Legal Implications of Cyber Impersonation and Data Misuse under Indian Laws (Part II)


Introduction
In the digital age, where most of our personal and professional lives are entwined with online platforms, the risk of cybercrime has increased significantly. A recent example from our last blog post, involving a student named Ravi, highlights a growing concern: cyber impersonation. Ravi unknowingly submitted his personal information to a fake website that closely resembled the official portal of a government educational institution. This led to unauthorized use of his data and a barrage of unsolicited marketing calls. Incidents like these are not just deceptive; they are illegal under Indian law.
Let us explore the legal landscape that governs such digital misconduct.
Understanding Domain Impersonation
Domain impersonation (or domain spoofing), a type of cyber impersonation, is a cyberattack method in which fake websites are created to closely resemble legitimate ones, tricking users into sharing sensitive information such as passwords, financial details, or personal data.
For example, if the legitimate website is “interintender.com”, attackers might use:
Misspellings (e.g., inderintender.com, interindenter.com)
Character substitutions (e.g., Interintender.com, int€rintender.com)
Adding or removing characters (e.g., interintend.com, interintenderr.com)
Homoglyphs (e.g., interintender.com with "r", interintender.com with "i")
Alternative TLDs (e.g., interintender.net, interintender.org)
Subdomain spoofing (e.g., blog.interintender-official.com, interintender.officialwebsite.com)
Victims are taken to the fake domain through phishing emails, malicious links, or ads that often offer services or urgent requests. Once users interact with the site (by logging in, filling out forms, or making transactions), the attackers collect sensitive data such as credentials, financial information, or personal details. This information could then be used for identity theft, financial fraud or further cyberattacks.
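The variations listed above can be checked for mechanically by the institution that owns the real domain, for example when reviewing newly reported or newly registered look-alike names. The following Python sketch is an added example, not part of the original post: it classifies a candidate domain against the page's sample domain "interintender.com". The confusables map, the edit-distance threshold of 2, and the function names are assumptions made for illustration.

```python
import unicodedata

LEGIT = "interintender.com"  # the page's example of a legitimate domain

# Constructed, deliberately tiny look-alike map; a real deployment would use
# the full Unicode confusables data (UTS #39).
CONFUSABLES = {"\u0456": "i", "\u0435": "e", "\u043e": "o", "\u20ac": "e"}

def skeleton(label):
    """Strip accents and map known look-alike characters to ASCII letters."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in text)

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """Naive split; assumes two or more decoded (non-punycode) labels, one-label TLD."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[:-2], labels[-2], labels[-1]

def classify(candidate, legit=LEGIT):
    """Name the impersonation technique a candidate domain matches, if any."""
    _, legit_name, legit_tld = split_domain(legit)
    subs, name, tld = split_domain(candidate)
    folded = skeleton(name)
    if name == legit_name:
        return "legitimate" if tld == legit_tld else "alternative-tld"
    if folded == legit_name:
        return "homoglyph-or-substitution"
    if edit_distance(folded, legit_name) <= 2:
        return "misspelling-or-added-removed-char"
    if legit_name in folded or any(legit_name in skeleton(s) for s in subs):
        return "brand-in-subdomain-or-label"
    return "no-match"

if __name__ == "__main__":
    for d in ("inderintender.com", "int\u20acrintender.com", "interintender.net"):
        print(d, "->", classify(d))
```

A short threshold such as 2 will also flag unrelated names when the legitimate name itself is short, so matches are leads for review rather than verdicts.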
Relevant Legal Provisions Under Indian Laws
The following legal provisions may offer recourse or apply in the context of your situation.
Fundamental Right to Privacy
The Right to Privacy is a fundamental right under Article 21 of the Indian Constitution, as affirmed by the Supreme Court in the landmark Justice K.S. Puttaswamy (Retd.) vs. Union of India judgment (2017). This ruling recognized that every individual has the right to make autonomous decisions regarding personal matters, including the right to exercise control over their personal information. Misuse or unauthorized sharing of personal data—such as phone numbers or email addresses obtained without informed consent—directly violates this right. Any entity or platform that collects and uses personal information under false pretenses not only undermines public trust but also violates the constitutionally guaranteed right to privacy.
Information Technology Act, 2000
Section 43A deals with a company’s liability to pay compensation for failing to protect data while possessing or handling sensitive personal information in a computer resource. According to this section, the company should maintain reasonable security practices and procedures to protect the data and avoid any negligence. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 define sensitive personal data or information of a person as:
“such personal information which consists of information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”
Section 66C of the Act deals with punishment for identity theft and punishes anyone who fraudulently or dishonestly makes use of your electronic signature, password or any other unique identification feature. The punishment is imprisonment of up to 3 years and a fine which may extend to 1 lakh rupees.
Section 66D deals with punishment for cheating by personation using a computer resource. The punishment is imprisonment for a term which may extend to 3 years and a fine of up to one lakh rupees.
Section 72A deals with the punishment for disclosure of information in breach of a lawful contract. As per the section, if any person (including an intermediary) gets access to your personal information while providing a service (as part of a legal agreement), they are not allowed to share it with anyone else without your consent. If they do share it without your permission, and it causes harm or unfair benefit to someone, they can be punished with up to three years in jail, a fine of up to 5 lakh rupees, or both.
Indian Penal Code (IPC)
Cheating: Section 415 of the IPC identifies dishonest concealment of facts as cheating, and Section 416 defines cheating by personation as when someone pretends or represents to be another person. According to Section 417, cheating is punished with imprisonment for a term of up to one year, or with a fine, or with both.
Forgery: According to Section 463, forgery happens when someone creates a false document or electronic record with the intent to deceive or cause harm, or to make someone enter into a contract, part with property, or act on false information. Section 468 deals with forgery for the purpose of cheating, where someone creates a fake document or fake electronic record to cheat someone. The punishment for this can be up to 7 years in jail and a fine.
Consumer Protection Act, 2019
As per Section 2(42) of the Act, a “service” includes any kind of service (including providing news or any kind of information) that is available to potential users. This excludes services that are fully free or are provided under personal service contracts.
Deficiency in service: There is "deficiency" in service as per section 2(11) when there is any inadequacy in the performance of a service, including when the service provider does any act that causes loss or injury (any harm whatever illegally caused to any person, in body, mind or property: Sec. 2(23)) to the consumer or when there is deliberate withholding of relevant information by the service provider to the consumer.
Unfair trade practice: When a dishonest, misleading, or deceptive trade practice is used to sell a service, it is defined as an unfair trade practice under Section 2(47) of the Act. This includes any kind of false or misleading statement made to the public pretending that the business is officially linked with a brand or organization when it is not, or convincing people they need a product or service when they actually do not. Section 2(47)(ix) explicitly states that disclosing someone’s private data without their consent is an unfair trade practice.
Digital Personal Data Protection Act, 2023 (DPDP Act)
This recent law regulates the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such data for lawful purposes. It mandates that consent must be freely given, specific, informed, and unambiguous. Organizations collecting data must implement reasonable security safeguards to prevent data breaches and unauthorized use. Violation of this Act can lead to significant penalties and is overseen by the Data Protection Board of India. Currently, the Ministry of Electronics and Information Technology has drafted the Digital Personal Data Protection Rules, 2025 to facilitate the implementation of the Act.
What Can You Do If You Are a Victim?
If you find yourself in a situation like Ravi’s, you can:
Preserve Evidence
- Take screenshots of the fake website, emails, or messages.
- Save call logs and SMS records.
Notify the Impersonated Institution
- Inform the real organization that its brand identity has been misused so they can issue warnings.
File a Cyber Crime Complaint
- Visit the official National Cyber Crime Reporting Portal.
- You may report the incident under the category of "Online Financial Fraud" or "Online Cyber Harassment."
Approach Local Police or Cyber Cell
- File an FIR for violation of your legal rights.
Raise Awareness
- Share your experience to help others avoid similar traps. Educating peers is part of responsible digital citizenship.
Conclusion
Online impersonation and data misuse are not minor glitches in the system; they are serious cyber offenses with profound legal consequences. With increasing digital activity in India, it is crucial for users to stay vigilant, understand the technology and be aware of their legal rights. Legal frameworks in India are equipped to tackle such crimes, but public awareness and prompt action are key to enforcing them effectively.
Stay safe. Stay informed.
Read articles from Amal P directly inside your inbox. Subscribe to the newsletter, and don't miss out.
