Email Related Crimes – Akhil Bhartiya Cyber Suraksha Sangathan (Regd.)

✉️ EMAIL RELATED CRIMES — OVERVIEW

Email remains the single most exploited channel for cyber crime in India and worldwide. Cybercriminals use email to deliver phishing attacks, spread malware, carry out financial fraud, extort victims, conduct corporate espionage and harass individuals. Every day, billions of fraudulent emails are sent globally — and millions of Indians receive them. A single click on a malicious email attachment or link can result in complete loss of bank savings, data theft, ransomware infection or identity fraud. Email crimes range from simple spam scams to sophisticated Business Email Compromise (BEC) attacks costing crores of rupees. Awareness, vigilance and prompt reporting are the only effective defences. Email-related crimes are serious criminal offences under the IT Act 2000 and Bharatiya Nyaya Sanhita 2023.

3.4 Bn

Phishing Emails Sent Daily Worldwide

$2.9 Bn

Lost to BEC Fraud Globally (2023)

94%

Malware Delivered via Email Attachments

1930

National Cyber Helpline 24×7

⚠️ How Email Crimes Are Carried Out

Sending fake emails impersonating banks, government agencies or known contacts
Attaching malware, ransomware or keyloggers in email attachments (PDF, Word, Excel)
Embedding malicious links that redirect to fake login pages to harvest credentials
Spoofing sender email addresses to appear legitimate and bypass suspicion
Sending bulk threatening or abusive emails to harass or intimidate victims
Business Email Compromise — impersonating CEOs or vendors to authorise fraud transfers
Email bombing — flooding inbox with thousands of emails to disrupt operations
Sending fake invoices with altered bank account details to divert payments

✅ How to Protect Yourself from Email Crimes

Always verify the sender's full email address — not just the display name
Never click links or download attachments from unknown or suspicious senders
Enable spam filters and multi-factor authentication (MFA) on your email account
Verify payment instructions from vendors or executives via direct phone call
Use email security gateways with anti-phishing and sandboxing capabilities
Check for HTTPS before entering credentials on any page linked from an email
Never share OTP, password or banking details in response to any email request
Report suspicious emails to your IT department or email provider immediately

🔍 Types of Email Related Crimes

🎣

Email Phishing

The most common email crime — attackers send mass emails disguised as messages from banks, IRCTC, income tax department, TRAI or popular services. The email contains a malicious link to a fake login page designed to steal your username, password and OTP. Spear phishing targets specific individuals with personalised content for higher success rates.

🎭

Email Spoofing

Attackers forge the "From" field of an email to make it appear as if sent from a trusted sender — your bank, a government agency, your boss or a known contact. The actual sending domain is different from what is displayed. Spoofed emails are used to deliver phishing links, malware or fraudulent payment instructions.

🏢

Business Email Compromise (BEC)

A sophisticated fraud where attackers hack or spoof a senior executive's or vendor's email to instruct employees or finance teams to transfer funds to a fraudulent account. BEC attacks cause billions in losses globally. Indian companies have lost crores through fake "CEO instructions" or "vendor bank account change" emails.

🦠

Malware / Ransomware via Email Attachments

Cybercriminals send emails with infected attachments — disguised as invoices, job offers, delivery notifications, court notices or government orders. When opened, the attachment installs malware, ransomware, keyloggers or remote access trojans (RATs) on the victim's device — often without any visible symptoms until damage is done.

💸

Advance Fee Fraud (419 Scam / Nigerian Scam)

Victim receives an email claiming they have won a lottery, inherited money from a deceased relative abroad, or been selected for a lucrative business deal. The fraudster asks for a small "advance fee" to release a large sum of money. Once paid, the scammer disappears or demands more fees with new excuses — the promised money never arrives.

💣

Email Bombing

The attacker floods the victim's email inbox with thousands or millions of emails in a very short time — crashing the email server, making the account inaccessible and hiding important transaction alerts or OTPs among the flood. Email bombing is used as a cyber harassment tool and to conceal fraudulent banking transactions from the victim.

😰

Sextortion Email Scam

Victim receives an email claiming the attacker has hacked their device camera and recorded them watching adult content. The email threatens to send the video to all contacts unless cryptocurrency is paid within a deadline. In most cases it is a bluff — attackers use real passwords sourced from old data breaches as "proof." These are fabricated extortion attempts. Do NOT pay.

👔

Fake Job Offer Email Fraud

Fraudsters send professional-looking job offer emails impersonating HR departments of reputed companies — offering high-paying jobs with immediate joining. Once the victim shows interest, they are asked to pay registration fees, training fees, medical tests or background verification charges — all going directly to the fraudster.

