www.rivkinradler.com, November 11, 2004
New York Law Journal*
Phishing
Companies and Legislation Take Aim at Cyberspace's Latest Con
By: Shari Claire Lewis, Esq.

[Author Bio: Shari Claire Lewis is a partner at Rivkin Radler LLP, where she specializes in litigation in the areas of Internet, Domain Name, and Computer Law as well as Professional Liability and Medical Device and Product Liability. Resident in the firm's Long Island office, she may be reached at shari.lewis@rivkin.com.]
One of the biggest fraud problems on the Internet is something called "phishing." Phishing - a play on the word fishing, as in "fishing for confidential information" - refers to a scam that encompasses fraudulently obtaining and using someone's confidential personal or financial information.
About 1 million Americans already have been victimized by phishers, which has cost the economy more than $2 billion over the past year, according to some estimates.[1] And the problem is getting worse. An anti-phishing trade group estimates that there were nearly 2,000 phishing attacks in July, which is nearly 40 percent more than in June and significantly more than the 116 attacks that occurred in December.[2] Some have suggested that phishers are able to persuade up to five percent of the recipients of their e-mail to respond to them.[3]
Generally speaking, phishing works as follows:
A consumer receives an e-mail that appears to originate from his or her Internet service provider, a financial institution, online payment service, government agency, or other well-known or reputable business entity, but is actually spam sent by the phisher;[4]
The message tells the consumer that he must "verify" or "re-submit" confidential personal or financial information by clicking on a link embedded in the message. Incredibly, the message often uses the prevalence of phishing and other fraudulent practices on the Internet as justification for asking the consumer to confirm the information that the legitimate entity should already have in its possession;
The provided link leads the unwary consumer to a Web site, which purports to be the site of the entity ostensibly requesting the information. To do so, the phisher uses the entity's logos, trademarks, marketing phrases and other indicia of authenticity to mislead the consumer as to the source of the site;
Once the consumer has accessed the fraudulent site, he may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer's mother or the consumer's place of birth;
If the consumer complies and provides that information, the phisher can begin to access consumer accounts or assume the consumer's identity.[5]
Much of the stolen personal information is thereafter used by international organized crime or offered for sale on the Internet on sites that are hosted outside the United States and can be created and dismantled on a moment's notice. Thus, although the ramifications of phishing are far reaching and potentially implicate international legal enforcement concerns, the problem is peculiarly difficult to police.[6]
There are variations to this scam. For example, some phishers have begun to advertise on real Web sites with banner ads promising a benefit, but that, when clicked on, direct Web surfers to their fraudulent site.
A large number of companies have had their sites copied by phishers, from financial institutions such as Citibank, Capital One and Wells Fargo to retail and services companies including eBay and PayPal. Even governmental sites have not been immune; for instance, the Federal Deposit Insurance Corp. has warned that its site has been misappropriated by phishers.[7]
Businesses React
Companies with a Web presence should make efforts to limit the risks to their customers and other consumers from phishing, if not to limit their own liability, then at least to lower the chance that their names will be used in phishing requests. Recognizing that phishing harms not just the susceptible victim, but also the good will of the company whose name has been appropriated, businesses are beginning to work together in an effort to combat phishing. For example, the Anti-Phishing Working Group and the Financial Services Technology Consortium, a group of leading North American-based banks and other financial institutions, are partnering in an effort to address phishing in financial services.
Individually, businesses can make it clear to their customers that they will never send e-mail asking customers to verify their account information online. Such a warning should help cut down on consumer responses to e-mail seeking that data no matter how bona fide it might appear.
Also, businesses can make it easy for consumers to notify them about e-mail that they believe may be suspect. Citibank's site, www.citibank.com, allows users to click on "contact us," which brings them to a page that includes a separate link that permits them to notify Citibank "[i]f you think that you may have received a fraudulent e-mail." When a customer clicks on that link, a form appears in a pop-up window allowing the customer to provide information about the e-mail and to give Citibank his or her contact information. It should be noted that this pop-up window states that if the customer provides his or her e-mail address, it will be used "for communication about this issue only and is separate from any e-mail permissions that you may have previously provided to us." This notice should limit individuals' concerns about providing their e-mail addresses to Citibank and then being faced with spam or unsolicited offers.
Companies troubled about phishing also can provide their customers with the contact information for federal agencies that are making an effort to combat this problem, including the Federal Deposit Insurance Corporation at www.fdic.gov, and the Federal Trade Commission at www.consumer.gov/idtheft or 1-877-IDTHEFT.
But, it is the individual who is in the best position to protect his or her confidential information from phishing attacks. Concerned companies could therefore advise their customers:
not to click on a link provided in an e-mail if there is reason to believe it is fraudulent;
not to be intimidated by e-mail that warns of dire consequences for not following its instructions;
to go to the company's Web site by typing in exactly a site address that they know to be legitimate if they have a question about whether an e-mail is legitimate; and
to act immediately to protect themselves by alerting the businesses with which they have a relationship if they are victimized by a phishing scam, by placing fraud alerts on their credit files with the three major credit bureaus - Equifax, Experian, and TransUnion - and by closely monitoring their account statements.
In addition, consumers should beware of e-mail containing typos or bad grammar. Consumers should also take care to notice Web site addresses that have lengthy text before the "@" sign, followed by unfamiliar addresses that appear to be similar to, but in fact differ from, the actual business address by a single letter or reside in a different top level domain.
Companies also can help consumers protect themselves by explaining that, although consumers can and should rely on passive security features that are either part of their operating systems or Web browsers, or that can be obtained through additional low cost or free software (firewalls, anti-spyware programs, cookie blockers, etc.), to help with "intrusion" frauds, these programs will not protect against phishing, which only works when the consumer responds. Indeed, as phishers get more and more sophisticated, even spam blocking technology becomes less effective in preventing the phishing e-mail from reaching the consumer in the first instance.
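The three address tricks described above (text before an "@" sign, a single-letter difference, a different top level domain) can be checked mechanically. The following added example is not from the article; it assumes a constructed list of domains a company has told its customers are legitimate, and approximates the registrable domain as the two rightmost labels.

```python
from urllib.parse import urlsplit

# Constructed placeholder list of domains a company has published as legitimate.
KNOWN_DOMAINS = {"citibank.com", "paypal.com", "ebay.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_warnings(url: str, known=KNOWN_DOMAINS) -> list:
    """Return the reasons a URL matches the address patterns the article warns about."""
    parts = urlsplit(url)
    warnings = []
    # Anything before "@" in the authority is userinfo, not the host. A browser
    # connects to the part after "@", so a brand name placed before it is decoration.
    if parts.username is not None:
        warnings.append(f"text before '@' ({parts.username!r}) is not the host")
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return warnings + ["host has no top level domain"]
    registrable = ".".join(labels[-2:])  # simplification: two rightmost labels
    if registrable in known:
        return warnings
    name, tld = labels[-2], labels[-1]
    for legit in sorted(known):
        legit_name, legit_tld = legit.split(".", 1)
        if name == legit_name and tld != legit_tld:
            warnings.append(f"{host} uses '.{tld}' instead of '.{legit_tld}' ({legit})")
        elif edit_distance(name, legit_name) == 1:
            warnings.append(f"{host} differs from {legit} by a single letter")
        elif legit_name in labels[:-2]:
            warnings.append(f"{host} is not {legit}; the brand only appears as a subdomain")
    return warnings
```

A company could run such a check over the links in reported e-mails before answering the customer who forwarded them.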
Pending Legislation
Congress has recognized the dangers of phishing, both to individuals and to the integrity of the Internet. Several months ago, U.S. Senator Patrick Leahy introduced S. 2636, a bill to criminalize Internet scams involving phishing. This bill, known as the "Anti-Phishing Act of 2004," has two primary goals. First, if enacted, it would make it illegal to knowingly send out spoofed e-mail that links to sham Web sites, with the intention of committing a crime. Second, it would criminalize the sham sites that are what Senator Leahy characterizes as "the true scene of the crime" by making it illegal to knowingly create or procure a Web site that purports to be a legitimate online business with the intent of collecting information for some criminal purpose.
It should be noted that the Anti-Phishing Act protects parodies and political speech from being prosecuted as phishing.
The bill has been referred to the Senate Judiciary Committee.
There has been more congressional action on a second bill, H.R. 4661, the "Internet Spyware (I-Spy) Prevention Act of 2004." In fact, H.R. 4661 was favorably reported by the Judiciary Committee, passed by the House of Representatives, and received in the Senate on October 8.
The Judiciary Committee report accompanying H.R. 4661 recognizes, correctly, that, in some respects, phishing is only distinguished from traditional identity theft and fraud because it involves employing the Internet as a means of obtaining the desired information. Indeed, the report points out that the schemes themselves, and the uses of the information by the criminals who obtain it, are not unique to the Internet, and almost all are illegal under existing federal criminal laws dealing with wire fraud and identity theft.[8]
Nevertheless, H.R. 4661 is serious about targeting phishing. It authorizes appropriations to the Department of Justice for fiscal year 2005 through fiscal year 2008 of $10 million per fiscal year for "dedicated prosecutions" needed to discourage phishing (and the use of spyware). Significantly, this sum is in addition to any sums otherwise authorized to be appropriated for this purpose. H.R. 4661 further states that it is "the sense of Congress" that the Justice Department should "vigorously" prosecute those who conduct "phishing scams."