Sections within this essay: Background
Phishing and Related Schemes
Typical Phishing Scams
Spyware and Keyloggers
Difficulty in Controlling Phishing Scams
Federal Laws Related to Phishing Activities
Credit Card Fraud Act
Identity Theft and Assumption Deterrence Act
Fair and Accurate Credit Transaction Act
California's Anti-Phishing Law
Education and Awareness
Review of Credit Records
Anti-Identity Theft Freeze
Anti-Phishing Working Group
Council of Better Business Bureaus (CBBB)
Federal Trade Commission
Phishing (analogous to fishing, and hence the term) refers to a practice in which a perpetrator attempts to lure a victim into visiting an authentic-looking Web site and entering personal information. The purpose of a phishing scheme is to steal personal information from the victim in the form of account numbers, social security numbers, passwords, and so forth. Although these schemes are blatantly illegal forms of identity theft, the individuals responsible are difficult to catch and prosecute because they are often located overseas.
Statistics have shown that phishing has continually escalated as a problem in the United States. According to one estimate, about 1.2 million people between May 2004 and May 2005 suffered losses due to phishing schemes. One prominent computer security company, Symantec, determined that one out of every 125 emails sent in 2005 was part of a phishing scheme. Although legislative efforts to combat this problem have proven ineffective, consumers can take a number of steps to protect themselves from being victimized by this form of fraud.
A phishing scam begins with the distribution of an email that appears to be from a legitimate company, usually a bank or Internet shopping site. The email, which is typically addressed to a generic customer (e.g., "Dear Valued eBay Customer"), often contains authentic-looking logos from a legitimate company. Messages in these emails vary, but most indicate either that the company is undergoing a process of updating its records or that the customer's account information has been compromised through fraud. The email directs the user to click on a link that takes the user to a Web site that also looks authentic. Once on the site, the page directs the user to enter personal information, including the user's password.
Many victims of phishing schemes are unaware of what happened to them because they have been led to believe that the email and Web site were authentic. The person responsible for the attack creates the deception by producing a URL that looks as if it belongs to the actual company. A victim often sees words associated with the company, such as "eBay" or "CitiBank," somewhere in the hyperlink and has no idea that the URL is fake: the brand name may appear as a subdomain or in the path of an address that is actually controlled by the attacker, or the visible text of the link may show the company's address while the link itself points elsewhere. The Web site that the victim visits is likewise designed to deceive, because it usually looks identical to the company's actual site.
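The following added example (not part of the original essay) makes the deception concrete. It parses a constructed e-mail body and flags the three tell-tale signs just described: a brand name embedded in a domain the brand does not own, a link whose visible text names one host while its target is another, and a target that is a bare IP address. The trusted-domain list, the brand words, and the sample message are assumptions made for the example; the hostnames use the reserved .example suffix and a documentation IP range so that nothing points at a real site.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example, not part of the original essay. The message below is
constructed for illustration; hostnames under .example are reserved
for documentation and 203.0.113.0/24 is a documentation prefix.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Registrable domains the reader actually trusts for the brands named
# in the message (assumed list for the example).
TRUSTED = {"ebay.com", "citibank.com"}

# Brand words a phisher is likely to embed somewhere in the URL.
BRANDS = ("ebay", "citibank")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: multi-label public
    suffixes such as co.uk are ignored; a real check would look them up."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(text):
    """Hostname of a URL, or of a bare 'www.site.com/...' string; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html):
    """Return one finding per link: its target host and why it looks deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if is_ip_literal(host):
            reasons.append("href host is a bare IP address")
        elif registrable_domain(host) not in TRUSTED:
            # Brand word present in the host (e.g. as a subdomain) while the
            # part that actually decides ownership is untrusted.
            if any(b in host for b in BRANDS):
                reasons.append("brand name in untrusted domain")
        # Visible text that itself looks like a URL naming a different host.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != host:
            reasons.append("link text names a different host than href")
        findings.append({"href": href, "host": host, "reasons": reasons})
    return findings


# Constructed sample message body (not a real phishing e-mail).
SAMPLE = """
<p>Dear Valued eBay Customer,</p>
<p>Please confirm your details at
<a href="http://www.ebay.com.account-verify.example/signin">http://www.ebay.com/signin</a>
or call us. Our partner <a href="http://203.0.113.5/citibank/update.php">CitiBank Online</a>
has been notified.</p>
<p>Visit <a href="https://www.ebay.com/help">www.ebay.com</a> for help.</p>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE):
        print(finding["host"], "->", finding["reasons"] or ["ok"])
```

Run as a script, the first link is flagged twice (brand in an untrusted domain, and link text that disagrees with the target), the second for its bare IP address, and the genuine eBay link passes. The "last two labels" rule for the registrable domain is deliberately naive; a production check would consult the public suffix list so that names such as ebay.co.uk are handled correctly.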
A more recent variation of phishing involves emails that are targeted towards employees of specific companies. Emails that are sent as part of this scheme appear to be from an employee's actual company and ask for the user to update personal information. However, like other phishing schemes, a link contained in the email message sends the user to a site that is completely unrelated to the company. This type of targeted phishing scheme has become known as "spear phishing."
Spear phishing has become prevalent. The Wall Street Journal reported that between January and June 2005, an estimated 35 million targeted messages were sent in the United States. This form of phishing has also proven to be effective. In one mock attack designed to study users' responses, 500 cadets from West Point received a targeted email asking for personal information. More than 80% of these cadets responded to the email and provided the requested information.
The term pharming refers to a practice in which perpetrators redirect users from legitimate Web sites to fraudulent ones even though the user has typed the correct address. This is done by exploiting weaknesses in Domain Name System (DNS) software, which resolves Internet names to the corresponding Internet Protocol (IP) addresses. For example, when a user enters http://www.mybank.com, DNS software resolves that name to an IP address consisting of a series of numbers, such as 18.104.22.168. When a resolver has been poisoned with respect to that name, it answers with a different IP address, one that belongs to the attacker rather than to the actual business, and the user's browser connects there while still displaying the genuine address.
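The following added example (not part of the original essay) shows the mechanism at the level of the DNS answer itself. It builds two minimal DNS responses for www.mybank.com, one carrying the bank's address and one carrying the address a poisoned resolver would hand back, decodes the A records from the wire format, and compares each answer with an address the reader has pinned in advance. The packets are constructed here rather than captured, and the addresses are taken from documentation ranges; the pinned address is an assumption made for the example.

```python
"""Decode a DNS A-record answer and compare it with a pinned address.

Added example, not part of the original essay. The packets are built
here rather than captured, and the addresses are from the 192.0.2.0/24
and 203.0.113.0/24 documentation ranges (assumed values).
"""
import struct
from ipaddress import IPv4Address


def encode_name(name):
    """'www.mybank.com' -> b'\\x03www\\x06mybank\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, ip, ttl=300, txid=0x1234):
    """Construct a minimal standard DNS response carrying one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # The answer's name is a compression pointer to offset 12, the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer


def read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(packet):
    """Return {name: [ip, ...]} for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
    records = {}
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.setdefault(name, []).append(str(IPv4Address(rdata)))
    return records


def check_resolution(packet, pinned):
    """Compare the answer for each pinned name with the addresses known to be
    the business's own; any other address is a sign of a pharmed resolver."""
    answers = parse_a_records(packet)
    verdicts = {}
    for name, good in pinned.items():
        got = set(answers.get(name, []))
        verdicts[name] = "ok" if got and got <= set(good) else "MISMATCH " + ",".join(sorted(got))
    return verdicts


# Constructed data: the bank's real address, and the address a poisoned
# resolver hands back instead.
PINNED = {"www.mybank.com": ["192.0.2.10"]}
LEGIT = build_response("www.mybank.com", "192.0.2.10")
PHARMED = build_response("www.mybank.com", "203.0.113.66")

if __name__ == "__main__":
    print(check_resolution(LEGIT, PINNED))
    print(check_resolution(PHARMED, PINNED))
```

The poisoned answer is byte-for-byte as well-formed as the genuine one; nothing in the packet reveals the substitution, which is why the user's browser cannot notice it. Pinning is shown only to illustrate the comparison: large sites use many addresses that change over time, so a real deployment would validate answers cryptographically (DNSSEC) or rely on the site's TLS certificate rather than on a fixed address list.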
Another recent scam that is similar to phishing makes use of wireless devices. In these schemes, known as evil twin scams, attackers lure users into connecting their laptops or PDA devices to what appear to be legitimate wireless hotspots, such as the one in an airport lounge, but which are in fact access points controlled by the attacker. Once a person has connected, the attacker sits between the device and the Internet and can observe or alter the traffic that passes through, capturing any information that is sent without encryption.
More sophisticated Internet attacks can be carried out through the use of spyware and keyloggers. Spyware that is installed unknowingly on a victim's computer can be used to track the victim's Internet usage and steal personal information. Similarly, a keylogger installed on a computer can record anything that is typed on it, such as user names and passwords, and send that information to the perpetrator who installed it.
Several factors make it difficult for law enforcement to catch those who run phishing scams. The Web sites that are used in these scams are often only active for a few days, so even if law enforcement discovers a scam, the site may be removed long before it is investigated. Moreover, many of the servers that house these sites are located in foreign countries, making enforcement of domestic laws very difficult.
Although some members of Congress have introduced pieces of legislation focusing specifically on phishing, none of these bills have been enacted. Nevertheless, several federal laws prohibit phishing as well as other forms of fraud.
Originally enacted in 1984, the Credit Card Fraud Act prohibits the fraudulent use of an "access device" to obtain goods or anything else of value. Access devices include credit cards, account numbers, personal identification numbers, and similar items "that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds…." A violation of the statute can result in a prison term of up to 15 years and a fine.
The Identity Theft and Assumption Deterrence Act applies to the unauthorized transfer or use of a means of identification. A means of identification includes personal information, such as a social security number or date of birth, as well as biometric data, such as a fingerprint. Although the two statutes are similar, the Identity Theft and Assumption Deterrence Act differs from the Credit Card Fraud Act in that the former defines "victim" as the person whose identity is stolen. By comparison, the Credit Card Fraud Act defines the victim as the bank, credit issuer, or merchant, since one of those entities is financially responsible for any fraudulent purchases.
Congress enacted the Fair and Accurate Credit Transaction Act in 2003 to allow consumers to check their credit reports and correct mistakes on those reports. The statute amended the Fair Credit Reporting Act, which is designed to protect the privacy of consumer information in credit reports as well as to promote accuracy in those reports.
California in 2005 became the first state to enact legislation designed specifically to deter phishing. Under the Anti-Phishing Act of 2005, it is unlawful in the state "for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business."
Unlike federal statutes, the California law provides for civil liability as opposed to criminal penalties. Some victims of phishing, including those who provide Internet access service to the public, own a Web page, or own a trademark, may recover up to $500,000 for each proven violation of the statute. Other victims may recover up to $5000 for each violation of the statute. The statute also allows the state's attorney general or a district attorney in the state to bring an action to enjoin further violations.
California is also among a few states that allow consumers to place freezes on their credit reports. This option is similar to provisions in the federal Fair and Accurate Credit Transaction Act, although the state's option is stronger than the federal counterpart. Nevertheless, few consumers in those states take advantage of this option, primarily because it is not well advertised and it is costly.
Without effective state or federal legislation, most experts recommend that consumers employ one of several self-help measures. These measures include increased education and awareness of the threat of phishing scams, review of credit records, placing freezes on credit reports, and using one of several different types of insurance.
In 2003, the Federal Trade Commission (FTC) released the Identity Theft Survey Report, which indicated that many victims expressed that they would have benefited a great deal if they had better awareness of the potential for identity theft. Although phishing remains prevalent, many consumers have become sophisticated enough to identify fraudulent emails. Nevertheless, more advanced scams, such as spear phishing and pharming schemes, may still lure a consumer to provide personal information.
Banks, credit issuers, and other businesses have made efforts to educate their customers about the potential for phishing schemes and other fraudulent scams. Most businesses do not request personal information from their customers through email messages, and so almost all emails that request this information are illicit. Consumers who receive any suspicious correspondence requesting personal information should contact the business that apparently sent the request, using a telephone number or Web address taken from a statement or from the company's known site rather than one supplied in the message itself.
Several businesses and law enforcement agencies have joined the Anti-Phishing Working Group (APWG), which has been formed to eliminate the threat of phishing scams. Both the APWG and the FTC offer several suggestions in addition to those summarized above.
- Use anti-virus software and a firewall, and keep both up-to-date.
- Do not use email to send personal or account information.
- Review credit card and bank account statements as soon as they are received.
- Regularly log on to online accounts.
- Be cautious about opening any attachment or downloading any files from emails.
- Forward phishing emails to the appropriate authorities, including the following email addresses: [email protected] (FTC); [email protected] (APWG).
- File a complaint with the FTC. More information is available online at http://www.consumer.gov/idtheft/.
Consumers should take advantage of federal laws that allow them to review their credit reports. At the least, this allows consumers to identify suspicious activity that may have occurred with respect to their personal information. However, the effectiveness of this option may be limited, because the theft of personal information through a phishing scheme may have occurred months before the consumer checks the credit report.
A freeze on a consumer's credit report can prevent identity thieves from opening new accounts with the consumer's personal information: if a phisher obtains a social security number or similar identifying data, the freeze blocks the attacker from using it to obtain credit. On the other hand, if a consumer provides existing bank or credit card account information to a phisher, a freeze offers no protection, because the attacker can draw on those accounts directly.
Several companies offer different types of insurance to protect consumers against instances of fraud. Some of these plans monitor a consumer's credit activity, while others reimburse victims after identity theft has occurred.
Best, Reba A. Identity Theft: A Legal Research Guide. William S. Hein & Co., Inc., 2004.
Lynch, Jennifer. Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks. Berkeley Technology Law Journal, 2005.
Federal Trade Commission. Take Charge: Fighting Back Against Identity Theft. 2004. Available at http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm.
E-Mail: [email protected]
Council of Better Business Bureaus (CBBB)
4200 Wilson Blvd., Suite 800
Arlington, VA 22203-1838 USA
Phone: (703) 276-0100
Fax: (703) 525-8277
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580 USA