. In 2005 the Anti-Phishing Act of 2005 was introduced by Senator Leahy; it was never enacted. The bill would have made phishing emails and websites illegal regardless of whether the recipient or visitor suffered any loss. Introducing it, Senator Leahy said: "The Act safeguards the integrity of the Internet in two ways. For starters, it makes the bait illegal. It makes it criminal to send out a faked email that contains links to bogus websites with the aim to commit a crime. Second, it makes phony websites, which are the genuine crime scene, illegal." Although the federal bill never passed, many individual states have enacted their own anti-phishing legislation.
India's legislative response resembles that of Australia and the United States. India is currently one of the most frequently targeted countries for phishing. While no statute is aimed specifically at phishing, existing laws cover the conduct involved. In NASSCOM v. Ajay Sood (2005), the Delhi High Court recognised the conduct in question as phishing; the court observed that, although there is no statute against "phishing" as such, the laws on misrepresentation and passing off can be used to combat it. The Information Technology Act, 2000 was amended in 2008 to add provisions on identity theft and cheating by personation, but the amendment still makes no mention of "phishing". Phishing-related conduct is therefore prosecuted under the IT Act, 2000 and the Indian Penal Code, while the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules) regulate corporate bodies that handle personal data. It should also be noted that the Reserve Bank of India regulates payment gateways and payment aggregators.
To conclude, companies that fall victim to phishing are seriously affected. They lose data, and they also suffer monetary loss, lost productivity, lost customers and theft of intellectual property; most importantly, their reputation and company value are severely damaged. A company that falls victim is also held responsible: an organisation can face heavy fines for mishandling customers' data. The 2014 breach of Sony Pictures, for example, cost the company millions of dollars. The leaked data included personal information about Sony Pictures employees, emails between employees, details of executive salaries, copies of then-unreleased Sony films, plans for future films and scripts for certain films.