📄

Fake Invoice & Payment Diversion Fraud

Attackers intercept or spoof email communication between businesses and their vendors. They send fake invoices with altered bank account numbers, requesting payment to the fraudster's account instead of the legitimate vendor. By the time the fraud is discovered, the money has been transferred and withdrawn through multiple accounts.

⚠️

Email Harassment & Threatening Emails

Sending repeated threatening, abusive, defamatory or obscene emails to harass, intimidate or cause distress — including anonymous threatening messages, hate emails, and emails containing morphed images or private information used for blackmail or coercion against individuals.

🚩 RED FLAGS — HOW TO IDENTIFY A FRAUDULENT EMAIL

🔴

Sender's Email Address Does Not Match the Organisation

Display name says "SBI Bank" but actual email is sbibank@gmail.com or sbi-alert@bank-india.xyz — a clear sign of spoofing. Always check the full email address, not just the displayed name.

🔴

Urgency and Pressure Tactics

"Your account will be blocked in 24 hours", "Immediate action required", "Last warning before legal action" — legitimate organisations never use panic-inducing language to force immediate action without verification.

🔴

Generic Greeting — Not Addressed to You by Name

Emails starting with "Dear Customer", "Dear User" or "Dear Account Holder" instead of your actual name are usually mass phishing emails — not personalised communications from your bank or service provider.

🔴

Suspicious Links — URL Does Not Match Official Domain

Hover over links before clicking — if the URL shows something like www.sbi-secure-login.net instead of the official sbi.co.in, do not click. Fraudsters register similar-looking domain names to deceive victims.

🔴

Requesting Sensitive Information via Email

No legitimate bank, government agency or company will ever ask for your OTP, password, CVV, Aadhaar number or full bank details via email. Any email requesting this is a fraud attempt — delete immediately.

🔴

Poor Grammar, Spelling Errors and Unprofessional Formatting

Many fraudulent emails contain obvious spelling mistakes, grammatical errors, inconsistent fonts or poorly formatted layouts that genuine organisations would never use in their official communications.

🔴

Unexpected Attachments

An email with an unexpected attachment — especially .exe, .zip, .doc, .pdf or .xlsm files — even from a known sender could be malware. Attackers frequently compromise real email accounts and send infected files to the victim's entire contact list.

🔴

Too Good to Be True Offers

Emails offering lottery winnings, huge job salaries, free iPhone giveaways, government cash schemes or unclaimed inheritances from foreign relatives are almost always scams designed to extract fees or personal information.

📧 EXAMPLE — HOW A PHISHING EMAIL LOOKS (SAMPLE)

From: alerts@sbi-secure-banking.net ⚠️ NOT official SBI domain

To: you@youremail.com

Subject: URGENT: Your SBI Account Has Been Temporarily Suspended — Verify Now

Dear Valued Customer,

We have detected suspicious activity on your SBI account. To prevent permanent suspension, you must verify your account immediately by clicking the link below.

👉 Click Here to Verify: http://sbi-secure-alert.xyz/verify

Failure to verify within 24 hours will result in permanent account closure and legal action.

Regards,
SBI Customer Care Team
State Bank of India

⚠️ Red Flag 1: Sender domain is "sbi-secure-banking.net" — NOT the official sbi.co.in

⚠️ Red Flag 2: Creates panic with "24 hour" deadline and threat of "legal action"

⚠️ Red Flag 3: Generic greeting "Dear Valued Customer" — your actual name is not used

⚠️ Red Flag 4: Link URL is "sbi-secure-alert.xyz" — completely fake domain, not SBI's official website

✅ What to Do: Do NOT click the link. Delete the email. Report to SBI at report.phishing@sbi.co.in and to cybercrime.gov.in

🚨 If You Have Received or Fallen Victim to an Email Crime

Do NOT click any links, download attachments or respond to suspicious emails
If you clicked a link — immediately change passwords of all important accounts from a different device
If you paid money — call your bank immediately on the official helpline to freeze the transaction
Call National Cyber Helpline 1930 immediately for financial email fraud
File complaint at cybercrime.gov.in — select "Online Financial Fraud" or "Cyber Harassment"
Forward the phishing email to your bank's official phishing report email as an attachment
Report phishing to Google (Gmail) by clicking "Report Phishing" or to Microsoft via "Report" option
Take screenshots of the fraudulent email — including sender address, subject and full body — as evidence
File FIR at your nearest Cyber Crime Cell — bring printed copies and screenshots of the email
Run a full antivirus scan on all devices that received or opened the suspicious email

📰 REAL EMAIL FRAUD CASES — INDIA

2023 — Delhi — BEC Fraud

Company Loses ₹2.4 Crore in Fake CEO Email Instruction

A Delhi-based export firm lost ₹2.4 crore after fraudsters hacked the CEO's email account and sent instructions to the finance department to transfer funds to a "new foreign client account." The finance team, believing the instruction genuine, processed the transfer without phone verification. By the time the fraud was discovered, the funds had been routed through multiple accounts across different countries.

