A crime in which the perpetrator develops a scheme using one or more elements of the Internet to deprive a person of property or any interest, estate, or right by a false representation of a matter of fact, whether by providing misleading information or by concealment of information.
As increasing numbers of businesses and consumers rely on the Internet and other forms of electronic communication to conduct transactions, illegal activity using the very same media is similarly on the rise. Fraudulent schemes conducted via the Internet are generally difficult to trace and prosecute, and they cost individuals and businesses millions of dollars each year.
From computer viruses to Web site hacking and financial fraud, Internet crime became a larger concern than ever in the 1990s and early 2000s. In one sense, this situation was less a measure of growing pains than of the increasing importance of the Internet in daily life. More users surfing the Web, greater business reliance upon e-mail, and the tremendous upsurge in electronic commerce have raised financial stakes. A single virus outbreak in 1999 was blamed for more than $80 million in damage, while Web site hacking in early 2000 purportedly cost hundreds of millions more. Adding new wrinkles were complaints about rampant fraud on popular online auction sites. Together, the problems drew tough rhetoric from U.S. officials, who announced new initiatives, deployed cyber-crime units, made numerous arrests, and even pursued international manhunts.
According to a U.S. Justice Department Web site devoted to the topic, Internet fraud refers to any type of scheme in which one or more Internet elements are employed in order to put forth "fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme." As pointed out in a report prepared by the National White Collar Crime Center and the Federal Bureau of Investigation (FBI) in 2001, major categories of Internet fraud include, but are not limited to, auction or retail fraud, securities fraud, and identity theft.
Securities fraud, also called investment fraud, involves the offer of bogus stocks or high-return investment opportunities, market manipulation schemes, pyramid and Ponzi schemes, or other "get rich quick" offerings. Identity theft, or identity fraud, is the wrongful obtaining and use of another person's personal data for one's own benefit; it usually involves economic or financial gain for the perpetrator.
In its May 2002 issue, Internet Scambusters cited a study by Gartner G2 that demonstrated online merchants lost $700 million to Internet fraud in 2001. By comparison, the report showed that "online fraud losses were 19 times as high as offline fraud." In fact, the study pointed out that in the same year more than five percent of those making purchases via the Internet became victims of credit card fraud.
The IFCC, in its 2001 Internet fraud report, released statistics of complaints that had been received and then referred to law enforcement or regulatory agencies for action. For the 12-month period covered by the report, the IFCC received more than 17 million inquiries to its Web site, with nearly 50,000 formal complaints lodged. It must be noted, however, that the number of complaints included reports of computer intrusions and unsolicited child pornography.
Significant findings in the report revealed that Internet auction fraud was the most reported offense, comprising 42.8 percent of referred complaints. Besides those mentioned above, top fraud complaints also involved non-delivery of merchandise or payment, credit/debit card fraud, and confidence fraud. While it may seem easy to dismiss these concerns as obvious, the schemes used to defraud customers of money or valuable information have become increasingly sophisticated and less discernible to the unsuspecting consumer.
The "IFCC 2001 Internet Report" revealed that 81 percent of those committing acts of fraud were believed to be male, and nearly 76 percent of those allegedly involved in acts of fraud were individuals. According to the report, California, Texas, Florida, New York, and Illinois were the states in which half of the perpetrators resided. The report also provided a shocking example of just how difficult a task tracking down those involved in Internet fraud can be. According to the report, out of the more than 1,800 investigations initiated from complaints during 2001, only three arrests were made.
One example of the growing sophistication of Internet fraud cases can be seen in a 1997 case brought by the Federal Trade Commission (FTC). FTC v. Audiotex Connection, Inc., CV-970726 (E.D.N.Y.), dealt specifically with a scam in which Internet consumers were invited to view or to access free computer images. As reported in a February 10, 1998, FTC statement made before a Senate Subcommittee on Investigations of the Governmental Affairs Committee, when viewers attempted to access the images, their computer modems were surreptitiously disconnected from their local Internet Service Providers (ISPs) and were reconnected to the Internet through the defendants' expensive international modem connections. Exorbitantly priced long-distance telephone charges continued to accrue until the consumer turned off the computer, even if he or she had exited the defendant's Web site and moved elsewhere on the Internet. Approximately 38,000 consumers fell for this scam, losing $2.74 million.
The U.S. Department of Justice Web site that addresses the major types of Internet fraud reports the following recent examples of various types of illegal activity carried out using the medium.
Two separate Los Angeles cases demonstrate the intricacies of securities fraud and market manipulation. In the first case, defendants bought 130,000 shares of bogus stock in NEI Webworld, Inc., a bankrupt company whose assets had previously been liquidated. Defendants in the case then posted e-mail messages on various Internet bulletin boards, claiming that NEI was being acquired by a wireless telecommunications company. Within 45 minutes of the posting, shares increased from $8 to $15 each, during which time defendants "cashed out." The remaining stock was worth 25 cents a share within a 30-minute period. The second example involves a case in which an employee of PairGain Technologies set up a fraudulent Bloomberg news Web site and reported false information regarding the company's purchase by a foreign company. The employee then posted bogus e-mail messages on financial news bulletin boards that caused a 30 percent manipulation of PairGain stock prices within hours.
In another example of investment fraud, perpetrators used the Internet, along with telemarketing techniques, to mislead more than 3,000 victims into investing almost $50 million in fraudulent "general partnerships involving purported high-tech investments, such as an Internet shopping mall and Internet access providers."
More than 100 U.S. military officers were involved in a case of identity theft. Defendants in the case illegally acquired the names and social security numbers of the military personnel from a Web site, and then used the Internet to apply for credit cards issued by a Delaware bank. In another case of identity theft and fraud, a defendant stole personal information from the Web site of a federal agency and then used the information to make applications for an online auto loan through a Florida bank.
The Department of Justice Web site also gives an example of a widely reported version of credit card fraud. In the elaborate scheme, a perpetrator offers Internet consumers expensive electronics items, such as video cameras, at extremely low prices. As an incentive, they tell consumers that the item will ship before payment is finalized. When terms are agreed to, the perpetrator uses the consumer's name and address, but another party's illegally obtained credit card number, to purchase the item through a legitimate online vendor. Once the consumer has received the item, he or she authorizes credit card payment to the perpetrator. In the meantime, when the credit card holder, whose card number was used to purchase the item, stops payment on the unauthorized order, the vendor attempts to re-collect the merchandise from the consumer. The defrauded consumer, the victim of the credit card theft, and the merchant usually have no simple means of redress, since by the time they "catch on," the perpetrator has usually transferred funds into untraceable accounts.
In March 1999 the FBI became involved in a highly publicized hunt for a computer virus author. Electronic viruses are malicious software programs written to cause harm to unsuspecting computer users. They are designed to spread from computer to computer. Their propagation traditionally relied upon computer users sharing disks or software. On March 26, 2000, the appearance of the Melissa virus announced a new, dangerous breed of viruses delivered by e-mail, and it prompted heightened interest from federal law enforcement.
The virus was less deadly than those that erase data on a computer's hard drive. At heart, Melissa was an e-mail that contained a list of pornography Web sites, along with programming code that sent up to 50 copies of itself to names found in a victim's e-mail address book. This self-replicating behavior had the potential to strain and disable computer networks, as the FBI warned on March 28 in an alert issued through its National Infrastructure Protection Center (NIPC). Within days, these fears were realized as dozens of corporate e-mail servers slowed under a flood of Melissa e-mail. In all, the infection reached nearly 19 percent of U.S. corporations and an estimated 1.5 million computers.
Less than a week later, the FBI nabbed the virus author. David L. Smith, a 30-year-old, Aberdeen, New Jersey, computer programmer, had unintentionally left his name in similar virus code. Charged with conspiracy, theft of computer services, and interruption of public communications, he pleaded innocent. After striking a plea bargain with state and federal prosecutors on December 11, however, he pleaded guilty to a single state count of computer theft along with a single federal count of sending a damaging computer program. Smith acknowledged that the virus had caused upwards of $80 million in clean-up costs.
The FBI issued a second virus advisory in June 1999, and then in May 2000, U.S. and Philippine officials cooperated in a manhunt for a third virus author. Like Melissa, the so-called Love Bug worm transmitted and replicated itself via e-mail, but it differed by damaging files on victims' computers. As authorities deemed it the fastest-spreading virus in history, the NIPC traced its origins to Manila. Prompted by U.S. officials, the Philippine National Bureau of Investigation arrested 27-year-old Reomel Ramones. The case hit snags, however, as authorities were at a loss to find physical evidence and even to know what to charge Ramones with, since virus writing is not a criminal offense under Philippine law.
Hackers also launched assaults on U.S. government systems. For several years, hackers penetrated federal computers belonging to the Pentagon and other agencies, often eluding authorities. They occasionally publicized government data in works such as 2600: The Hacker Quarterly and created a daring image celebrated in popular culture. In 1999 the White House declared war. President Bill Clinton targeted hackers in get-tough speeches in January and May. An FBI dragnet culminated in the arrest of 20 suspected hackers in six states. Apparently as retaliation, hackers defaced Web sites belonging to the FBI, the Interior Department, the U.S. Senate, and even the White House, forcing some to shut down for hours. A few days later, on June 2, White House press secretary Joe Lockhart announced a government-wide review of computer security and vowed to punish the responsible parties. Yet the government's effectiveness came into question in early 2000 as high-profile attacks crippled major Web sites.
As the government grappled with hackers, a famous hacker was released from prison. Kevin Mitnick, held in federal custody without bail or a trial since 1995, entered a plea bargain with the Los Angeles district attorney's office on charges pending from his arrest for intrusion into several corporate computer systems. Mitnick had been a cause celebre in the computer underground since fleeing a manhunt in the early 1990s, and his case had prompted public protests and even hacks of Web sites proclaiming the message, "Free Kevin." On August 9, U.S. District Judge Mariana Pfaelzer sentenced the 35-year-old hacker to 46 months in federal prison and ordered him to pay $4,125 in restitution. He was released on January 21, 2000. Mitnick's parole terms forbid him from using computers in any way for another three years. When authorities subsequently barred him from accepting lucrative speaking engagements, Mitnick retained famed First Amendment attorney Floyd Abrams, filed suit, and successfully proved that the terms of his parole violated his right to freedom of speech.
As Internet auction sites gained popularity, fraud also attracted federal attention. In February 2000, the FTC announced a multi-agency effort to combat what it said was a hundredfold increase in complaints about Web-based fraud. The FTC reported that complaints had soared from 107 in 1997 to 10,700 in 1999. In response, it announced plans to work with the Department of Justice, the U.S. Postal Inspection Service, and other federal and state authorities to increase the number of cases it files in court, which to date amounted to only 35. The leading Internet auction site eBay separately announced that it would cooperate with authorities to sniff out con artists. According to statistics from the National Fraud Information Center, fraud in online auctions accounted for 90 percent of the total incidents of Internet fraud in 2002.
According to the U.S. National Consumers League, Internet-related fraud cost individuals and businesses $3.2 billion at the turn of the 21st century. The U.S. Federal Trade Commission (FTC) identified 18,660 instances of potential Internet fraud in 1999, with fully 25 percent of all consumer fraud complaints concerning the Internet, up from three percent in 1997. The Securities and Exchange Commission (SEC) received about 2,000 e-mails each day concerning possible online scams.
In many ways, the Internet seems tailor-made for engaging in fraudulent activity. A single individual can perpetrate elaborate, low-cost schemes while enjoying anonymity and a platform from which to reach potential victims all over the world. Among the crimes the Internet facilitates are identity theft and the generation of false, but valid, credit card numbers. Cyberspace also provides a new home for more traditional forms of fraud that can be more easily, and often more damagingly, committed online than in the physical world.
The true impact of Internet fraud is difficult to measure. Gartner Group reported that a survey of 166 retailers revealed an online credit card fraud rate that was 18 times higher than overall credit card fraud, while the U.S. Secret Service states that online and offline fraud rates are roughly the same. Part of this variation is caused by reluctance on the part of consumers and merchants to report fraud. Since there are no national reporting standards for credit card fraud, and claimed losses due to alleged fraud often are tallied in with all disputed claims, accurate measures are difficult to come by.
VARIETIES OF ONLINE FRAUD
Internet scams come in a wide range of guises. The most common online fraud concerns the compromise of shoppers' personal financial information when it is released to complete a sale on the Internet. Even well-known retailers seem prone to security breaches and hacking. A variety of sensitive personal information is revealed in such transactions, including a person's name, address, e-mail account, phone and social security numbers, passwords, and credit card data.
Online auction sites present prime breeding grounds for online fraud. The FTC reported that Internet fraud complaints rose from a mere 100 in 1997 to about 11,000 in 2000. The most common auction-related problem was that buyers failed to receive the items that they had paid for. The courts generally have refused to hold auction sites liable for any fraudulent activities perpetrated by sellers who use their sites. Potential customers are left to investigate the reliability of vendors through independent avenues. Some sites will post the names of fraudulent buyers who have been caught in scams designed to artificially inflate the highest price bid or in other ways fix the outcome of a sale. Auction site eBay draws roughly 16 million users each month. Nearly 87 percent of all online fraud cases in 2000 were believed to involve online auctions, with an average victim losing $600 per order. In addition to auctions, stock scams also are popular, especially the so-called "pump and dump" schemes in which con artists posing as investment experts fraudulently promote stocks via the Internet and then quickly sell their shares of those stocks in order to realize large profits.
Fraud perpetrators frequently utilize computer viruses, such as Trojan horse programs that arrive as e-mail attachments or JPEG images that, once opened, can steal passwords or grant hackers access to a user's PC. Dialer programs—applications that can terminate a connection to an ISP and dial another telephone number—also are involved. They often are presented as porn site downloads. Another online scam involves dot-coms whose sites closely mimic those of respected online companies. Web con artists use such sites to collect credit card information from inattentive online shoppers.
Identity theft constitutes a particular subset of online fraud. Hackers break into poorly protected servers, set up clone sites that resemble legitimate sites, and then use them to gather personal information. With merely a name, thieves can access Web directories or dossier services to acquire addresses and phone numbers.
Though most notorious online scams were perpetrated by teenagers in highly publicized cases of stock fraud, authorities actually are far more concerned about the international online fraud rings that have cropped up. The Gartner Group predicted that the most vigorous growth in online fraud in the early 2000s would involve petty larcenies committed by individuals operating from economically depressed countries, particularly Russia. The FBI indicates that stolen credit card data frequently is sold to Eastern European organized crime operations.
Among recent innovations in cyber fraud is domain name extortion, in which individuals receive faxes from phony domain name monitoring firms indicating that a third party is trying to register a dot-net version of a dot-com domain name that the individual owns. Then the firm offers to register the dot-net name for that individual, upon payment of a fee for the service. The U.S. Securities & Exchange Commission also launched an investigation of online frauds that attempt to sell investments in nonexistent nations, including New Utopia, the Kingdom of EnenKio, and the Dominion of Melchizedek.
Wireless subscription fraud also is emerging, since Internet security systems can't easily be transferred to a wireless environment. Merchants involved in fraudulent transactions conducted over the wireless Net that are completed with stolen credit card numbers are liable for the cost of the item, while wireless carriers are exempt from responsibility. In a wired environment, security is maintained by the SSL protocol, digital certificates, and user name/password verification; in wireless environments, SSL is translated to Wireless Transport Layer Security (WTLS). This translation permits information transferred from a wireless device to become decrypted, at which point credit card numbers and passwords can be stolen.
At the end of 2000, consumer protection agencies identified a "top 10" list of "dot-cons" as part of a multi-national effort to combat Internet fraud. The list was compiled from complaints lodged at Consumer Sentinel, a consumer fraud database. The list included, in decreasing order of prevalence: Internet auction fraud; Internet access services that lure consumers into unknowingly entering long-term access contracts; credit card fraud; offers of free access to porn sites when a viewer or dialer is downloaded; "Web cramming," or offers of a free 30-day trial use of a custom-designed Web site, which is later invoiced even if the recipient does not agree to continue use of the site; and finally, traditional "real world" scams transported to the Internet, such as pyramid schemes, vacation frauds, get-rich-quick offers, and miracle healthcare products.
PROTECTION AGAINST E-FRAUD
Most industry-standard encryption technologies only protect customer data during its actual transmission. An equally vulnerable point—the Web site's storage of personal data after the transaction occurs—often remains unprotected. Many hackers break into the servers that store customer data collected from past e-commerce transactions. Third-party sites that process credit card information also may furnish weak links. Thus, most online merchants rely on secure sockets layer (SSL) encryption technology to protect e-commerce data while in transit. However, it does nothing to safeguard information before or after it arrives on the server. Ideally, sites should possess a complex combination of firewalls, digital certificates, intrusion detection, access control, passwords, anti-virus software, and even biometrics systems to verify customers' identities. Retailers also can require the three-digit card verification value (CVV or CVV2), which is printed above the signature on the back of credit cards, to prevent unauthorized use of credit card numbers that have been obtained over the Web. Finally, transaction-risk scoring software exists that can spot deviations from customers' usual shopping patterns. One of the latest developments was a smart card payment option, which became popular in Europe.
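The transaction-risk scoring and CVV check described above can be sketched as follows. This is an added example, not code from any product the article mentions; the names (Txn, risk_score, decide), the weights and thresholds, and the sample order history are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    customer: str
    amount: float   # order total in dollars
    ship_to: str    # normalized shipping-address key
    cvv_ok: bool    # True if the CVV2 supplied at checkout matched


def baseline(history):
    """Summarize past orders: median amount, median absolute deviation
    (MAD), and the set of shipping addresses already seen."""
    amounts = [t.amount for t in history]
    med = median(amounts)
    mad = median([abs(a - med) for a in amounts])
    return med, mad, {t.ship_to for t in history}


def risk_score(txn, history):
    """Return (score, reasons). A higher score means a larger deviation
    from this customer's usual shopping pattern. Weights are assumed."""
    score, reasons = 0, []
    if not txn.cvv_ok:
        score += 40
        reasons.append("cvv_mismatch")
    if len(history) < 3:
        # Too few orders to define "usual"; flag that instead of guessing.
        score += 20
        reasons.append("thin_history")
        return score, reasons
    med, mad, known = baseline(history)
    # Floor the spread so identical past amounts never divide by zero.
    spread = max(mad, 0.05 * med, 1.0)
    if (txn.amount - med) / spread > 5:
        score += 30
        reasons.append("amount_outlier")
    if txn.ship_to not in known:
        score += 30
        reasons.append("new_ship_to")
    return score, reasons


def decide(score):
    """Map a score to an action (thresholds are assumed, not standard)."""
    if score >= 70:
        return "reject"
    return "review" if score >= 30 else "accept"


# Constructed order history for one hypothetical customer.
HISTORY = [
    Txn("c1", 42.00, "home", True),
    Txn("c1", 38.50, "home", True),
    Txn("c1", 55.00, "home", True),
    Txn("c1", 47.25, "home", True),
    Txn("c1", 40.00, "home", True),
]

if __name__ == "__main__":
    for t in (Txn("c1", 45.00, "home", True),
              Txn("c1", 899.00, "freight-forwarder", True),
              Txn("c1", 899.00, "freight-forwarder", False)):
        s, why = risk_score(t, HISTORY)
        print(f"{t.amount:>8.2f} {t.ship_to:<18} {s:>3} {decide(s):<7} {why}")
```

The median and MAD are used instead of mean and standard deviation so that one earlier large order does not widen the baseline and mask the next one.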
Federal legislation concerning online fraud includes the Computer Fraud and Abuse Act of 1986, which authorizes both criminal remedies and civil remedies for such offenses. The Electronic Signatures in Global and National Commerce Act ("E-Signature Act") of October 1, 2000 guaranteed that electronic signatures on legal agreements or commercial transactions enjoy the same legal status and protection as written signatures.
The Federal Trade Commission and the Internet Fraud Complaint Center (a joint initiative of the FBI and the National White Collar Crime Center) host Web sites where victims of online schemes can post complaints. In May 2000, the FBI teamed up with the National White Collar Crime Center to create the Internet Fraud Center, whose 161 full-time employees will conduct preliminary investigative work into complaints and then forward their findings to field agents. The FTC manages the world's biggest database on Internet fraud, though it cannot lodge criminal charges in cases.
Some electronic payment processors were developing special digital certificate codes that identify consumers as rightful credit-card holders. Also in the works were virtual, single-use credit cards. Ultimately, many firms hope that biometric identification systems, which read unique voice or retinal patterns, will provide higher e-commerce security.
The federal Fair Credit Billing Act limits consumer liability for all incidents of credit card fraud to only $50 of any unauthorized charges. Thus, online merchants often stand to lose the most from online fraud. Beyond the expenses of charge-backs and bank fees (which are higher than those paid by their traditional retail counterparts), companies that gain reputations as vulnerable to online fraud often lose customer confidence and business. The CSI/FBI Computer Crime and Security Survey for 2000 indicated that 44 percent of all companies interviewed revealed that they failed to report incidents, while 20 percent notified their legal counsel, and only 25 percent went to law enforcement agencies. More than half stated that they wanted to avoid negative publicity or would prefer to handle the situation themselves.
THE EXTENT OF E-FRAUD
A survey of 140 members of the Worldwide eCommerce Fraud Prevention Network indicated that many international firms consider online fraud a serious but manageable problem. However, despite their assertion, only 10 percent of those firms surveyed spent more than three percent of their total revenue on fraud protection, while 60 percent spent less than one percent. Of the varieties of online fraud, one-third found the difficulty in prosecuting Web-based fraud to pose the greatest threat to their online businesses.
The Internet Fraud Complaint Center received more than 20,000 complaints during its first six months of operation, according to the FBI and the National White Collar Crime Center. Computer users made more than 37.5 million visits to the Web site. Auction fraud was the most reported Internet fraud, comprising 64.1 percent of all referred complaints. Several of the complaints involved monetary losses of $100,000 or more, including one involving more than $366,000. Internet-related fraud complaints to the Federal Trade Commission were up from 8,000 in 1998 to 23,000 in 2000 (not including identity theft).
According to MSNBC, research companies that conduct studies about credit card fraud disagree regarding the extent of the problem. While some analysts cite the occurrence of online credit card theft as about 3.5 times higher than non-Internet credit card fraud, others claim the rate to be about 10 times greater.