New Leahy Bill Targets INTERNET "PHISHING" That Steals $2 b./yr. From Consumers
[Below are (1) the Senate Floor speech that Sen. Patrick Leahy delivered
Friday in introducing his bill to explicitly target Internet “phishing,”
with new federal criminal penalties, and (2) a fact sheet on the bill.
Leahy (D-Vt.), the ranking Democratic member of the Senate Judiciary
Committee, is sometimes referred to as the “cyber senator” for his
enthusiasm for and leadership on Internet issues. Internet phishing has
grown to become a $2 billion a year fraud on consumers and on online
commerce.]
__________________________
Statement Of Senator Patrick Leahy
Introduction Of The "Anti-Phishing Act Of 2004"
Senate Floor / Congressional Record
Friday, July 9, 2004
Mr. President, today I am introducing a
bill, the Anti-Phishing Act of 2004, which targets a large and growing
class of crime that is spreading across the Internet.
Phishing is a rapidly growing class of
identity theft scams on the Internet that is causing both short-term
losses and long-term economic damage. In the short term, these scams
defraud individuals and financial institutions. Some estimates place
the cost of phishing at over two billion dollars just over the last 12
months. Just imagine the concern we would all have about a series of
bank robberies involving that much money. In the long run, phishing
undermines the Internet itself. By making consumers uncertain about the
integrity of the Internet’s complex addressing system, phishing
threatens to make us all less likely to use the Internet for secure
transactions. If you can’t trust where you are on the web, you are less
likely to use it for commerce and communications.
Phishing is spelled “P-H-I-S-H-I-N-G.”
Those well-versed in popular culture may guess that it was named after
the phenomenally popular Vermont band, Phish. But
phishing over the Internet was in fact named from the sport of fishing,
as an analogy for its technique of luring Internet prey with convincing
email bait. The “F” is replaced by a “P-H” in keeping with a computer
hacker tradition.
Phishing attacks usually start with emails
that are, in Internet jargon, “spoofed.” That is, they are made to
appear to be coming from some trusted financial institution or
commercial entity. The spoofed email usually asks the victim to go to a
website to confirm or renew private account information. These emails
offer a link that appears to take the victim to the website of the
trusted institution. In fact the link takes the victim to a sham
website that is visually identical to that of the trusted institution,
but is in fact run by the criminal. When the victim takes the bait and
sends their account information, the criminal uses it – sometimes within
minutes – to transfer the victim’s funds or to make purchases. Phishers
are the new con artists of cyberspace.
To give an idea of how easy it is to be
fooled, we have reproduced some recent phishing charts, with the help of
the Anti-Phishing Working Group. These are just two examples of a
problem that affects countless companies. The website on the right is
an actual website of MBNA, a well-established financial institution and
credit card issuer. On the left is a recently discovered phishing site
that mimicked the MBNA site. As you can see, the two websites are
practically identical. Both have the MBNA logo, and both have the same
graphics, in the same layout. But if you end up going to the website on
the left, when you enter your account information, you are giving it to
an identity thief.
As another example, the next two websites
both appear to be from eBay. Again, the one on the right is from the
genuine website.
The one on the left is a fake website that
is controlled by a phisher. As you can see, if you end up at the
website on the left, it would be next to impossible to know that you are
not at the real eBay website. Informed Internet users can avoid this
problem if they simply use their web browser to go to the website,
instead of using a link sent to them in an email, but far too many
people do not do this.
This is a growing problem. Phishing is on
the rise. In recent months there has been an explosion of these types
of attacks. As you can see from the next chart, these attacks are
growing at an alarming rate. Roughly one million Americans already have
been victims of phishing attacks.
And phishing attacks are increasingly
sophisticated. Early phishing attacks were by novices, but there is
evidence now that some attacks are backed by organized crime. And some
attacks these days include spyware, which is software that is secretly
installed on the victim’s computer, which waits to capture account
information when the victim even goes to legitimate websites.
Phishers also have become more
sophisticated in how they cast their huge volumes of email bait on the
Internet waters. Security experts recently discovered that vast
networks of home computers are being hijacked by hackers using viruses,
and then they are rented to phishers – all without the knowledge of the
owners of these home computers.
Some phishers can be prosecuted under wire
fraud or identity theft statutes, but often these prosecutions take
place only after someone has been defrauded. Moreover, the mere threat
of phishing attacks undermines everyone’s confidence in the Internet.
When people cannot trust that websites are what they appear to be, they
will not use the Internet for their secure transactions. So traditional
wire fraud and identity theft statutes are not sufficient to respond to
phishing.
The Anti-Phishing Act of 2004 protects the
integrity of the Internet in two ways. First, it criminalizes the
bait. It makes it illegal to knowingly send out spoofed email that
links to sham websites, with the intention of committing a crime.
Second, it criminalizes the sham websites that are the true scene of the
crime.
It makes it illegal to knowingly create or
procure a website that purports to be a legitimate online business, with
the intent of collecting information for some criminal purpose.
There are important First Amendment
concerns to be protected. The Anti-Phishing Act protects parodies and
political speech from being prosecuted as phishing. We have worked
closely with various public interest organizations to ensure that the
Anti-Phishing Act does not impinge on the important democratic role that
the Internet plays.
To many Americans, phishing is a new
word. It certainly is a new form of an old crime. It also is a serious
crime, and we need to act aggressively to keep phishing from infecting
the Internet and from eroding the public’s trust in online commerce and
communication. I look forward to working with others in the Senate in
addressing this growing threat to the Internet, with effective and
responsible action.
_________________________________________
The Anti-Phishing Act of 2004
Fact Sheet
The Anti-Phishing Act of 2004, introduced
in the U.S. Senate on July 9 by Sen. Patrick Leahy (D-Vt.), is intended
to combat a rapidly growing Internet scam called “phishing.” Phishers
are con artists in cyberspace. Phishing refers to a popular Internet
scam in which the victim receives an email that appears to come from a
trusted source such as a financial institution, and that asks for
certain personal information. The email typically includes a hyperlink
that appears to take the victim to the website of that financial
institution, but which is actually a sham site. Any personal
information entered is stolen and used – sometimes within minutes – for
unlawful purposes such as transferring funds or purchasing goods.
Phishing is growing exponentially. During
the last 12 months alone, the estimated losses have exceeded $2 billion,
and the losses continue to mount. Moreover, current law does not
adequately respond to this problem. Phishing does not always fit neatly
into traditional wire fraud and identity theft statutes. Neither wire
fraud nor identity theft statutes protect against one of the greatest
harms caused by phishing: a diminished trust in the Internet’s system of
addressing and linking. Trust in this system is crucial to the Internet
fulfilling its potential as a medium for all manner of secure
communications.
The Anti-Phishing Act of 2004 would enter
two new crimes into the U.S. Code. The first prohibits the creation or
procurement of a website that represents itself to be that of a
legitimate business, and that attempts to induce the victim to divulge
personal information, with the intent to commit a crime of fraud or
identity theft. The second prohibits the creation or procurement of an
email that represents itself to be that of a legitimate business, and
that attempts to induce the victim to divulge personal information, with
the intent to commit a crime of fraud or identity theft.
In order to protect important First
Amendment concerns, the Leahy bill carefully protects speech -- even
speech that may be deceptive, such as the innocent parodying of
commercial websites for political commentary. The bill protects such
important speech by including the requirement that the actor must have
the specific criminal purpose of committing a crime of fraud or identity
theft.
# # #