5.1 Case Study: Corporate Phishing Attack
This case study walks you through a sophisticated phishing attack on a corporate entity — from initial client contact through FIR registration, investigation support, and eventual prosecution. Follow along and learn the practitioner's approach.
The CFO Impersonation Attack
Facts
ABC Pharmaceuticals Ltd. (Mumbai) receives an email appearing to be from their CFO instructing the accounts team to urgently transfer ₹2.5 crores to a "new vendor" for "time-sensitive equipment." The email address was "cfo@abc-pharma.co" (note the hyphen) instead of the legitimate "cfo@abcpharma.co". The accounts manager, under pressure, processed the transfer. The money was distributed across 12 accounts in Jharkhand and West Bengal within hours.
Initial Client Meeting — What to Ask
- Timeline: Exact date/time of email receipt, when transfer was made, when fraud discovered
- Email Headers: Request full email with headers (not just screenshot)
- Banking Details: Beneficiary account numbers, bank names, IFSC codes
- Internal Actions: What has the company already done? (Critical for evidence preservation)
- IT Infrastructure: Email provider, any security logs, authentication records
- Employee Statements: Who received/processed the email, any witnesses
Immediate Actions (First 24 Hours)
- Call 1930 immediately — Report to National Cyber Crime Helpline for potential fund freeze
- Bank complaint — Written complaint to company's bank requesting recall of funds
- Preserve evidence — Screenshot emails, export with headers, preserve server logs
- Internal memo — Instruct IT to preserve all relevant logs (do NOT investigate internally yet)
- Draft FIR complaint — Prepare detailed complaint for police filing
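As an added illustration (not part of the original course material), the Python sketch below shows what a full export with headers gives the examiner that a screenshot cannot: a hash of the untouched file, the sending path, and a check of the sender domain against the real one. Only the two domains come from the case facts; the sample message, its hosts, IP addresses, date and authentication results are constructed, and the 0.85 similarity threshold is an assumption.

```python
import difflib
import hashlib
from email import message_from_bytes, policy
from email.utils import parseaddr

LEGIT_DOMAIN = "abcpharma.co"  # the company's real domain, from the case facts
# Constructed sample export: hosts, IPs, date and auth results are invented.
RAW_EML = (
    b"Return-Path: <bounce@mailer.example>\r\n"
    b"Received: from mx.abcpharma.co (mx.abcpharma.co [192.0.2.10])\r\n"
    b"\tby inbox.abcpharma.co; Mon, 03 Mar 2025 10:14:09 +0530\r\n"
    b"Received: from mailer.example (mailer.example [203.0.113.7])\r\n"
    b"\tby mx.abcpharma.co; Mon, 03 Mar 2025 10:14:05 +0530\r\n"
    b"Authentication-Results: mx.abcpharma.co; spf=pass\r\n"
    b"\tsmtp.mailfrom=mailer.example; dkim=none; dmarc=none\r\n"
    b'From: "CFO" <cfo@abc-pharma.co>\r\n'
    b"To: accounts@abcpharma.co\r\n"
    b"Subject: Urgent vendor payment\r\n\r\n"
    b"Please transfer today.\r\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def is_lookalike(candidate, legit=LEGIT_DOMAIN, threshold=0.85):
    """True if candidate is not the real domain but is spelled almost like it."""
    ratio = difflib.SequenceMatcher(None, candidate, legit).ratio()
    return candidate != legit and ratio >= threshold

def one_line(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(value or "").split())

def triage(raw):
    """Hash the untouched export, then pull out the headers an examiner reads."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # record at acquisition
        "from_domain": domain_of(msg["From"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "lookalike": is_lookalike(domain_of(msg["From"])),
        # Each server prepends its Received line, so reverse for oldest first.
        "hops": [one_line(h) for h in reversed(msg.get_all("Received", []))],
        "auth_results": one_line(msg["Authentication-Results"]),
    }

if __name__ == "__main__":
    print(triage(RAW_EML))
```

Recomputing the SHA-256 on the same file before it is produced in court, and getting the same value, is what answers the "hash values verified?" question raised in cross-examination.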
Applicable Provisions
| Offence | Provision | Punishment |
|---|---|---|
| Cheating by personation using computer | S.66D IT Act | 3 years + ₹1 lakh |
| Identity theft | S.66C IT Act | 3 years + ₹1 lakh |
| Cheating | S.318 BNS | 7 years + fine |
| Forgery (fake email domain) | S.336 BNS | 2 years / 7 years |
| Criminal conspiracy | S.61 BNS | Same as substantive offence |
Forum Selection Analysis
Options: Mumbai (victim company HQ), Jharkhand/West Bengal (where the money went), or wherever the accused is traced.
Recommendation: File a Zero FIR at the Mumbai Cyber Cell (BKC). Mumbai has well-equipped cyber infrastructure and is close to the client for coordination, and jurisdiction is proper as the "effects" occurred in Mumbai. If the investigation reveals that the accused is in Jharkhand, the case can be transferred or a parallel investigation coordinated.
5.2 Case Study: Data Breach Response
Data breaches require rapid, coordinated legal response across multiple fronts — criminal law, regulatory compliance (DPDPA), contractual obligations, and reputation management. This case study demonstrates the multi-track approach.
E-Commerce Platform Data Breach
Facts
ShopEasy (a mid-size e-commerce platform with 2 million users) discovers that their customer database has been compromised. A threat actor accessed customer names, emails, phone numbers, addresses, and partial payment card data. The breach was discovered when a security researcher notified them that data was being sold on the dark web.
Track 1: Criminal Law Response
- Register FIR at Cyber Cell — S.43 (damage to computer system), S.66 (hacking)
- Preserve server logs, access records, vulnerability assessment reports
- Engage a forensic expert for S.63 BSA-compliant evidence collection
- Prepare S.63(4) BSA certificate for all electronic evidence
- Coordinate with CERT-In if critical information infrastructure is affected
Track 2: DPDPA Compliance (Regulatory)
Under DPDPA 2023, failure to notify breach can result in penalties up to ₹200 crores. Even if unsure about breach scope, err on the side of notification. Late notification is better than no notification, but timely notification is best.
5.3 Defence Practice: Bail in Cyber Cases
Securing bail in cyber cases requires understanding both general bail jurisprudence and cyber-specific considerations. This section provides a framework for bail applications across different cyber offences.
Bail Classification in Cyber Offences
| Offence | Provision | Max Punishment | Bail Type |
|---|---|---|---|
| Hacking (S.66) | IT Act | 3 years | Bailable |
| Identity Theft (S.66C) | IT Act | 3 years | Bailable |
| Cheating by Personation (S.66D) | IT Act | 3 years | Bailable |
| Cyber Terrorism (S.66F) | IT Act | Life | Non-Bailable |
| Obscenity (S.67) | IT Act | 3/5 years | Bailable / Non-Bailable |
| CSAM (S.67B) | IT Act + POCSO | 5/7 years + POCSO | Non-Bailable |
| Cheating (S.318 BNS) | BNS | 7 years | Non-Bailable |
- No flight risk: Accused has deep roots, family, employment in jurisdiction
- No tampering risk: All electronic evidence already seized/mirrored; accused cannot tamper with what's in police custody
- Bailable offence: Most IT Act offences (S.66, 66C, 66D, 67) are bailable — bail is a matter of right
- Long incarceration: If the trial is unlikely to complete soon, bail should be granted
5.4 Frequently Asked Questions
These FAQs address common questions that arise in cyber law practice. Use these as ready references when advising clients or preparing for court.
Can police refuse to register FIR citing "not our jurisdiction" for cyber crimes?
No. Under BNSS Section 173, police must register a Zero FIR at any police station. They cannot refuse citing territorial jurisdiction. The FIR must be transferred to the appropriate jurisdiction within 15 days.
Is Section 66A still being used for FIRs? What should I do?
Section 66A was struck down by the Supreme Court in Shreya Singhal v. Union of India (2015). Any FIR citing S.66A is a nullity and should be immediately challenged via a quashing petition under Section 528 BNSS.
What is the "golden hour" for cyber fraud reporting?
The "golden hour" refers to the critical first few hours after a financial cyber fraud when funds can potentially be frozen before being withdrawn. Reporting to 1930 helpline or cybercrime.gov.in within 1-2 hours significantly increases recovery chances.
Do I need a Section 65B/63 certificate for WhatsApp screenshots?
Yes. Per Anvar P.V. v. P.K. Basheer (2014), electronic evidence requires a Section 65B (now Section 63 BSA) certificate for admissibility. The only exception is if you produce the original device before the court.
How long does MLAT/LR process take for US-based evidence?
MLAT requests to the USA typically take 12-18 months. For faster alternatives: (a) Direct Law Enforcement Requests to platforms (2-4 weeks); (b) Emergency Disclosure Requests for imminent threats (24-48 hours); (c) Preservation requests (immediate, valid 90 days).
5.5 Courtroom Strategies & Ethics
Effective cyber law practice requires not just legal knowledge but strategic courtroom skills. This section provides practical tips for arguing cyber cases.
Cross-Examination of Technical Witnesses
- Verify qualifications — are they certified forensic examiners? (CFCE, EnCE, etc.)
- Challenge chain of custody — was device sealed? Hash values verified?
- Question methodology — which forensic tool used? Is it court-accepted?
- IP attribution — does IP address conclusively identify the person (not just device)?
- Alternative explanations — malware, unauthorized access, shared network?
- Section 63 BSA compliance — is certificate proper? Who signed it?
Common Defence Strategies
| Strategy | When to Use | Key Arguments |
|---|---|---|
| Identity Challenge | IP-based attribution cases | IP identifies device/connection, not person; shared networks; VPN/proxy |
| Authorization Defence | Hacking charges (S.66) | Accused had legitimate access; exceeded authorization vs. no authorization |
| Evidence Exclusion | Improperly collected evidence | No S.63 certificate; chain of custody broken; illegal search |
| Constitutional Challenge | Speech/expression cases | S.66A (struck down); Art.19(1)(a) protection; Puttaswamy privacy |
"The cyber lawyer stands at the intersection of technology and justice. Our duty is not merely to win cases, but to ensure that the digital rights of individuals are protected while holding genuine wrongdoers accountable." Adv. (Dr.) Prashant Mali
🎯 Key Takeaways
- Golden Hour: Report financial fraud within 1-2 hours via 1930 for best recovery chances
- Evidence First: Preserve before investigating — forensic images, logs, emails with headers
- 72-Hour Rule: DPDPA requires breach notification to DPB within 72 hours
- Bail Strategy: Most IT Act offences are bailable; emphasize evidence already seized
- S.63 Certificate: Challenge missing/defective certificates — evidence becomes inadmissible
- Cross-Exam Focus: Chain of custody, hash values, IP ≠ person, alternative explanations
📝 Part 5 Assessment Quiz
Test your practical application skills in cyber law.
In the "golden hour" after financial fraud, the priority is to freeze funds before they're withdrawn. 1930 helpline can coordinate with banks to freeze recipient accounts.
Under DPDP Rules 2025, Data Fiduciaries must notify the Data Protection Board of personal data breaches within 72 hours of becoming aware.
Section 66 (hacking) is punishable with maximum 3 years imprisonment, making it a bailable offence.
Per Anvar P.V. v. P.K. Basheer, electronic evidence without Section 65B/63 certificate is inadmissible.
The strongest challenge is that IP identifies the device/connection, not the person. Multiple people may use the same network; devices may be compromised.
The 72-hour notification deadline under DPDPA starts from discovery. Waiting may cause missed deadlines and penalties up to ₹200 crores.
BEC fraud involves: S.66C (identity theft), S.66D (cheating by personation), S.318 BNS (cheating), and S.336 BNS (forgery). S.66A is struck down.
For bailable offences, bail is a matter of right. Once electronic evidence is seized and forensically imaged, the accused cannot tamper with it.
Per Shreya Singhal, S.79(3)(b) "actual knowledge" requires a court order — not mere user complaint.
Section 66A was struck down in Shreya Singhal (2015). File a quashing petition under S.528 BNSS immediately.
🎉 Congratulations! You've Completed Module 1
You have successfully completed all 5 parts of the Foundations of Cyber Law Practice module. Take the comprehensive module quiz to test your mastery and earn your certificate.