One of the biggest frauds on the Internet today is something called “phishing.” Phishing — a play on the word fishing, as in “fishing for confidential information” — refers to a scam that encompasses fraudulently obtaining and using someone’s confidential personal or financial information. About 1 million Americans already have been victimized by phishers, which has cost the economy more than $2 billion over the past year, according to some estimates. [FOOTNOTE 1]

And the problem is getting worse. An anti-phishing trade group estimates there were nearly 2,000 phishing attacks in July, which was nearly 40 percent more than in June and significantly more than the 116 attacks that occurred in December. [FOOTNOTE 2] Some have suggested that phishers are able to persuade up to 5 percent of the recipients of their e-mail to respond to them. [FOOTNOTE 3]

Generally speaking, phishing works as follows:

• A consumer receives an e-mail that appears to originate from his Internet service provider, a financial institution, online payment service, government agency, or other well-known or reputable business entity, but is actually spam sent by the phisher; [FOOTNOTE 4]
• The message tells the consumer that he must “verify” or “re-submit” confidential personal or financial information by clicking on a link embedded in the message. Incredibly, the message often uses the prevalence of phishing and other fraudulent practices on the Internet as justification for asking the consumer to confirm the information that the legitimate entity should already have in its possession;
• The provided link leads the unwary consumer to a Web site, which purports to be the site of the entity ostensibly requesting the information. To do so, the phisher uses the entity’s logos, trademarks, marketing phrases and other indicia of authenticity to mislead the consumer as to the source of the site.
Once the consumer has accessed the fraudulent site, he may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the birth name of the consumer’s mother or the consumer’s place of birth. If the consumer complies and provides that information, the phisher can begin to access the consumer’s accounts or assume the consumer’s identity. [FOOTNOTE 5]

Much of the stolen personal information is thereafter used by international organized crime or offered for sale on the Internet on sites that are hosted outside the United States and can be created and dismantled on a moment’s notice. Thus, although the ramifications of phishing are far reaching and potentially implicate international legal enforcement concerns, the problem is peculiarly difficult to police. [FOOTNOTE 6]

There are variations to this scam. For example, some phishers have begun to advertise on real Web sites with banner ads promising a benefit but that, when clicked on, direct surfers to a fraudulent site. A large number of companies have had their sites copied by phishers, from financial institutions such as Citibank, Capital One and Wells Fargo to retail and services companies including eBay and PayPal. Even governmental sites have not been immune; for instance, the Federal Deposit Insurance Corp. has warned that its site has been misappropriated by phishers. [FOOTNOTE 7]

BUSINESSES REACT

Companies with a Web presence should make efforts to limit the risks to their customers and other consumers from phishing, if not to limit their liability risks at least to lower the chance that they will be smeared by phishing requests. Recognizing that phishing harms not just the victim, but also the good will of the company whose name has been appropriated, businesses are beginning to work together in an effort to combat phishing.
For example, the Anti-Phishing Working Group and the Financial Services Technology Consortium, a group of leading North American-based banks and other financial institutions, are partnering in an effort to address phishing in financial services.

Individually, businesses can make it clear to their customers that they will never send e-mail asking them to verify account information online. Such a warning should help cut down on consumer responses to e-mail seeking that data no matter how bona fide it might appear.

Also, businesses can make it easy for consumers to notify them about e-mail they believe may be suspect. Citibank’s site, www.citibank.com, allows users to click on “contact us,” which brings them to a page that includes a separate link that permits them to notify Citibank “[i]f you think that you may have received a fraudulent e-mail.” When a customer clicks on that link, a form appears in a pop-up window allowing the customer to provide information about the e-mail and to give Citibank his contact information. It should be noted that this pop-up window states that if the customer provides his e-mail address, it will be used “for communication about this issue only and is separate from any e-mail permissions that you may have previously provided to us.” This notice should limit individuals’ concerns about providing their e-mail addresses to Citibank and then being faced with spam or unsolicited offers.

Companies troubled about phishing also can provide their customers with the contact information for federal agencies that are making an effort to combat this problem, including the Federal Deposit Insurance Corporation at www.fdic.gov, and the Federal Trade Commission at www.consumer.gov/idtheft or 1-877-IDTHEFT.

But it is the individual who is in the best position to protect his confidential information from phishing attacks.
Concerned companies could therefore advise their customers:

• not to click on a link provided in an e-mail if there is reason to believe it is fraudulent;
• not to be intimidated by e-mail that warns of dire consequences for not following its instructions;
• to go to the company’s Web site by exactly typing in a site address that they know to be legitimate if they have a question about whether an e-mail is legitimate; and
• to act immediately to protect themselves by alerting the businesses with which they have a relationship if they are victimized by a phishing scam, by placing fraud alerts on their credit files with the three major credit bureaus — Equifax, Experian, and TransUnion — and by closely monitoring their account statements.

In addition, consumers should beware e-mail containing typos or bad grammar. Consumers should also take care to notice Web site addresses that have lengthy addresses before the “@” sign, followed by unfamiliar addresses or addresses that appear to be similar, but in fact differ from the actual business address by a single letter or reside in a different top level domain.

Companies also can help consumers protect themselves by suggesting that although consumers can and should rely on passive security features that are either part of their operating systems or Web browsers, or that can be obtained through additional low cost or free software (firewalls, anti-spyware programs, cookie blockers, etc.) to help with “intrusion” frauds, these programs will not protect against phishing, which only works when the consumer responds. Indeed, as phishers get more and more sophisticated, even spam blocking technology becomes less effective in preventing the phishing e-mail from reaching the consumer in the first place.

PENDING LEGISLATION

Congress has recognized the dangers of phishing, both to individuals and to the integrity of the Internet. Several months ago, U.S. Senator Patrick Leahy, D-Vermont, introduced S. 2636, a bill to criminalize Internet scams involving phishing. This bill, called the Anti-Phishing Act of 2004, has two primary goals. First, if enacted, it would make it illegal to knowingly send out spoofed e-mail that links to sham Web sites, with the intention of committing a crime. Second, it would criminalize the sham sites that are what Senator Leahy characterizes as “the true scene of the crime” by making it illegal to knowingly create or procure a Web site that purports to be a legitimate online business with the intent of collecting information for criminal purposes. It should be noted that the Anti-Phishing Act protects parodies and political speech from being prosecuted as phishing. The bill has been referred to the Senate Judiciary Committee.

There has been more congressional action on a second bill, H.R. 4661, the Internet Spyware (I-Spy) Prevention Act of 2004. In fact, H.R. 4661 was favorably reported by the Judiciary Committee, passed by the House of Representatives, and received in the Senate on Oct. 8.

The Judiciary Committee report accompanying H.R. 4661 recognizes, correctly, that, in some respects, phishing is only distinguished from traditional identity theft and fraud because it involves employing the Internet as a means to obtaining the desired information. Indeed, the report points out that the schemes themselves, and the uses of the information by the criminals who obtain it, are not unique to the Internet, and almost all are illegal under existing federal criminal laws dealing with wire fraud and identity theft. [FOOTNOTE 8]

Nevertheless, H.R. 4661 is serious about targeting phishing. It authorizes appropriations to the Department of Justice for fiscal year 2005 through fiscal year 2008 of $10 million per fiscal year for “dedicated prosecutions” needed to discourage phishing (and the use of spyware). Significantly, this sum is in addition to any sums otherwise authorized to be appropriated for this purpose. H.R. 4661 further states that it is “the sense of Congress” that the Justice Department should “vigorously” prosecute those who conduct “phishing scams.”

Shari Claire Lewis is a partner at Rivkin Radler in Uniondale specializing in litigation in the areas of Internet, domain name, and computer law as well as professional liability and medical device and product liability.

::::FOOTNOTES::::

FN1 See Statement by Senator Patrick Leahy, D-Vermont, on S. 2636, Cong. Rec. July 9, 2004, at S.7897.

FN2 The anti-phishing trade group defines a unique phishing attack as “a single e-mail blast sent out at one time, targeting one company or organization, and having one unique subject line.” It also notes that as phishers try to get past spam filters, they on occasion are using multiple different subject lines for a single attack; thus, the group states that the number of attacks may be somewhat lower for some target companies. See www.antiphishing.org/APWG_Phishing_Attack_Report-Jul2004.pdf.

FN3 See www.antiphishing.org/APWG_Phishing_Attack_Report-Jul2004.pdf.

FN4 This practice of forging the source of e-mail so that it appears to come from a source different than the sender is often referred to as “e-mail spoofing.” See, e.g., www.webopedia.com/TERM/e/e_mail_spoofing.html

FN5 S.2636 defines “phishing” as a scam that “uses false e-mail addresses, stolen graphics, stylistic imitation, misleading or disguised hyperlinks, so-called ‘social engineering’, and other artifices to trick users into revealing personally identifiable information.” S.2636 further observes that after obtaining this information, the phisher “then uses the information to create unlawful identification documents and/or to unlawfully obtain money or property.”

FN6 See, e.g., www.washingtonpost.com/wp-dyn/articles/A7152-2004Oct28.html, “Police Arrest 28 in Online ID Theft Scams.”

FN7 See www.fdic.gov/consumers/consumer/alerts/index.html.

FN8 See H.R. Rep. 108-698, at 4.
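
The address warning signs listed in the advice to consumers above (text before the “@” sign, a domain that differs from the real one by a single letter, or a different top level domain) can be checked mechanically. The following is an added example, not part of the original article; the trusted list, sample links and function names are constructed for illustration, and it generalizes “a single letter” to any one-character substitution, insertion or deletion.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the reader actually does business with.
TRUSTED = {"example.com"}

def within_one_edit(a, b):
    """True if a and b differ by exactly one substituted, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                           # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one substitution
    return a[i:] == b[i + 1:]            # one insertion/deletion

def registrable(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Real deployments should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(url, trusted=TRUSTED):
    """Return a list of warning signs for a link; an empty list means none found."""
    parts = urlsplit(url if "//" in url else "//" + url)
    findings = []
    if "@" in parts.netloc:              # text before "@" is not the host
        findings.append("userinfo-before-@")
    domain = registrable(parts.hostname or "")
    if domain in trusted:
        return findings
    name, _, tld = domain.rpartition(".")
    domain_findings = []
    for good in sorted(trusted):
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            domain_findings.append("different-tld:" + good)
        elif tld == good_tld and within_one_edit(name, good_name):
            domain_findings.append("one-letter-lookalike:" + good)
    return findings + (domain_findings or ["unfamiliar-domain"])

if __name__ == "__main__":
    for link in ["https://www.example.com/login",                      # constructed samples
                 "http://www.example.com-account-verify@203.0.113.7/update",
                 "http://www.exemple.com/verify",
                 "http://www.example.net/verify"]:
        print(link, "->", check_link(link) or "no warning signs")
```

A mail gateway or reporting form could run such a check on every link in a message and surface the findings to the recipient or to the fraud team.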


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.