washingtonpost.com  > Metro > Virginia
General Assembly

Va. Lawmakers Aim to Hook Cyberscammers

Starting July 1, Those Who 'Phish' for Personal Data Online Can Be Prosecuted

By Karin Brulliard
Washington Post Staff Writer
Sunday, April 10, 2005; Page C08

The Virginia General Assembly this year passed a handful of new bills aimed at cracking down on computer and online crimes, including a statute that observers say is the nation's first law that criminalizes "phishing" schemes.

Phishing occurs when someone sends out bulk e-mail messages designed to trick consumers into revealing bank account passwords, Social Security numbers and other personal information.

Sen. Kenneth W. Stolle said the new state laws will "make computer crimes more painful and less profitable." (Photos Robert A. Reeder -- The Washington Po St)

Net Aids Access to Sensitive ID Data (The Washington Post, Apr 4, 2005)
Microsoft Seeks to Identify Phishing Scam Authors (washingtonpost.com, Mar 31, 2005)
DNA Key to Decoding Human Factor (washingtonpost.com, Mar 28, 2005)
More Security News

Starting July 1, cyberscammers who deceive people out of that kind of information could face a felony charge punishable by up to five years in prison and $2,500 in fines. Those convicted of selling the data or using it to commit another crime, such as identity theft, would face twice the prison time.

Other new laws boost penalties for hackers convicted of computer trespassing or invasion of privacy, which includes disabling a computer with a virus, stealing personal data directly from a computer or using "spyware" programs to do so. The bills also update some computer-related definitions penned in the 1980s that have become practically archaic in the quickly changing world of technology.

Lawmakers said the changes will give prosecutors more power to go after cybercriminals and deter others from committing high-tech crimes.

"Not in all cases, but in many cases these statutes make computer crimes more painful and less profitable," said Sen. Kenneth W. Stolle (R-Virginia Beach), a sponsor of one bill.

The new legislation will bolster Virginia's Computer Crimes Act, which is already among the toughest in the nation. Former state attorney general Jerry R. Kilgore (R) adopted a tough-on-computer-crime stance while in office, ushering in the nation's first anti-spam law. And lawmakers have worked closely on the issue with high-tech companies, many of which are based in Virginia, where as much as half the world's e-mails are routed.

"Other legislatures look to us as being leaders in the area of computer legislation," said Del. Joe T. May (R-Loudoun), who sponsored one of the bills. "I just see it as us doing our job."

The new legislation was written carefully to ensure that only people with criminal intent could be prosecuted, said Stewart Petoe, director of legal affairs for the Virginia State Crime Commission, a legislative advisory body. That means people who accidentally erase files from their colleagues' computers or online chat room suitors who falsely say they're millionaire doctors could not be prosecuted, he said.

True phishers, however, would be fair game. Industry observers say phishing is booming and costs consumers and businesses hundreds of millions of dollars each year. To "hook" consumers, phishers send e-mails that appear to come from banks, Internet providers or other companies. The messages typically demand that consumers click on a link to a sham Web site, where they are asked to surrender personal information or lose their accounts.

According to the Anti-Phishing Working Group, an industry association, the number of phishing Web sites grew by 28 percent from July 2004 to January 2005. David Jevans, chairman of the group, said a few other states, including California, are considering anti-phishing laws to crack down on the problem. A proposed federal law died in Congress last year.

The Virginia anti-phishing law is innovative because it also targets purveyors of phished information, meaning that middlemen, and not just those who use the data, can be prosecuted, Jevans said.

Laws cannot help, however, with what he said is perhaps the hardest part of prosecuting phishers lurking in cyberspace: catching them. Nor do they provide law enforcement officials with the resources needed to investigate highly technical cases. But observers said laws are a step in the right direction.

"Every little bit helps," said Nicholas Graham, a spokesman for America Online, which is based in Loudoun County. "Phishers should be the ones who get hooked, not consumers."

© 2005 The Washington Post Company