Chapter 02

Cyber Crime Categories


Cybercrime is not one thing — it is a family of offences that share a digital element. Understanding the categories helps the examiner know what evidence to look for and which laws apply in India.

2.1 What Makes a Crime "Cyber"

Not every crime involving a computer is the same kind of offence. Criminologists and courts use a three-way classification based on the computer's role:

  • Computer as target — the computer or network is what the criminal is attacking. Examples: hacking into a server, website defacement, deploying ransomware to encrypt a victim's files.
  • Computer as tool — the criminal uses a computer to commit a traditional offence more efficiently. Examples: online fraud, phishing, cyberstalking, child exploitation material.
  • Computer as incidental — a standard crime is committed, but the criminal's computer happens to hold evidence. Examples: a drug dealer's WhatsApp messages, a murder suspect's search history.

This distinction matters because the investigation strategy changes. When the computer is the target, the network logs and the compromised server are the primary evidence sources. When it is a tool, the examiner looks for communications, transaction records, and account activity. When it is incidental, the device is simply a container: the evidence is whatever the suspect stored, sent, or searched for, and the examiner's job is preservation and extraction rather than intrusion analysis.

Cybercrimes also divide into two broad harm categories:

  • Crimes against persons — harassment, identity theft, stalking, defamation, non-consensual image sharing
  • Crimes against property or systems — hacking, data theft, malware deployment, intellectual property theft

Indian legal framework. The primary statute is the Information Technology Act 2000 (amended significantly in 2008, often called IT Act 2000/2008). It creates specific offences and penalties for computer-related conduct. The Indian Penal Code (IPC) sections for cheating (§420), forgery (§463/465), and defamation (§499/500) continue to apply alongside the IT Act (for offences committed on or after 1 July 2024 the corresponding sections of the Bharatiya Nyaya Sanhita 2023 apply instead), because many cybercrimes are simultaneously traditional criminal offences committed through a digital medium.

IT Act 2000 (amended 2008)

India's primary legislation governing cybercrimes and electronic commerce. It defines offences ranging from hacking (§66) to identity theft (§66C), prescribes penalties, grants investigative powers (§69), and gives legal recognition to electronic records and digital signatures.

2.2 Financial Cybercrime

Financial cybercrime is the most common category by reported volume in India. The motive is always money; the methods exploit human trust, weak authentication, and vulnerable systems.

Phishing is the act of sending a fraudulent message — usually an email — that mimics a trusted entity (a bank, courier company, government agency) to trick the recipient into revealing credentials or installing malware. The attacker registers a look-alike domain (e.g. sbi-login.in instead of sbi.co.in), builds a near-identical fake website, and sends mass emails with a link to it.

Forensic evidence in a phishing case: email header analysis (the Received: header chain, SPF/DKIM/DMARC results in the Authentication-Results header, a From address that does not match the envelope Return-Path or Reply-To), the IP address of the sending mail server, domain registration records (WHOIS), the TLS certificate issuance date for the fake site (visible in Certificate Transparency logs), and server access logs showing which victims clicked. A caveat the examiner must keep in mind: only the Received headers added by the receiving organisation's own mail servers are trustworthy; anything below the first trusted hop was under the attacker's control and can be forged.
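The header checks listed above, carried out with the Python standard library on a constructed sample message (not a real phishing email and not code from the page): the Received chain is walked to the originating IP, the Authentication-Results line is parsed for SPF/DKIM/DMARC, the From, Return-Path and Reply-To domains are compared, and each HTML link's displayed URL is compared with its real href. The host names, addresses and the look-alike domain in the sample are assumed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message: the two hops and the Authentication-Results
# line are written the way the receiving MTA ("mx.example.org") would stamp them.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.example.org (Postfix) with ESMTP id 4ABC123
    for <customer@example.org>; Mon, 04 Mar 2024 09:15:02 +0530
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mail.example.net with ESMTPA; Mon, 04 Mar 2024 09:14:55 +0530
Authentication-Results: mx.example.org;
    spf=fail smtp.mailfrom=alerts@sbi-login.in;
    dkim=none;
    dmarc=fail header.from=sbi.co.in
Return-Path: <alerts@sbi-login.in>
From: "SBI Alerts" <alerts@sbi.co.in>
Reply-To: <support@sbi-login.in>
To: <customer@example.org>
Subject: Your account has been suspended
Content-Type: text/html

<p>Verify now: <a href="http://sbi-login.in/verify">https://www.sbi.co.in/verify</a></p>
"""


def _domain(addr):
    """Domain part of an address header value, lower-cased ('' if the header is absent)."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()


def received_chain(msg):
    """(host, ip) for every Received header, top (last hop) to bottom (origin).
    Only the hops stamped by the receiving organisation's own servers can be trusted."""
    chain = []
    for h in msg.get_all("Received", []):
        text = " ".join(str(h).split())           # unfold the header before matching
        m = re.search(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        if m:
            chain.append((m.group(1).strip("[]"), m.group(2)))
    return chain


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results header."""
    text = " ".join(str(msg.get("Authentication-Results", "")).split())
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}


def link_mismatches(html):
    """Links whose visible text is a URL on a different host than the real href."""
    out = []
    for href, label in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(href).hostname != urlparse(shown).hostname:
                out.append((shown, href))
    return out


def analyse(raw):
    """Run all four checks over a raw RFC 5322 message and collect the findings."""
    msg = message_from_string(raw, policy=policy.default)
    chain = received_chain(msg)
    auth = auth_results(msg)
    doms = {"from": _domain(msg["From"]),
            "return_path": _domain(msg["Return-Path"]),
            "reply_to": _domain(msg["Reply-To"])}
    findings = []
    for k in ("return_path", "reply_to"):
        if doms[k] and doms[k] != doms["from"]:
            findings.append(f"{k} domain {doms[k]} differs from From domain {doms['from']}")
    for k in ("spf", "dkim", "dmarc"):
        if auth.get(k, "missing") != "pass":
            findings.append(f"{k}={auth.get(k, 'missing')}")
    for shown, href in link_mismatches(msg.get_content()):
        findings.append(f"link text {shown} actually points to {href}")
    return {"origin_ip": chain[-1][1] if chain else None,
            "auth": auth, "domains": doms, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE)["findings"]:
        print("-", line)
```

The origin IP (the bottom-most Received hop) is what goes into the request to the hosting provider; the Authentication-Results verdicts and the Return-Path/Reply-To mismatch are what the examiner cites to show the From address was spoofed.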

Vishing (voice phishing) and smishing (SMS phishing) are variants where the attacker contacts victims by phone call or text message, often impersonating bank fraud departments.

Banking fraud — SIM swap. An attacker bribes or social-engineers a telecom employee into issuing a replacement SIM for the victim's mobile number, so the number now lives on a SIM the attacker holds. Once the attacker controls the phone number, they receive the OTPs (One-Time Passwords) the bank sends and drain the victim's account; the victim typically notices only because their own handset loses signal. Evidence: telecom subscriber records (including the KYC documents submitted for the replacement SIM), the SIM-change timestamp and the channel through which it was done, IMSI and IMEI before and after the swap, and bank transaction and OTP-delivery logs aligned on the same timeline.
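The timeline correlation an examiner does with those records, as an added example that is not part of the page: OTP-verified transactions are matched against the SIM-change event on the same number and annotated with the handset (IMEI) attached to the number just before and just after the swap. All records below are constructed (fictitious MSISDN, IMSI, IMEI and account values); the field names are assumptions about the shape of the operator's and bank's exports.

```python
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed records, not real subscriber data: the operator's SIM-change log,
# the IMEI history for the number, and the bank's transaction log with its OTP flag.
SIM_EVENTS = [
    {"msisdn": "919800000001", "time": "2024-03-04 14:02:10",
     "old_imsi": "404010000000001", "new_imsi": "404010000000777", "channel": "retail-store"},
]
DEVICE_LOG = [
    {"msisdn": "919800000001", "time": "2024-03-04 09:00:00", "imei": "356789000000001"},
    {"msisdn": "919800000001", "time": "2024-03-04 14:05:30", "imei": "358888000000999"},
]
TRANSACTIONS = [
    {"msisdn": "919800000001", "time": "2024-03-04 10:30:00", "amount": 1200,
     "otp_verified": True, "beneficiary": "known-merchant"},
    {"msisdn": "919800000001", "time": "2024-03-04 14:09:45", "amount": 49000,
     "otp_verified": True, "beneficiary": "NEW-9001"},
    {"msisdn": "919800000001", "time": "2024-03-04 14:21:03", "amount": 50000,
     "otp_verified": True, "beneficiary": "NEW-9001"},
    {"msisdn": "919800000001", "time": "2024-03-06 08:00:00", "amount": 300,
     "otp_verified": True, "beneficiary": "known-merchant"},
]


def correlate(sim_events, device_log, transactions, window=timedelta(hours=24)):
    """OTP-verified transactions that fall inside `window` after a SIM change on the
    same number, each annotated with the IMEI seen before and after the swap."""
    hits = []
    for ev in sim_events:
        t0 = _t(ev["time"])
        history = sorted((d for d in device_log if d["msisdn"] == ev["msisdn"]),
                         key=lambda d: _t(d["time"]))
        before = [d["imei"] for d in history if _t(d["time"]) < t0]
        after = [d["imei"] for d in history if _t(d["time"]) >= t0]
        for tx in transactions:
            t = _t(tx["time"])
            if tx["msisdn"] == ev["msisdn"] and tx["otp_verified"] and t0 <= t <= t0 + window:
                hits.append({
                    "time": tx["time"], "amount": tx["amount"], "beneficiary": tx["beneficiary"],
                    "minutes_after_swap": round((t - t0).total_seconds() / 60, 1),
                    "imei_before": before[-1] if before else None,   # victim's handset
                    "imei_after": after[0] if after else None,       # attacker's handset
                    "new_imsi": ev["new_imsi"], "swap_channel": ev["channel"],
                })
    return hits


def total_exposure(hits):
    """Sum of the amounts moved in the correlated transactions."""
    return sum(h["amount"] for h in hits)


if __name__ == "__main__":
    for h in correlate(SIM_EVENTS, DEVICE_LOG, TRANSACTIONS):
        print(h)
```

The two transfers minutes after the swap, to a beneficiary never seen before and authorised by OTPs delivered to a new IMEI, are the pattern that distinguishes a SIM-swap case from a disputed but genuine transaction. The post-swap IMEI is what the examiner then asks the operator to locate.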

Credit card skimming. A physical overlay device is placed over an ATM card slot to read the card's magnetic stripe data; a hidden camera or a keypad overlay records the PIN. With EMV chip cards the stolen track data can only be used where magnetic-stripe fallback is still accepted, which is why skimmed cards are often cashed out abroad or at older terminals. Evidence: ATM forensics including the skimmer device itself, camera footage, transaction logs, and card data recovered from the skimmer's memory.

Investment / Ponzi fraud via social media. Fraudulent schemes promoted through WhatsApp groups, Telegram channels, or Instagram DMs promising unrealistic returns. Evidence: chat exports, device extraction, payment gateway records.

[Figure: phishing attack flow. Attacker creates fake bank website → sends spoofed email with fake link → victim clicks link and enters credentials → attacker harvests credentials and drains account. Evidence: email headers · sending IP · WHOIS · server access logs · SPF/DKIM fail.]
Fig 2.1 Phishing attack flow — attacker creates fake bank site, sends spoofed email, victim enters credentials, attacker harvests and uses them.

2.3 Social Media Crimes

Social media platforms are both the scene of the crime and the primary evidence source. Most offences leave a digital trail across platform server logs, device extractions, and network captures.

Cyberbullying is the repeated use of digital communication to harass, humiliate, or threaten a person. It commonly occurs on Instagram, Twitter/X, WhatsApp, and gaming platforms. Evidence: screenshots with visible timestamps and usernames, IP address logs from the platform, device extraction showing sent messages, witness statements corroborating the timeline.

Online grooming describes the process by which a predator builds an emotional relationship with a minor online to gain their trust and eventually exploit them sexually. Platforms commonly exploited: Instagram DMs, WhatsApp, Snapchat, online gaming voice chats. Evidence: chat logs preserved from device extraction or platform legal request, call detail records, device IMEI, IP address mapping to the suspect.

Defamation — publishing false statements of fact that damage a person's reputation — is a criminal offence in India (IPC §499/500; BNS §356 for offences after 1 July 2024). Online defamation includes fake reviews, false social media posts, and morphed photographs. Evidence: URL of the offending post, a cached or archived copy (Wayback Machine or manual archiving with a hash and timestamp), the poster's IP address obtained from the platform via legal process, and server logs.

Account hacking and impersonation. An attacker gains unauthorised access to a victim's social media account (via credential stuffing, phishing, or SIM swap) and then uses it to post harmful content or defraud the victim's contacts. Evidence: login IP and geolocation logs from the platform, device fingerprint or user-agent mismatch, records of 2FA changes (recovery-code use, authenticator or phone number re-enrolment), and timestamps of anomalous account activity.

Fake news and deepfakes. Morphed images and AI-generated video (deepfake) depicting a person in a false or compromising situation. Evidence: EXIF metadata embedded in the original image file (camera model, GPS coordinates, timestamp), provenance trail comparing the morphed image with the original source, digital watermark analysis, AI detection tools.

EXIF Metadata

Exchangeable Image File Format metadata — a block of structured data embedded inside image files (JPEG, TIFF) by the camera or phone that took the photo. EXIF can contain GPS coordinates, device make and model, timestamp, exposure settings, and the editing software that last saved the file. It is a primary forensic artefact for geolocating a suspect or showing that an image was manipulated. Two caveats: EXIF is plain data that an editor can strip or rewrite at will, so its contents are an indicator rather than proof; and most social media platforms remove EXIF on upload, so the examiner needs the original file from the device or from the platform's legal-request process, not a downloaded copy.
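A minimal EXIF reader, added here as an example and not taken from the page: it walks the JPEG marker segments to the APP1/Exif segment, honours the byte order declared in the TIFF header, and decodes the ASCII tags of IFD0 (Make, Model, Software, DateTime), which is where the tell-tale "Software" value lives. GPS tags use rational values and a sub-IFD and are not decoded here. Because the example must run without a real photograph, it also builds a constructed test JPEG with no image data; the tag values in the test fixture are made up.

```python
import struct

# IFD0 tag numbers from the TIFF 6.0 / EXIF specifications
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
        0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer"}
EDITORS = ("photoshop", "gimp", "lightroom", "snapseed", "picsart", "facetune")


def build_exif_jpeg(fields):
    """Build a minimal JPEG (SOI, APP1/Exif segment, EOI) whose IFD0 carries the given
    ASCII tags {tag_number: text}. Constructed test fixture: it contains no image data."""
    entries = sorted(fields.items())
    n = len(entries)
    data_off = 8 + 2 + 12 * n + 4               # first byte after the IFD, where long values go
    ifd, blob = struct.pack("<H", n), b""
    for tag, text in entries:
        val = text.encode("ascii") + b"\x00"    # ASCII type (2) is NUL-terminated
        if len(val) <= 4:                       # short values live inside the 4-byte field
            ifd += struct.pack("<HHI4s", tag, 2, len(val), val.ljust(4, b"\x00"))
        else:                                   # longer ones are stored after the IFD
            ifd += struct.pack("<HHII", tag, 2, len(val), data_off + len(blob))
            blob += val
    ifd += struct.pack("<I", 0)                 # no next IFD
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk the JPEG marker segments, locate APP1/Exif and return IFD0's ASCII tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI or start of scan: no more metadata
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(body[6:])
        pos += 2 + seglen
    return {}


def _parse_ifd0(t):
    end = {b"II": "<", b"MM": ">"}[t[:2]]       # byte order declared by the TIFF header
    magic, ifd_off = struct.unpack(end + "HI", t[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    count = struct.unpack(end + "H", t[ifd_off:ifd_off + 2])[0]
    out = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack(end + "HHI", t[e:e + 8])
        raw = t[e + 8:e + 12]
        if typ != 2:                            # only ASCII tags are decoded here
            continue
        val = raw[:n] if n <= 4 else t[struct.unpack(end + "I", raw)[0]:][:n]
        out[TAGS.get(tag, hex(tag))] = val.rstrip(b"\x00").decode("ascii", "replace")
    return out


def manipulation_indicators(meta):
    """First-pass flags only; absent or clean EXIF proves nothing by itself."""
    if not meta:
        return ["no EXIF present (stripped by an editor, or by the platform on upload)"]
    flags = []
    if any(e in meta.get("Software", "").lower() for e in EDITORS):
        flags.append(f"Software tag names an editor: {meta['Software']}")
    if "Make" not in meta or "Model" not in meta:
        flags.append("camera Make/Model absent")
    return flags


if __name__ == "__main__":
    sample = build_exif_jpeg({0x010F: "Canon", 0x0110: "Canon EOS 5D",
                              0x0131: "Adobe Photoshop 24.0", 0x0132: "2024:03:01 10:00:00"})
    meta = parse_exif(sample)
    print(meta, manipulation_indicators(meta))
```

On a real file the same `parse_exif` call works on the bytes read from disk; in practice the examiner records the raw tag values in the report and compares them with a reference photo from the same handset rather than relying on a keyword list.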

2.4 Network-based Crimes

Network-based crimes attack or exploit the infrastructure that connects computers. The examiner's evidence comes from traffic captures, firewall logs, and server records rather than from the victim's endpoint alone.

Packet sniffing / eavesdropping. An attacker on the same physical or logical network segment as the victim captures the traffic passing through that segment with tools like Wireshark or tcpdump. On an old-style hub every station already sees every frame; on a switched network the attacker must first use ARP poisoning (sending forged ARP replies that map the gateway's or the victim's IP address to the attacker's MAC address) so that traffic is redirected through the attacker's machine and they become a man-in-the-middle. If traffic is unencrypted (plain HTTP, FTP, Telnet, SMTP without STARTTLS), credentials and data are fully readable; with TLS the attacker still sees endpoints, timing, volumes and the requested hostname (SNI), but not the content. Evidence: PCAP (packet capture) files, switch MAC/ARP tables and Dynamic ARP Inspection (DAI) logs, host ARP caches showing one IP mapped to two different MACs over time, and kernel or syslog entries recording an interface entering promiscuous mode.
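How the ARP-poisoning indicator is pulled out of a capture, as an added example rather than code from the page: a tiny libpcap-format reader decodes the Ethernet/ARP frames and flags any IP address whose ARP replies arrive from more than one MAC address, plus replies whose ARP sender MAC disagrees with the Ethernet source MAC. The capture it analyses is constructed in memory (the MAC and IP addresses are made up) so the block runs without a network; the same `detect_arp_poisoning` accepts the bytes of a real `.pcap` written by tcpdump.

```python
import socket
import struct
from collections import defaultdict


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def arp_frame(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Ethernet II frame carrying an ARP packet (RFC 826). oper 1 = request, 2 = reply."""
    eth = _mac(eth_dst) + _mac(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      _mac(sha), socket.inet_aton(spa), _mac(tha), socket.inet_aton(tpa))
    return eth + arp


def build_pcap(frames):
    """Classic libpcap file: magic a1b2c3d4, version 2.4, link type 1 (Ethernet).
    frames = [(ts_sec, frame_bytes)]."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, fr in frames:
        out += struct.pack("<IIII", ts, 0, len(fr), len(fr)) + fr
    return out


def iter_arp(pcap):
    """Yield the ARP packets in a pcap byte string as dicts."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"   # file written big-endian reads back swapped
    pos = 24
    while pos + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        fr = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(fr) < 42 or fr[12:14] != b"\x08\x06":   # not ARP
            continue
        oper, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", fr[20:42])
        yield {"ts": ts, "oper": oper, "eth_src": _mac_str(fr[6:12]), "sha": _mac_str(sha),
               "spa": socket.inet_ntoa(spa), "tpa": socket.inet_ntoa(tpa)}


def detect_arp_poisoning(pcap):
    """Return (alerts, owners): alerts for an IP claimed by a second MAC or for an
    Ethernet/ARP sender mismatch; owners maps each IP to every MAC that claimed it."""
    owners = defaultdict(set)
    alerts = []
    for p in iter_arp(pcap):
        if p["oper"] != 2:                       # only replies assert ownership
            continue
        if p["sha"] != p["eth_src"]:
            alerts.append((p["ts"], "eth/arp mac mismatch", p["spa"], p["eth_src"], p["sha"]))
        if owners[p["spa"]] and p["sha"] not in owners[p["spa"]]:
            alerts.append((p["ts"], "ip claimed by new mac", p["spa"],
                           sorted(owners[p["spa"]])[0], p["sha"]))
        owners[p["spa"]].add(p["sha"])
    return alerts, {ip: sorted(m) for ip, m in owners.items()}


# Constructed capture: normal request/reply pairs, then the attacker poisoning both sides.
GW, CLIENT, ATTACKER = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE_PCAP = build_pcap([
    (100, arp_frame(CLIENT, BCAST, 1, CLIENT, "10.0.0.10", ZERO, "10.0.0.1")),
    (100, arp_frame(GW, CLIENT, 2, GW, "10.0.0.1", CLIENT, "10.0.0.10")),
    (101, arp_frame(GW, BCAST, 1, GW, "10.0.0.1", ZERO, "10.0.0.10")),
    (101, arp_frame(CLIENT, GW, 2, CLIENT, "10.0.0.10", GW, "10.0.0.1")),
    (130, arp_frame(ATTACKER, CLIENT, 2, ATTACKER, "10.0.0.1", CLIENT, "10.0.0.10")),
    (130, arp_frame(ATTACKER, GW, 2, ATTACKER, "10.0.0.10", GW, "10.0.0.1")),
    (132, arp_frame(ATTACKER, CLIENT, 2, ATTACKER, "10.0.0.1", CLIENT, "10.0.0.10")),
])

if __name__ == "__main__":
    alerts, owners = detect_arp_poisoning(SAMPLE_PCAP)
    for a in alerts:
        print(a)
    print(owners)
```

The first alert fires at the moment the attacker's MAC starts answering for the gateway's address; the timestamp and the MAC in that alert are what the examiner matches against the switch's MAC table to find the physical port, and hence the machine, that sent the forged replies.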

IP spoofing. An attacker forges the source IP address in outgoing packets to impersonate another host, bypass IP-based access controls, or hide their identity. Replies go to the forged address, not to the attacker, so a TCP three-way handshake cannot complete; IP spoofing is therefore mainly used in flooding attacks, in reflection and amplification attacks (where the victim's address is forged as the source of DNS or NTP queries so that the large replies land on the victim), and to plant false attribution evidence. Evidence: TTL values (a spoofed packet often arrives with a different initial TTL or hop count than genuine packets from the claimed source), router NetFlow data, and asymmetric routing patterns.

Denial of Service (DoS) / Distributed DoS (DDoS). A DoS attack floods a server or network link with traffic until it becomes unavailable to legitimate users. In a DDoS, the flood comes from many sources simultaneously — typically a botnet of thousands of compromised machines controlled by the attacker. Evidence: firewall logs showing traffic volume spike, NetFlow records identifying source IP ranges, ISP upstream traffic analysis, botnet C2 (command-and-control) server identification.
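One flow-level analysis serving both of the preceding paragraphs (the TTL consistency check for IP spoofing and the volume-spike check for DoS/DDoS), added here as an example and not taken from the page. It works on constructed NetFlow-style records (second, src, dst, dport, packets, ttl) in which a few known clients form the baseline and a flood with forged sources follows; the IP addresses and the assumption that a flow record carries the observed TTL are illustrative. The inferred initial TTL (32/64/128/255) and hop count of a known source are compared with its pre-attack profile: a source that suddenly looks like a different operating system at a different distance is being forged.

```python
from collections import defaultdict
from statistics import mean

INITIAL_TTLS = (32, 64, 128, 255)   # common operating-system defaults


def hop_count(ttl):
    """Infer (initial TTL, hops travelled) from an observed TTL: the initial value is the
    smallest common default not below what was seen."""
    init = next(i for i in INITIAL_TTLS if ttl <= i)
    return init, init - ttl


def make_flows():
    """Constructed flow records: 10 s of normal traffic from three known clients, then
    3 s of a SYN flood from 100 forged sources, with one known client's address forged too."""
    flows = []
    known = {"198.51.100.5": 54, "198.51.100.6": 117, "192.0.2.9": 243}   # observed TTLs
    for sec in range(10):
        for src, ttl in known.items():
            flows.append((sec, src, "203.0.113.10", 443, 20, ttl))
    for sec in range(10, 13):
        for i in range(100):   # forged sources; their TTLs scatter instead of clustering
            flows.append((sec, f"100.64.{i}.{(i * 37) % 256}", "203.0.113.10", 443, 50, 64 - i % 30))
        # the real client's address forged, but arriving with a 128-based TTL
        flows.append((sec, "198.51.100.5", "203.0.113.10", 443, 200, 120))
    return flows


def packets_per_second(flows, dst):
    pps = defaultdict(int)
    for sec, src, d, dport, pkts, ttl in flows:
        if d == dst:
            pps[sec] += pkts
    return dict(pps)


def analyse_flows(flows, dst, baseline_end, factor=10):
    """Spike seconds (pps above factor x baseline mean), never-seen sources in the spike,
    and known sources whose (initial TTL, hops) no longer match their baseline profile."""
    pps = packets_per_second(flows, dst)
    threshold = factor * mean(pps[s] for s in pps if s < baseline_end)
    spike = sorted(s for s in pps if s >= baseline_end and pps[s] > threshold)
    profile = defaultdict(set)                       # src -> {(initial_ttl, hops)} before attack
    for sec, src, d, dport, pkts, ttl in flows:
        if d == dst and sec < baseline_end:
            profile[src].add(hop_count(ttl))
    new_sources, inconsistent = set(), {}
    for sec, src, d, dport, pkts, ttl in flows:
        if d != dst or sec not in spike:
            continue
        if src not in profile:
            new_sources.add(src)
            continue
        seen = hop_count(ttl)
        if seen not in profile[src]:
            rec = inconsistent.setdefault(src, {"baseline": profile[src], "observed": set()})
            rec["observed"].add(seen)
    return {"threshold": threshold, "spike_seconds": spike,
            "new_sources": len(new_sources), "inconsistent_known": inconsistent}


if __name__ == "__main__":
    result = analyse_flows(make_flows(), "203.0.113.10", baseline_end=10)
    print(result["spike_seconds"], result["new_sources"], result["inconsistent_known"])
```

In the output the three spike seconds and the hundred previously unseen sources are the DDoS picture; the entry for 198.51.100.5, a 64-TTL host ten hops away that suddenly presents as a 128-TTL host eight hops away, is the spoofing indicator that stops the examiner from blaming the real client.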

Web jacking. An attacker takes over a website by hijacking its domain registration (social-engineering the registrar or exploiting weak registrar authentication) or by compromising the hosting provider credentials. The legitimate site is replaced with the attacker's content, or the DNS records are changed to redirect visitors to a server the attacker controls. Evidence: DNS record change history (registrar and DNS provider logs), WHOIS historical data, web server access and error logs, and the issuance time of any replacement TLS certificate, which Certificate Transparency logs record even when the attacker later deletes it.

[Figure: packet sniffing on a LAN. Switch/hub at the network core; a legitimate client and a web/DB server exchange traffic; the attacker, running Wireshark or tcpdump, sends ARP poison to both and captures the packets now flowing through its machine.]
Fig 2.2 Packet sniffing on a LAN — the attacker uses ARP poisoning to redirect traffic between the client and server through their own machine, capturing all packets.

2.5 Indian Legal Framework

India has a layered legal framework for cybercrime. Understanding which section applies to which offence is essential for admissibility and for framing charges correctly.

IT Act 2000 / Amendment 2008 — key sections:

Section | Offence | Maximum punishment
§43 | Unauthorised access, download, virus introduction, damage or disruption to a computer, system or network | Civil liability: compensation to the person affected (the pre-2008 cap of ₹1 crore was removed by the 2008 amendment)
§65 | Tampering with computer source documents | 3 years, or fine up to ₹2 lakh, or both
§66 | Computer-related offences: any §43 act done dishonestly or fraudulently (hacking, data alteration, damage) | 3 years, or fine up to ₹5 lakh, or both
§66B | Dishonestly receiving a stolen computer resource or communication device | 3 years, or fine up to ₹1 lakh, or both
§66C | Identity theft (fraudulent use of another person's password, electronic signature or other unique identifier) | 3 years and fine up to ₹1 lakh
§66D | Cheating by personation using a computer resource | 3 years and fine up to ₹1 lakh
§66E | Violation of privacy (capturing, publishing or transmitting images of a private area without consent) | 3 years, or fine up to ₹2 lakh, or both
§67 | Publishing or transmitting obscene material in electronic form | First conviction: 3 years and fine up to ₹5 lakh; subsequent conviction: 5 years and fine up to ₹10 lakh
§69 | Government power to intercept, monitor or decrypt information through any computer resource | Subscriber or intermediary failing to assist: 7 years and fine
§72 | Breach of confidentiality and privacy by a person who obtained access to records under the Act | 2 years, or fine up to ₹1 lakh, or both

IPC sections that continue to apply alongside the IT Act. The IPC was replaced by the Bharatiya Nyaya Sanhita (BNS) 2023 for offences committed on or after 1 July 2024; the corresponding BNS section is given in brackets, and charge sheets must cite the code in force on the date of the offence:

  • §420 — Cheating (online fraud, fake e-commerce) [BNS §318]
  • §463/465 — Forgery (fake digital documents, forged e-mails) [BNS §336]
  • §499/500 — Defamation (fake posts, morphed images) [BNS §356]
  • §354D — Stalking, including cyberstalking [BNS §78]

Evidence law — Bharatiya Sakshya Adhiniyam (BSA) 2023. The BSA replaced the Indian Evidence Act 1872 with effect from 1 July 2024. Section 63 BSA governs the admissibility of electronic records produced in court as copies, printouts or extractions rather than as the original device. Such a record is admissible only with a certificate from a person responsible for the computer or communication device that produced it, stating that (a) the device was regularly used to store or process information in the ordinary course of activity, (b) information of that kind was regularly fed into it, (c) it was operating properly (or any fault did not affect the record), and (d) the record reproduces or is derived from the information so fed. Section 63 carries forward §65B of the Evidence Act with essentially the same conditions; the BSA additionally prescribes the certificate's form in its Schedule, which records a hash value of the electronic record and is signed both by the person in charge of the device and by an expert. Where the original device itself is produced in court as primary evidence, no certificate is needed (Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, Supreme Court, 2020, decided under §65B). In practice every forensic image, extraction report and exported log is a copy, so the examiner should obtain the certificate from the custodian at the time of seizure or of the legal request, not after the fact.

CERT-In (Indian Computer Emergency Response Team). Under MeitY (Ministry of Electronics and Information Technology), CERT-In is India's national nodal agency for cybersecurity incident response, constituted under §70B of the IT Act. Its directions of 28 April 2022 require service providers, intermediaries, data centres, body corporates and government organisations to report cybersecurity incidents to CERT-In within 6 hours of noticing them or being brought to notice of them. The listed incident types include compromise of critical systems, unauthorised access to IT systems or data, website defacement, malware and ransomware attacks, data breaches and leaks, and unauthorised access to social media accounts. The same directions require covered entities to synchronise system clocks with the NIC or NPL NTP servers and to retain ICT system logs for 180 days within India, both of which matter to the examiner because they decide whether timestamps from different sources can be reconciled and whether the logs still exist when the request arrives.

§66C IT Act — Identity Theft

Fraudulently or dishonestly using the electronic signature, password, or any other unique identification feature of any other person. Punishable with up to 3 years' imprisonment and a fine of up to ₹1 lakh. Commonly charged in SIM swap cases where the attacker uses the victim's banking credentials.

Section 63 BSA 2023 — Electronic Records Certificate

For an electronic record produced as a copy, printout or extraction (email, CCTV footage, server log, phone extraction report) to be admissible as evidence in an Indian court, a certificate must be provided by a responsible official of the organisation that produced the record, in the form prescribed by the BSA Schedule and countersigned by an expert. The certificate must confirm the computer's regular use, its proper operation, and that the record is an authentic output, and it records the hash of the record. Without it, such a copy is inadmissible regardless of its forensic quality; only the original device produced in court as primary evidence is exempt.

Memory hooks · Chapter 2

2.1 Computer roles — Target (hacking the computer itself) · Tool (using computer to commit fraud/stalking) · Incidental (computer holds evidence of a non-cyber crime).

2.1 IT Act + IPC together — IT Act 2000/2008 for cyber offences; IPC §420/463/499 still apply for fraud, forgery, defamation.

2.2 Phishing evidence — email headers (Received chain, SPF/DKIM/DMARC fail), sending IP, WHOIS domain records, server access logs.

2.2 SIM swap — attacker ports victim's number → intercepts OTP → drains bank account; evidence: telecom SIM swap records + IMEI before/after.

2.2 Skimming — ATM overlay reads magnetic stripe; camera captures PIN; evidence on the skimmer device itself.

2.3 EXIF metadata — GPS, device, timestamp embedded in image file; proves location and time; reveals editing software used.

2.4 Packet sniffing — Wireshark/tcpdump on same LAN + ARP poisoning; evidence = PCAP files + ARP table logs.

2.4 DDoS evidence — firewall volume logs + NetFlow + botnet C2 identification.

2.5 IT Act §66 = hacking · §66C = identity theft · §66D = personation · §67 = obscene material · §69 = government interception power.

2.5 BSA §63 certificate — mandatory for electronic records to be admissible; responsible official must sign; replaces §65B Indian Evidence Act.

2.5 CERT-In — report incidents within 6 hours of detection (2022 directive).
