One of the biggest frauds on the Internet today is something called “phishing.”

Phishing — a play on the word fishing, as in “fishing for confidential information” — refers to a scam that encompasses fraudulently obtaining and using someone’s confidential personal or financial information.

About 1 million Americans already have been victimized by phishers, which has cost the economy more than $2 billion over the past year, according to some estimates. [FOOTNOTE 1] And the problem is getting worse. An anti-phishing trade group estimates there were nearly 2,000 phishing attacks in July, which was nearly 40 percent more than in June and significantly more than the 116 attacks that occurred in December. [FOOTNOTE 2] Some have suggested that phishers are able to persuade up to 5 percent of the recipients of their e-mail to respond to them. [FOOTNOTE 3]

Generally speaking, phishing works as follows:

• A consumer receives an e-mail that appears to originate from his Internet service provider, a financial institution, online payment service, government agency or other well-known or reputable business entity, but is actually spam sent by the phisher; [FOOTNOTE 4]

• The message tells the consumer that he must “verify” or “re-submit” confidential personal or financial information by clicking on a link embedded in the message. Incredibly, the message often uses the prevalence of phishing and other fraudulent practices on the Internet as justification for asking the consumer to confirm the information that the legitimate entity should already have in its possession;

• The provided link leads the unwary consumer to a Web site, which purports to be the site of the entity ostensibly requesting the information. To do so, the phisher uses the entity’s logos, trademarks, marketing phrases and other indicia of authenticity to mislead the consumer as to the source of the site;

• Once the consumer has accessed the fraudulent site, he may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the birth name of the consumer’s mother or the consumer’s place of birth;

• If the consumer complies and provides that information, the phisher can begin to access the consumer’s accounts or assume the consumer’s identity. [FOOTNOTE 5]

Much of the stolen personal information is thereafter used by international organized criminals or offered for sale on the Internet on sites that are hosted outside the United States and can be created and dismantled on a moment’s notice. Thus, although the ramifications of phishing are far reaching and potentially implicate international legal enforcement concerns, the problem is peculiarly difficult to police. [FOOTNOTE 6]

There are variations to this scam. For example, some phishers have begun to advertise on real Web sites with banner ads promising a benefit but that, when clicked on, direct surfers to a fraudulent site.

A large number of companies have had their sites copied by phishers, from financial institutions such as Citibank, Capital One and Wells Fargo to retail and services companies including eBay and PayPal. Even governmental sites have not been immune; for instance, the Federal Deposit Insurance Corp. has warned that its site has been misappropriated by phishers. [FOOTNOTE 7]

BUSINESSES REACT

Companies with a Web presence should make efforts to limit the risks to their customers and other consumers from phishing, if not to limit their liability risks at least to lower the chance that they will be smeared by phishing requests.
Recognizing that phishing harms not just the victim, but also the goodwill of the company whose name has been appropriated, businesses are beginning to work together in an effort to combat phishing. For example, the Anti-Phishing Working Group and the Financial Services Technology Consortium, a group of leading North American-based banks and other financial institutions, are partnering in an effort to address phishing in financial services.

Individually, businesses can make it clear to their customers that they will never send e-mail asking them to verify account information online. Such a warning should help cut down on consumer responses to e-mail seeking that data no matter how bona fide it might appear.

Also, businesses can make it easy for consumers to notify them about e-mail they believe may be suspect. Citibank’s site, www.citibank.com, allows users to click on “contact us,” which brings them to a page that includes a separate link that permits them to notify Citibank “[i]f you think that you may have received a fraudulent e-mail.” When a customer clicks on that link, a form appears in a pop-up window allowing the customer to provide information about the e-mail and to give Citibank his contact information. It should be noted that this pop-up window states that if the customer provides his e-mail address, it will be used “for communication about this issue only and is separate from any e-mail permissions that you may have previously provided to us.” This notice should limit individuals’ concerns about providing their e-mail addresses to Citibank and then being faced with spam or unsolicited offers.

Companies troubled about phishing also can provide their customers with the contact information for federal agencies that are making an effort to combat this problem, including the Federal Deposit Insurance Corporation at www.fdic.gov, and the Federal Trade Commission at www.consumer.gov/idtheft or 1-877-IDTHEFT.
But it is the individual who is in the best position to protect his confidential information from phishing attacks. Concerned companies could therefore advise their customers:

• not to click on a link provided in an e-mail if there is reason to believe it is fraudulent;

• not to be intimidated by e-mail that warns of dire consequences for not following its instructions;

• to go to the company’s Web site by exactly typing in a site address that they know to be legitimate if they have a question about whether an e-mail is legitimate; and

• to act immediately to protect themselves by alerting the businesses with which they have a relationship if they are victimized by a phishing scam, by placing fraud alerts on their credit files with the three major credit bureaus — Equifax, Experian, and TransUnion — and by closely monitoring their account statements.

In addition, consumers should beware e-mail containing typos or bad grammar. Consumers should also take care to notice Web site addresses that have lengthy addresses before the “@” sign, followed by unfamiliar addresses or addresses that appear to be similar, but in fact differ from the actual business address by a single letter or reside in a different top level domain.

Companies also can help consumers protect themselves by suggesting that although consumers can and should rely on passive security features that are either part of their operating systems or Web browsers, or that can be obtained through additional low cost or free software (firewalls, anti-spyware programs, cookie blockers, etc.) to help with “intrusion” frauds, these programs will not protect against phishing, which only works when the consumer responds. Indeed, as phishers get more and more sophisticated, even spam blocking technology becomes less effective in preventing the phishing e-mail from reaching the consumer in the first place.

PENDING LEGISLATION

Congress has recognized the dangers of phishing, both to individuals and to the integrity of the Internet. Several months ago, U.S. Senator Patrick Leahy, D-Vermont, introduced S. 2636, a bill to criminalize Internet scams involving phishing. This bill, called the Anti-Phishing Act of 2004, has two primary goals. First, if enacted, it would make it illegal to knowingly send out spoofed e-mail that links to sham Web sites, with the intention of committing a crime. Second, it would criminalize the sham sites that are what Senator Leahy characterizes as “the true scene of the crime” by making it illegal to knowingly create or procure a Web site that purports to be a legitimate online business with the intent of collecting information for criminal purposes.

It should be noted that the Anti-Phishing Act protects parodies and political speech from being prosecuted as phishing.

The bill has been referred to the Senate Judiciary Committee.

There has been more congressional action on a second bill, H.R. 4661, the Internet Spyware (I-Spy) Prevention Act of 2004. In fact, H.R. 4661 was favorably reported by the Judiciary Committee, passed by the House of Representatives, and received in the Senate on Oct. 8.

The Judiciary Committee report accompanying H.R. 4661 recognizes, correctly, that, in some respects, phishing is only distinguished from traditional identity theft and fraud because it involves employing the Internet as a means to obtaining the desired information. Indeed, the report points out that the schemes themselves, and the uses of the information by the criminals who obtain it, are not unique to the Internet, and almost all are illegal under existing federal criminal laws dealing with wire fraud and identity theft. [FOOTNOTE 8]

Nevertheless, H.R. 4661 is serious about targeting phishing. It authorizes appropriations to the Department of Justice for fiscal year 2005 through fiscal year 2008 of $10 million per fiscal year for “dedicated prosecutions” needed to discourage phishing (and the use of spyware). Significantly, this sum is in addition to any sums otherwise authorized to be appropriated for this purpose. H.R. 4661 further states that it is “the sense of Congress” that the Justice Department should “vigorously” prosecute those who conduct “phishing scams.”

Shari Claire Lewis is a partner at Rivkin Radler in Uniondale, N.Y., specializing in litigation in the areas of Internet, domain name and computer law as well as professional liability and medical device and product liability.

::::FOOTNOTES::::

FN1 See Statement by Senator Patrick Leahy, D-Vermont, on S. 2636, Cong. Rec. July 9, 2004, at S.7897.

FN2 The anti-phishing trade group defines a unique phishing attack as “a single e-mail blast sent out at one time, targeting one company or organization, and having one unique subject line.” It also notes that as phishers try to get past spam filters, they on occasion are using multiple different subject lines for a single attack; thus, the group states that the number of attacks may be somewhat lower for some target companies. See www.antiphishing.org/APWG_Phishing_Attack_Report-Jul2004.pdf.

FN3 See www.antiphishing.org/APWG_Phishing_Attack_Report-Jul2004.pdf.
FN4 This practice of forging the source of e-mail so that it appears to come from a source different than the sender is often referred to as “e-mail spoofing.” See, e.g., www.webopedia.com/TERM/e/e_mail_spoofing.html

FN5 S.2636 defines “phishing” as a scam that “uses false e-mail addresses, stolen graphics, stylistic imitation, misleading or disguised hyperlinks, so-called ‘social engineering,’ and other artifices to trick users into revealing personally identifiable information.” S.2636 further observes that after obtaining this information, the phisher “then uses the information to create unlawful identification documents and/or to unlawfully obtain money or property.”

FN6 See, e.g., www.washingtonpost.com/wp-dyn/articles/A7152-2004Oct28.html, “Police Arrest 28 in Online ID Theft Scams.”

FN7 See www.fdic.gov/consumers/consumer/alerts/index.html.

FN8 See H.R. Rep. 108-698, at 4.
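
The address warning signs named in the advice to consumers above (a lengthy string before the “@” sign followed by an unfamiliar address, an address one letter off from the real one, or the same name in a different top level domain) can also be checked automatically for links in mail that claims to come from a business. The Python code below is an added example, not part of the original article; the allow-list, the function names and the sample links are constructed, and taking the last two labels as the registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption); a business would list its own domains here.
KNOWN_DOMAINS = {"mybank.example"}

def differs_by_one(a, b):
    """True if a and b differ by exactly one changed, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def registered_domain(host):
    # Simplification (assumption): keep the last two labels. Real code needs the
    # Public Suffix List to handle suffixes such as "co.uk".
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(url, known=KNOWN_DOMAINS):
    """Warning signs for a link in mail that claims to come from a known business."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    domain = registered_domain(parts.hostname or "")
    findings = []
    if parts.username is not None:  # text before the "@" is never the real host
        findings.append("text-before-@")
    if domain in known:
        return findings
    lookalike = False
    for good in sorted(known):
        name, _, tld = good.partition(".")
        d_name, _, d_tld = domain.partition(".")
        if d_name == name and d_tld != tld:
            findings.append("different-tld:" + good)
            lookalike = True
        elif differs_by_one(domain, good):
            findings.append("one-letter-off:" + good)
            lookalike = True
    if not lookalike:
        findings.append("unfamiliar-host")
    return findings

# Constructed sample links using reserved documentation names and addresses.
SAMPLES = ["https://www.mybank.example/login",
           "http://www.mybank.example@203.0.113.7/verify",
           "http://www.mybamk.example/verify",
           "http://mybank.test/verify"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, check_link(link))
```
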


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.