2022 — Mumbai — Phishing Email

Senior Citizen Loses ₹18 Lakh via Fake SBI Email

A 67-year-old Mumbai resident received an email claiming his SBI account would be deactivated unless he verified his details immediately. The link in the email led to a near-identical fake SBI website. He entered his net banking credentials, debit card number and OTP — which were instantly used to drain ₹18 lakh from his account. The fraudsters had registered the fake domain just 3 days before the attack.

2023 — Bengaluru — Sextortion Email

IT Professional Pays ₹3 Lakh After Fake Hacking Threat Email

A Bengaluru IT professional received an email claiming the sender had hacked his laptop camera and recorded him. The email contained his correct password (obtained from a data breach) as "proof." Panicking, he paid ₹3 lakh in Bitcoin before consulting police. Investigators confirmed it was a mass-sent sextortion scam — no recording existed. The password was from an old breach available on the dark web.

2024 — Punjab — Fake Income Tax Email

Businessman Defrauded of ₹85 Lakh via Fake Government Email

A Punjab businessman received an official-looking email from what appeared to be the Income Tax Department, stating he had an unclaimed refund of ₹1.2 crore. To process the refund, he was asked to pay ₹85 lakh as "processing charges" and "TDS clearance" in multiple instalments. The sender's domain was "incometax-refund.org" — not the official incometaxindia.gov.in — which the victim did not verify.

⚖️ APPLICABLE LAWS

IT Act Sec 66 IT Act Sec 66C IT Act Sec 66D IT Act Sec 67 IT Act Sec 72 BNS Sec 318 BNS Sec 319 BNS Sec 308 BNS Sec 351 BNS Sec 356

IT Act Section 66: Computer-related offences via email — including hacking email accounts, sending malware through attachments — punishable with imprisonment up to 3 years or fine up to ₹5 lakh or both.

IT Act Section 66C: Identity theft via email — using another person's email identity or credentials without consent — imprisonment up to 3 years and fine up to ₹1 lakh. Covers email spoofing and account takeovers.

IT Act Section 66D: Cheating by personation using electronic communication — directly applicable to phishing emails, fake bank alerts and BEC attacks. Imprisonment up to 3 years and fine up to ₹1 lakh.

IT Act Section 67: Sending obscene or offensive content via email — imprisonment up to 3 years and fine up to ₹5 lakh (first offence); up to 5 years and ₹10 lakh for subsequent offences. Covers obscene harassment emails and sextortion emails.

IT Act Section 72: Breach of confidentiality — disclosing private information obtained through email access without consent — imprisonment up to 2 years or fine up to ₹1 lakh. Covers insider email data leaks.

BNS Section 318 (Cheating): Email fraud resulting in financial loss — fake lottery emails, advance fee scams, fake invoice fraud — imprisonment up to 7 years and fine. Covers all email-based financial deception.

BNS Section 319 (Cheating by Impersonation): Impersonating a bank, government agency or known person via email — imprisonment up to 5 years and fine. Directly applicable to BEC attacks and phishing emails.

BNS Section 308 (Extortion): Sextortion emails and blackmail emails demanding money — imprisonment up to 3–10 years and fine. Do not pay — report to police immediately.

BNS Section 351 (Criminal Intimidation): Sending threatening emails to cause fear of injury to person, reputation or property — imprisonment up to 2–7 years and fine depending on severity.

BNS Section 356 (Defamation): Sending defamatory emails making false imputations about a person to damage their reputation — imprisonment up to 2 years or fine or both.

📝 Report This Crime

📝 Report Email Crime to ABCSS

Akhil Bhartiya Cyber Suraksha Sangathan (Regd.)

Regd. with Registrar of Society of NCT Delhi-Regd. No-287

Cyber Criminals se Suraksha, Digital India ki Raksha

अखिल भारतीय साइबर सुरक्षा संगठन (पंजी)

भारत की पहली साइबर क्राइम इन्वेस्टीगेशन एन जी ओ

ऑनलाइन रहें सतर्क, साइबर अपराध से रहें सुरक्षित

Cyber Links

Important Links