What is phishing? How is it regulated in our law system? Thank you.
ANSWER SUMMARY
Phishing is a cybercrime in which a person disguises himself as a legitimate organization and contacts the victim/target via e-mail, phone, or text message, asking them to provide sensitive data such as personal identity information, banking and credit card details, and passwords.
The information is then used to access critical accounts which can result in identity theft and financial loss.
What are the common methods used by the perpetrators? Then, what are the articles that can criminalize the perpetrators according to Indonesian laws and regulations?
Please read the review below for a further explanation.
The article below is the second update of the article entitled Phishing, first written by Si Pokrol and published on Wednesday, 1 February 2006, and was first updated on 17 May 2021.
Definition of Phishing
What is phishing? According to the phishing.org article entitled What is phishing?, phishing is a cybercrime in which a person disguises himself as a legitimate institution and contacts the victim or target via email, phone, or text message, in order to get them to provide sensitive data such as personal identity information, banking and credit card details, and passwords.
Once the victim or target provides the requested information, it is then used to access critical accounts which can result in identity theft and financial loss.
The term phishing comes from the word fishing. Like fishing, phishing is a crime that works by using bait. A well-targeted bait is the critical success factor for phishing. The presence of a phishing account is the key, as it resembles an official account.
In this regard, the bait used is usually false information that is made to look like the real thing. It is usually sent as if it is from an authorized party, such as a system administrator, bank employee, or government employee. The content of the information can vary, but it is usually an invitation to update the targeted account information.
This method, often known as email phishing, is the most commonly used mode. The perpetrator will send a fake e-mail, in which he acts as an officer or website admin of a banking company. The content of the email is usually about notifying customers about certain matters that are important, urgent, and require a quick response.
In the e-mail, a phishing link is sent. A phishing link is a link used by the perpetrator to lead the victim to a special web page that has been prepared by the perpetrator.
Web Forgery
Web forgery or web phishing is a website that is intentionally designed to deceive its visitors. The appearance on the website is made to look like the original. Then, the victim is led to enter his identity in a form that has been prepared by the perpetrator.
After the victim enters his user id and password, the data will be stored in the website's database. This stored data is what the perpetrator is targeting to misuse for his interests.
Phone Phishing
The perpetrator will call the victim on behalf of certain parties, such as law enforcement, important users, audit consultants, and so on. Then, he will ask or request certain things, such as asking for the victim's user id and account password, asking for an OTP (One Time Password) code to access the victim's cellphone, or asking the victim to transfer a certain amount of money to an account number designated by the perpetrator.
Phishing via SMS
The perpetrator sends an SMS stating that the victim has won a lottery with a relatively large amount of money. To be able to collect the prize, the victim is asked to confirm by providing the user id and internet banking password to the perpetrator.
Phishing through Conversation Applications (Chat Phishing)
The perpetrator sets up an automated program on a popular chat application, for example one that pretends to be online customer service and makes it appear that the web display has been disconnected. After that, the perpetrator will ask the victim to log in again by entering the user id and password on the link sent.
The perpetrator is known to have conducted phishing by sending a copy website that resembles the original website to the victim's e-mail with the aim of obtaining user data, such as e-mail, password, and the victim's identity, including the victim's address (p. 3).
After obtaining the victim's credit card data, the defendant then sold the phished credit card through a Facebook account (p. 4).
For these acts, the defendant was found legally and convincingly guilty of violating Article 32 section (2) jo. Article 48 section (2) Law Number 11/2008 or EIT Law with a prison sentence of 1 year and 2 months and a fine of IDR 20 million (p. 17).
Criminal Penalty
According to our research, there is no legislation that specifically regulates phishing. However, perpetrators can be charged with provisions under the Criminal Code as well as the EIT Law and its amendments as in the case above.
In addition, it is important to know that phishers can be charged with several criminal offenses, such as fraud, manipulation, breaching, and moving or transferring.
There are several articles that can potentially criminalize phishers, namely:
Fraud
Fraud is regulated in Article 378 Criminal Code, which reads as follows:
Any person who with intent to unlawfully benefit himself or another, either by assuming a false name or a false capacity, or by crafty artifices, or by a web of fictions, induces someone to deliver any property or to negotiate a loan or to annul a debt, shall, being guilty of fraud, be punished by a maximum imprisonment of four years.
Manipulation
A perpetrator who sends electronic mail (e-mail) made to appear genuine can be charged with Article 35 jo. Article 51 EIT Law, as follows:
Any Person who intentionally and illegally or unlawfully manipulates, creates, alters, omits, or damages Electronic Information and/or Electronic Document so that said Electronic Information and/or Electronic Document is considered as if the data were authentic, will be subject to imprisonment for a maximum of 12 (twelve) years and/or a maximum fine of IDR 12,000,000,000.00 (twelve billion rupiahs).
Breaching
If the perpetrator breaks into a certain electronic system, using the victim's identity and password without right, he can be charged with Article 30 section (3) jo. Article 46 section (3) EIT Law, as follows:
Any Person who intentionally and illegally or unlawfully accesses a Computer and/or Electronic System in any way by violating, breaching, bypassing, or breaking through the security system, will be subject to imprisonment for a maximum of 8 (eight) years and/or a maximum fine of IDR 800,000,000.00 (eight hundred million rupiahs).
Moving or Transferring
For the act of moving or transferring information and/or electronic documents belonging to the victim, such as account contents, phishers can be charged with Article 32 section (2) jo. Article 48 section (2) EIT Law, which reads:
Any Person who intentionally and illegally or unlawfully in any way moves or transfers Electronic Information and/or Electronic Document to the Electronic System of an unauthorized person, will be subject to imprisonment for a maximum of 9 (nine) years and/or a maximum fine of IDR 3,000,000,000.00 (three billion rupiahs).
These are the answers we can provide; we hope you will find them useful.