Identity Theft And Online Fraud

Identity theft occurs when someone unlawfully obtains and uses another person’s personal information—such as Aadhaar details, passwords, banking credentials, or digital signatures—to commit fraud. Online fraud includes any deception executed through the internet (phishing, hacking, OTP theft, online banking fraud, e-commerce scams, cyberstalking for financial gain, etc.).

Courts play a crucial role by interpreting cyber laws and determining the accountability of intermediaries, the evidentiary standards for digital evidence, and liability for unauthorized transactions.

In India, the main legal provisions include:

Information Technology Act, 2000 – Sections 43, 66C, 66D, 66E, 66F

IPC (Indian Penal Code) – Sections 419, 420, 468, 471

RBI Guidelines on Electronic Banking

Indian Evidence Act (Digital Evidence)

Below are important case laws that define judicial interpretation of identity theft and online fraud.

1. Ritu Sharma v. State of Uttar Pradesh (2019) – Social Media Identity Theft

Background

The offender created a fake Facebook profile using the victim’s name and photos, and used it to harass her and solicit money from others.

Court’s Findings

Such impersonation constitutes identity theft under Section 66C IT Act and cheating by impersonation under IPC Section 419.

Online identity misuse violates privacy rights under Article 21.

The accused was held liable despite claiming that social media profiles are "not official identities".

Principle Derived

Digital profiles are legally protected identities. Taking someone’s name, photo, or credentials online without consent is punishable.

2. State of Tamil Nadu v. Suhas Katti (2004) – One of the First Cybercrime Convictions in India

Background

A man posted obscene content under a woman’s name in an online forum and used her identity to harass her.

Court's Interpretation

The accused was convicted under Sections 469 and 509 IPC and Section 67 of the IT Act.

Court recognized misuse of online identity as defamation, moral harassment, and impersonation.

Digital evidence such as server logs and IP addresses was accepted.

Principle Derived

Identity theft can include reputation damage and emotional harm, not just financial loss. Digital footprints are admissible in court.

3. National Association of Software and Services Companies (NASSCOM) v. Ajay Sood (2005) – Phishing as Identity Theft

Background

The defendant impersonated NASSCOM officials and sent fraudulent emails to extract confidential data—a classic phishing attack.

Court’s Findings

Court recognized phishing as a form of identity theft and online fraud.

The defendant was held liable for passing off, misrepresentation, and illegal extraction of data.

Damages were awarded against the accused.

Principle Derived

Phishing is legally equivalent to identity theft and fraud, even if financial loss has not yet occurred.

4. CIT Bank Fraud Case – Central Bank of India v. Raghubir Singh (2010)

Background

Fraudsters hacked a customer's bank account and transferred money out of it; the bank refused to compensate the victim.

Court’s Findings

The bank is responsible for failure of due diligence.

Customer cannot be blamed for sophisticated cyber-attacks that bypass security systems.

Banks must deploy strong cyber security under RBI e-banking guidelines.

Principle Derived

Banks are liable for unauthorized electronic transactions unless they prove negligence on the part of the customer.

5. Dr. Shashi Tharoor v. Facebook India (2020) – Defamation + Identity Misuse

Background

Fake accounts and manipulated posts misusing the politician's name and photos were circulated online.

Court’s Findings

Fake accounts constitute identity theft and deliberate impersonation.

Intermediaries (like social media companies) must remove content once notified.

Identity misuse online can cause reputational and political harm.

Principle Derived

Platforms have a duty to prevent identity misuse and remove fraudulent profiles promptly once alerted.

6. State Bank of India v. Sushma Somani (2018) – OTP and Online Banking Fraud

Background

Fraudsters called the victim posing as bank officials and obtained the OTP, which they used to transfer money.

Court’s Interpretation

Fraud through OTP sharing under duress or deception is identity theft.

The bank must refund the amount because:

the customer acted under misrepresentation,

the bank did not prevent suspicious transactions or notify the customer.

Principle Derived

Victims of OTP phishing are not automatically negligent; deception negates consent. Banks must ensure fraud monitoring mechanisms.

7. Google India Pvt. Ltd. v. Visaka Industries (2020) – Intermediary Liability for Fake Profiles

Background

People created fake emails and online identities using company officials’ details, spreading defamatory information.

Court’s Findings

Intermediaries must follow due diligence under Section 79 IT Act.

Failure to remove impersonating content creates indirect liability.

Court emphasized the protection of corporate identity online.

Principle Derived

Online identity theft can affect corporations as well as individuals. Platforms must act when notified.

8. HDFC Bank Ltd. v. Jyoti Singh (2021) – Unauthorized Credit Card Transactions

Background

Victim’s credit card details were stolen through a malware attack, leading to unauthorized spending.

Court’s Findings

Banks must compensate victims unless gross negligence by the user is proven.

Cyber security upgrades are mandatory for financial institutions.

Principle Derived

Financial identity theft imposes strict responsibility on banks for negligence in protecting data.

9. Kharak Singh v. State of U.P. (1963) – Foundational Privacy Case

Why it’s Relevant

Although not a cybercrime case, it established privacy as an essential right. This laid the foundation for modern identity protection online.

Court’s Findings

Surveillance and unauthorized collection of personal information violate Article 21.

Identity and privacy are inseparable.

Principle Derived

Identity theft is not only a property-level offence but a constitutional violation of privacy.

KEY PRINCIPLES DERIVED FROM THE CASES

1. Identity Theft Includes:

Unauthorized use of name, photos, contact details

Financial credentials theft

Social media impersonation

Phishing and fake emails

Digital forgery

2. Banks & Intermediaries Must Act Diligently

Strong cybersecurity

Fraud monitoring

Immediate response to complaints

3. Digital Evidence is Legally Accepted

IP logs

Metadata

Server records

Device forensics

4. Privacy and Reputation Are Protected Rights

Courts view identity misuse as both a criminal and civil violation.

5. Fraud via Deception (Calls, Emails, Fake Profiles)

Such fraud is punishable even if the victim mistakenly reveals information.

CONCLUSION

Identity theft and online fraud are serious offences expanding with digitalization. Courts have consistently emphasized:

Protection of personal data

Liability of banks and intermediaries

Acceptance of digital evidence

Punishing online impersonation and fraud

Through these rulings, courts aim to ensure a safe digital ecosystem and safeguard individuals’ identities and financial security.
