Rupin Sharma, IPS
I have tried to simplify things but an element of complexity has also remained. That was essential so that we can understand things better.
The ambit of cyber-crimes can range from the simple theft of information or documents on a floppy disk, CD, pen drive or even a larger external hard disk to large-scale, complicated and sophisticated crimes like bringing down and disrupting power grids or nuclear power plants. The complexity and sophistication of cyber-crimes is sometimes beyond the comprehension or imagination of ordinary citizens.
Let me briefly divide the crimes based on who can be potential targets:
- Individuals as targets
- Businesses as targets
- Governments as targets
- Social/social values as targets
- Crimes against Public Order
On the other hand, cyber-crimes can also be broadly categorized on the basis of types of attacks:
- Physical Access to commit cyber-crimes
- Remote Access to commit crimes
- Denial of Computer Systems/ Networks
Another classification could be based on the outcomes of cyber-crimes:
- Theft of hardware
- Damage or Sabotage or vandalism
- Theft of software/codes/source codes etc
- Denial of Access to services
- Denial to particular services/websites etc
- Denial to large scale networks
- Incidents causing direct monetary loss
- Incidents indirectly causing monetary damage
These categorizations are neither exhaustive nor complete. Since cyber-crime is an evolving field, variations will always remain. Different experts also categorize cyber-crimes differently.
Given the way IT networks are built, disruptions due to human errors or accidents are not uncommon. However, those disruptions are not what we are concerned about. They may be caused by natural disasters like heavy rains, landslides, storms or snow, or by human activities like digging of earth where cables may be laid, whether for pipelines, electricity lines or construction of roads or bridges. Electricity outages in developing countries can be a major cause of disruption of global or localized internet connectivity. These may qualify as crimes, e.g., mischief and damage to property, but unless such disruption is intentional vandalism or sabotage, these would not be called cyber-crimes.
THEFT VS SOCIAL ENGINEERING:
The traditional connotations and definition of theft as per the Indian Penal Code (IPC) would also ipso facto apply to all cyber-crimes. Therefore, where a theft of any computer system or network or any part thereof takes place, the IPC would be applicable. It may be pertinent here to briefly look at and analyze the definition of theft:
Section 378 in the Indian Penal Code
378. Theft - Whoever, intending to take dishonestly any moveable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.
Explanation 1 - A thing so long as it is attached to the earth, not being movable property, is not the subject of theft; but it becomes capable of being the subject of theft as soon as it is severed from the earth.
Explanation 2 - A moving effected by the same act which effects the severance may be a theft.
Explanation 3 - A person is said to cause a thing to move by removing an obstacle which prevented it from moving or by separating it from any other thing, as well as by actually moving it.
Explanation 4 - A person, who by any means causes an animal to move, is said to move that animal, and to move everything which, in consequence of the motion so caused, is moved by that animal.
Explanation 5 - The consent mentioned in the definition may be express or implied, and may be given either by the person in possession, or by any person having for that purpose authority either express or implied.
This definition has the following essential ingredients for an act/ omission to be considered as a theft:
- The accused must have a dishonest intention to ‘take’ the property;
- The property must be movable;
- The property must be ‘taken out’ of the possession of another person, resulting in wrongful gain by one and wrongful loss to another;
- The property must be ‘moved’ in order to such taking i.e., obtaining property by deception;
- The taking must be without that person’s consent – express or implied.
If this basic definition of theft is to be applicable to cyber-crimes, it is immaterial whether the property is physical or corporeal (that which can be touched) or incorporeal (that which cannot be touched). While the former would imply computers, pen drives, CDs, hard disks, mobiles etc., the latter would cover software, passwords, OTPs etc.
When the above conditions are met, then besides the dishonest act being a ‘cyber-crime’, sections of IPC would also apply.
Similarly, if someone is working in an organization or business or for a person and is ‘entrusted with property’, and he CONVERTS that property to his own use and causes wrongful loss to the person or organization, the IPC sections pertaining to Criminal Misappropriation and Criminal Breach of Trust may be applicable besides cheating.
In all these circumstances, it is IRRELEVANT whether the property is corporeal or incorporeal, and sections of the IT Act may also be applicable, usually together.
While cheating and trickery are its closest cousins, the concept of social engineering has massive implications in the world of cyber-crimes and information security.
- Social Engineering is the psychological manipulation of people into performing actions or divulging confidential information
- It is a type of confidence trick for the purpose of information gathering, fraud or system access in the cyber world
- It is any act that influences a person to take an action that may or may not be in their best interests
A large proportion of cyber-crime is rooted in social engineering. The attacker manipulates his victim (person or organization or employer or banker or government etc.) to cause harm or loss, which, at the time of the manipulation taking place, the victim has no idea about.
While greed is one of the basic instincts exploited by the criminal, besides lust or pornography, there are other human attributes which make us vulnerable. Robert Cialdini propounded his ‘theory of influence’, where he lists six principles of human attributes which make us vulnerable to social engineering attacks:
- Reciprocity
- Commitment and consistency
- Social proof
- Authority
- Liking and
- Scarcity
While details of these attributes are beyond the scope of this series, let me briefly introduce these because any of these attributes or their combination would be definitely exploited by an attacker:
- Reciprocity – It is human nature to ‘return favours’. Therefore, tricksters would typically offer a reward in return for help/ assistance to them;
- Commitment and Consistency – Making a commitment or promise pushes people to honour their words, actions or commitments and behave in a consistent, predictable manner. Tricksters abuse these habits by seeking commitments, rescinding their own part but extracting consistent behaviour from victims;
- Social Proof – This is more commonly known as CONFORMITY, i.e., people are entrapped into doing things which they see others doing. Thus, there is a tendency to behave like the others or like a majority;
- Authority – Humans tend to obey and follow instructions or orders from ‘authority figures’ or ‘influencers’ or ‘powerful people’. Thus, if an unknown caller tells someone that his boss wants something done, the chances of compliance are greater;
- Liking – People are likely to be persuaded by those whom they like; conversely, they may end up doing just the opposite of what is said by an enemy or adversary;
- Scarcity – if a situation of perceived scarcity is created, it is easier to extract certain behaviour e.g., ‘limited period offers’ or ‘limited stocks’ sales or offers on internet or ‘first come first serve’ offers are examples.
All these tactics essentially exploit human frailties and vulnerabilities, the chief among which is GREED or AVARICE. Most of the cyber-crimes triggered by social engineering exploit our greed. Some, however, also exploit our CARELESSNESS. In fact, most are a clever combination, preying on our greed and carelessness.
Therefore, we need to be careful about people trying to manipulate us to defraud us. Being cautious, careful, alive to the risks and up to date is the best insurance against social media frauds, besides avoiding greed and gullibility.