Both spoofing and phishing are methods of fraud using telecommunications and the Internet, but they differ in how they are used. Spoofing involves broadly impersonating the IP address of another device, telephone number, email address or DNS server. Everything is camouflaged in such a way that the identification of the real user or caller is impossible. The easiest to recognise is email spoofing. The content of the message sent by someone impersonating a chosen e-mail address indicates the intention of spoofing confidential information from the addressee of the message. Phone number spoofing is carried out using easily accessible websites that, for a fee, allow you to make a call from any phone number and change the voice or convert the text into a voice that the person answering the phone will hear. Detection of such spoofing is only possible after the fact, when checking the billing of the number called and impersonated. IP address and DNS server spoofing is the most difficult to detect, as it may differ only slightly from the real one. The essence of phishing is reflected in its pronunciation, which is similar to the word “fishing”. It consists in preparing a “lure” for the user, e.g. by means of a link sent in an e-mail message, SMS or via instant messenger, and then either installing malicious software on the device or phishing for login data. The fraudster may impersonate e.g. a bank, government agency, courier company or a friend of the victim. Phishing emails are usually designed to look as authentic as possible. One form of phishing is spear-phishing, which involves a targeted attack on, for example, a specific company and impersonation of a business partner.
There are no provisions in Polish law that would directly prohibit spoofing and phishing, although this does not mean that such behaviour is not punishable on the basis of the Polish Penal Code. Spoofing, as impersonating someone else by its very nature, meets the requirements of the prohibited act pursuant to Article 190a § 2 of the Polish Penal Code: whoever, by impersonating another person, uses that person’s image, other personal data or other data by means of which that person is publicly identified, in order to cause material or personal damage to that person. Phishing is punishable under Article 267 §1 of the Polish Penal Code: Whoever without authority gains access to information not intended for them by opening a closed letter, by connecting to a telecommunications network or by breaking or bypassing electronic, magnetic, IT or other specific security thereof. Both phishing and spoofing may also constitute an offence under Article 287 §1 of the Polish Penal Code: Whoever, in order to gain a material benefit or to cause damage to another person, without authorisation, affects the automatic processing, collection or transmission of IT data or changes, deletes or introduces a new record of IT data. Naturally, these are the basic provisions, features of which are fulfilled by phishing and spoofing, as they may be in conjunction with other provisions of the Polish Penal Code, such as unlawful threat (Article 190 §1), forcing to behave, refrain from or cease in a specific manner (Article 191 §1), defamation (Article 212 §1 and 2), insult (Article 216 §1 and 2), false report of a danger (Article 224a §1 and 2), appropriation of the function of a public official (Article 227), destroying, damaging, deleting, altering or obstructing access to computer data (Article 268a), destroying, damaging, deleting, altering or obstructing access to sensitive computer data (Art. 269), interference with the operation of an IT system, data communications system or a data communications network (Art. 269a), theft of a computer programme (Art. 278 §2) and many other crimes that may be committed in relation to spoofing and phishing. The legal grounds for punishing spoofing and phishing are numerous in Polish law, depending on the specific action of the perpetrator and its purpose. However, a problem arises at the stage of detecting such offences and holding their perpetrators criminally liable. Spoofing and phishing are often of cross-border nature – the perpetrator of the crime using them is often located abroad. Moreover, the perpetrators are difficult to detect due to the masking methods used: creating intermediary middlemen, often unaware of the procedure, masking their identity or using another person’s identity and high dynamism in creating e.g. new websites.
Bank liability for inadequate protection against spoofing and phishing
The Act of 19 August 2011 on payment services (Journal of Laws 2011, No. 199, item 1175, with subsequent amendments) is relevant under Polish law from the perspective of the bank’s liability for inadequately protecting clients against such practices. The first obligation, arising from Article 40 of this act, is related to securing the executed transaction by means of various established methods of verification. Consent given by the payer before execution of the transaction is a prerequisite for the transaction to be deemed authorised. The payer can also hold the transaction until the payer’s provider receives an order to execute it. If there is an unauthorised transaction from the payer’s account, the bank is obliged under Article 46 to refund the amount that was debited from the payer’s account. There is an exception if the bank has a reasonable suspicion of fraud, in which case it will report this to the law enforcement authorities. In addition, the aforementioned act in article 45 point 1 requires the bank to prove that the transaction was authorised. Thus, if the customer exercised due diligence and nevertheless became a victim of fraud, the safeguards are deemed insufficient and the bank is held liable.
European law also refers to spoofing and phishing. The law currently in force in this area is Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment, replacing Council Framework Decision 2001/413/JHA. This Directive sets out requirements for Member States to prevent and combat crimes related to non-cash means of payment. Under Article 6 of this Directive, Member States are required to penalise conduct which consists in performing or causing a transfer of money, monetary value or virtual currency and thereby causing an unlawful loss of property for another person in order to make an unlawful gain for the perpetrator or a third party, punishable as a criminal offence when committed intentionally without right, hindering or interfering with the functioning of an information system or without right, introducing, altering, deleting, transmitting or suppressing computer data. The regulation in this article therefore refers to spoofing and phishing, although it does not name them explicitly. In Article 9, the Directive sets out the minimum criminal penalties to be applied in the criminal laws of Member States for the offences committed by natural persons set out in the Directive. The Directive obliges Member States to introduce provisions that punish not only natural but also legal persons. Article 10 of the Directive establishes the requirement that Member States’ legislation create the conditions for a legal person to be liable for an offence committed for its benefit by any person, acting either individually or as part of a body of the legal person, and having a leading position within the legal person, based on one of the following: a power of representation of the legal person, an authority to take decisions on behalf of the legal person or an authority to exercise control within the legal person. A legal person is also liable where the lack of supervision or control, by one of those persons employed by the legal person, has made it possible for a person under its authority to commit one of the offences listed in the Directive. Liability of a legal person shall not exclude liability of a natural person who has committed such an offence.
One of the key methods of combating phishing and spoofing is to make bank customers in particular aware of the methods of fraudsters who use spoofing and phishing to defraud them. Widespread information campaigns and ongoing alerts on identified attacks are designed to warn potential victims and encourage people who have already been victims of spoofing or phishing to report the crime to law enforcement authorities. The Polish authorities are also taking steps to combat these harmful phenomena. One of them is the establishment, under the Act of 17 December 2021 on amending certain acts in connection with the establishment of the Central Bureau for Combating Cybercrime (Journal of Laws 2021, item 2447), of a special body to combat cybercrime – the Central Bureau for Combating Cybercrime as an organisational unit of the Polish Police. In January 2022, it was announced that changes would be presented in the Polish ICT sector to counteract crimes using spoofing and phishing, but these were not yet presented.