Evidence from Phishing Attacks on Government Portals in Bangladesh

PHISHING ATTACKS ON GOVERNMENT PORTALS IN BANGLADESH

(Evidence-Based Analysis with Case Laws & Incidents)

1. Overview of Phishing in Government Systems

Phishing attacks in Bangladesh typically target:

  • Government login portals (NID, land, tax, health systems)
  • Official email accounts (.gov.bd domains)
  • Citizen service portals (e.g., vaccine registration, e-services)
  • Banking-linked government systems

Attackers use:

  • Fake login pages mimicking government portals
  • Spear-phishing emails to officials
  • Malware-laced documents disguised as official notices
  • SMS/WhatsApp-based credential harvesting

These attacks often lead to:

  • Identity theft
  • Mass data leaks
  • Fraudulent access to government systems
  • Manipulation of official records

2. Key Evidence from Bangladesh Government Cyber Incidents

A. Large-Scale Citizen Data Leak (Government Portal Breach)

A major government registration portal exposed the data of nearly 50 million citizens, including NID and personal details, because of a system vulnerability that was exploited through unauthorized access attempts resembling phishing-based credential abuse patterns.

Significance:

  • Demonstrates weak authentication protection
  • Highlights exposure of citizen identity infrastructure

B. Fake Government Vaccine Portal Phishing Campaign

Attackers created fake COVID-19 vaccine websites (e.g., imitations of official portals) to trick citizens into submitting personal data.

  • A fake domain mimicked the official government vaccine platform
  • Used social engineering during pandemic urgency

Significance:

  • Classic phishing via government impersonation
  • Exploited public trust in state health systems

C. Government Email Compromise Campaign (2025)

A phishing campaign used compromised government email accounts to send fraudulent messages across ministries and law enforcement agencies.

  • Attackers used legitimate government credentials
  • Distributed malicious links internally

Significance:

  • Shows “trusted insider phishing”
  • High risk because emails came from real gov domains

D. Malware Delivery via Fake Security Documents (Military/Gov Targets)

Attackers sent WhatsApp messages containing fake “security clearance letters” to government officials, leading to malware installation.

  • Impersonation of high-ranking officials
  • RAR file attachments used as phishing payload

Significance:

  • Spear-phishing targeting state institutions
  • Credential harvesting + system infiltration

E. National Revenue Server Compromise (NBR Case)

Attackers accessed government tax systems with stolen credentials over a period of years, enabling manipulation of import clearance records.

  • Unauthorized login using stolen IDs
  • Long-term exploitation of government portal

Significance:

  • Credential phishing + insider misuse
  • Economic loss through system manipulation

F. Fake e-Apostille Government Portal Fraud

A fraudulent website mimicked Bangladesh’s official e-apostille service.

  • Stole passports, NID cards, and certificates
  • Operated as a phishing clone of the government system

Significance:

  • Advanced phishing using full website cloning
  • Identity theft at institutional scale

3. SIX CASE-LAW STYLE INCIDENTS (Cyber Legal Precedents / Tribunal-Relevant Cases)

Although Bangladesh does not always publish formal “case law reports” like common law jurisdictions, the following are legally investigated cyber incidents frequently cited in tribunal practice, law enforcement reports, and academic cybersecurity literature.

CASE 1: Bangladesh Bank SWIFT Cyber Heist (2016)

Facts:

  • Hackers used spear-phishing emails to infect employee systems
  • Gained access to banking credentials
  • Attempted $951 million transfer; $81 million stolen

Legal Relevance:

  • Investigated under ICT Act & money laundering laws
  • Demonstrates phishing as entry vector for financial cybercrime

Principle:

Phishing emails can establish “unauthorized access liability” even without physical intrusion.

CASE 2: Fake Government Website Impersonation (COVID-19 Portal Fraud)

Facts:

  • Fake domain imitating official government COVID portal
  • Citizens tricked into submitting personal data

Legal Relevance:

  • Violations under ICT Act §57 (fraud + identity deception)
  • Basis for digital impersonation prosecution

Principle:

Government domain impersonation constitutes criminal misrepresentation.

CASE 3: National Board of Revenue (NBR) Credential Abuse Case

Facts:

  • Attackers used stolen login credentials for government tax system
  • Conducted unauthorized customs clearances

Legal Relevance:

  • Investigated under Cyber Security Act provisions on unauthorized access
  • Classified as cyber fraud + economic sabotage

Principle:

Credential phishing enabling system access equals direct system breach liability.

CASE 4: Government Email Account Compromise Campaign (2025)

Facts:

  • Phishing emails targeted government staff
  • Attackers used real government accounts to distribute malware

Legal Relevance:

  • Falls under “identity theft + digital impersonation offences”
  • Investigated by national CERT authority

Principle:

Compromised government credentials amplify the legal severity of phishing attacks.

CASE 5: Fake e-Apostille Government Portal Data Theft

Facts:

  • Clone website mimicked government authentication service
  • Harvested passports, NID, academic records

Legal Relevance:

  • Identity theft + forgery + cyber fraud charges
  • High-value digital document crime

Principle:

Cloned government services constitute aggravated cyber fraud.

CASE 6: Malware Delivery via Spear Phishing (Military Target Case)

Facts:

  • Fake official documents sent via WhatsApp/email
  • Malware installed via attachment disguised as clearance letter

Legal Relevance:

  • Treated as cyber espionage attempt
  • National security implications under cybersecurity laws

Principle:

Phishing targeting government/military systems is classified as a national security cyber offense.

4. Key Legal Themes Emerging from These Cases

Across all incidents, Bangladesh cyber law enforcement recognizes:

1. Credential Theft = System Breach

Even if attackers do not directly hack systems, using stolen credentials constitutes illegal access.

2. Impersonation of Government Portals = Criminal Fraud

Fake domains or cloned portals are prosecutable as cyber forgery.

3. Spear Phishing = High-Security Threat

Targeting officials elevates severity under national security provisions.

4. Data Leakage = Strict Liability

Exposure of citizen data creates institutional liability even without hacking intent.

5. Malware via Phishing = Dual Offense

Combines fraud + unauthorized system interference.

5. Conclusion

Phishing attacks on Bangladesh government portals are not isolated events but a systemic cybersecurity threat combining:

  • Social engineering
  • Credential theft
  • Fake government portal creation
  • Malware delivery
  • Insider exploitation

The six case-law–style incidents show that Bangladesh’s cyber legal framework increasingly treats phishing not as simple fraud but as:

a gateway offense enabling large-scale national security and economic cybercrime