washingtonpost.com  > Technology > Tech Policy > Cybercrime

Senate Democrat Introduces Phishing Bill

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, March 1, 2005; 5:43 PM

A senior Senate Democrat on Tuesday introduced legislation to impose tough penalties against persons convicted of launching "phishing" scams -- a form of online fraud in which criminals use deception to trick computer users into giving up their personal and financial information.

The Anti-Phishing Act of 2005, sponsored by Sen. Patrick J. Leahy (Vt.), would allow prosecutors to impose fines of up to $250,000 and jail terms of up to five years against anyone convicted of creating fake corporate Web sites and fraudulent e-mail messages designed to fleece consumers. The legislation would prevent online parodies and political speech from being prosecuted as phishing.

_____Cyber-Crime Headlines_____
D.C. Area Tops in Fraud Complaints (The Washington Post, Feb 2, 2005)
Technology Fueling Wave of Phishing Scams (washingtonpost.com, Jan 18, 2005)
Thieves Find Exactly What They're Looking for on EBay (The Washington Post, Jan 6, 2005)
More Cyber-Crime Headlines

The Leahy bill also would apply its penalties to a form of phishing sometimes called "pharming," which involves using computer programming tricks to redirect Internet users from a legitimate site to a counterfeit version operated by criminals.

Leahy is the ranking Democrat on the Judiciary Committee, the panel that will decide whether his bill should be referred to the full Senate for a vote.

Dave Jevans, chairman of the Anti-Phishing Working Group, said the Leahy bill would allow investigators to prosecute scam artists before they send out phishing e-mails.

"Right now, you can use copyright, trademark and other civil laws to sue people who are creating phishing sites, but that can take months," Jevans said. "What [the Leahy bill] means is that if you're building a site called 'eBay-security.net' with the intent to defraud people, then [law enforcement] can go after you just for that."

The legislation comes in the midst of a substantial increase in the number of phishing attacks, as documented by security experts. More than 12,800 new and unique phishing e-mails were reported in January, a 42 percent increase over December, according to a report released last week by the Anti-Phishing Working Group (APWG), a coalition of banks and technology companies. The APWG tracked 2,560 phishing Web sites in January, a 47 percent increase from one month earlier and more than double the number of scam sites spotted in October.

Estimates of consumer losses to phishing scams range from a few hundred million dollars to more than a billion dollars each year. According to experts, phishing scams often lead to identity theft and other crimes that can haunt consumers for years. Roughly three to five percent of people who receive phishing scams take the bait, the APWG said.

"Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing," Leahy said in a statement. "We need to act aggressively to keep them from eroding the public's trust in online commerce and communication."

Security experts praised the legislation's intent, but voiced concern that it may do little to deter phishing attacks, most of which originate outside of the country. Roughly 68 percent of all phishing sites are hosted on computers located in other nations and thus outside the reach of U.S. law, the APWG found.

"To the extent that there are laws that make current [phishing] activities illegal, they have been ineffective because of jurisdictional problems," said Chuck Wade, project leader for the Financial Services Technology Consortium, an industry group made up of financial institutions, technology providers, research groups and government agencies.

Marcus Sachs, a former cyber-security adviser to President George W. Bush, said the Leahy bill shows Congress is feeling the pressure to help fix a highly complex and visible problem. Still, Sachs said, it is unclear whether new criminal laws are the solution.

"As soon as you start enacting new Internet-specific laws you open up the door for continued regulation and control over the Internet," Sachs said. "So far, the Internet has been violently successful following a largely unregulated road, so if the current laws are applicable here, we ought to be using those first."

House lawmakers have not issued a companion measure to the Leahy bill, but legislation introduced last month designed to combat intrusive computer programs known as "spyware" would earmark an additional $10 million in funding for the Justice Department to investigate and prosecute spyware and phishing scams.

© 2005 TechNews.com