
U.S. SENATOR PATRICK LEAHY

CONTACT: Office of Senator Leahy, 202-224-4242

VERMONT


New Leahy Bill Targets INTERNET "PHISHING"
That Steals $2 b./yr. From Consumers

[Below are (1) the Senate Floor speech that Sen. Patrick Leahy delivered Friday in introducing his bill to explicitly target Internet “phishing,” with new federal criminal penalties, and (2) a fact sheet on the bill.  Leahy (D-Vt.), the ranking Democratic member of the Senate Judiciary Committee, is sometimes referred to as the “cyber senator” for his enthusiasm for and leadership on Internet issues.  Internet phishing has grown to become a $2 billion a year fraud on consumers and on online commerce.]
__________________________

 Statement Of Senator Patrick Leahy
Introduction Of The "Anti-Phishing Act Of 2004"
Senate Floor / Congressional Record
Friday, July 9, 2004

Mr. President, today I am introducing a bill, the Anti-Phishing Act of 2004, which targets a large and growing class of crime that is spreading across the Internet. 

Phishing is a rapidly growing class of identity theft scams on the Internet that is causing both short-term losses and long-term economic damage.  In the short-term, these scams defraud individuals and financial institutions.  Some estimates place the cost of phishing at over two billion dollars just over the last 12 months.  Just imagine the concern we would all have about a series of bank robberies involving that much money.  In the long run, phishing undermines the Internet itself.  By making consumers uncertain about the integrity of the Internet’s complex addressing system, phishing threatens to make us all less likely to use the Internet for secure transactions.  If you can’t trust where you are on the web, you are less likely to use it for commerce and communications.

Phishing is spelled “P-H-I-S-H-I-N-G.”  Those well-versed in popular culture may guess that it was named after the phenomenally popular Vermont band, Phish.  But phishing over the Internet was in fact named from the sport of fishing, as an analogy for its technique of luring Internet prey with convincing email bait.  The “F” is replaced by a “P-H” in keeping with a computer hacker tradition. 

Phishing attacks usually start with emails that are, in Internet jargon, “spoofed.”  That is, they are made to appear to be coming from some trusted financial institution or commercial entity.  The spoofed email usually asks the victim to go to a website to confirm or renew private account information.  These emails offer a link that appears to take the victim to the website of the trusted institution.  In fact the link takes the victim to a sham website that is visually identical to that of the trusted institution, but is in fact run by the criminal.  When the victim takes the bait and sends their account information, the criminal uses it – sometimes within minutes – to transfer the victim’s funds or to make purchases.  Phishers are the new con artists of cyberspace.

To give an idea of how easy it is to be fooled, we have reproduced some recent phishing charts, with the help of the Anti-Phishing Working Group.  These are just two examples of a problem that affects countless companies.  The website on the right is an actual website of MBNA, a well-established financial institution and credit card issuer.  On the left is a recently discovered phishing site that mimicked the MBNA site.  As you can see, the two websites are practically identical.  Both have the MBNA logo, and both have the same graphics, in the same layout.  But if you end up going to the website on the left, when you enter your account information, you are giving it to an identity thief.

As another example, the next two websites both appear to be from eBay.  Again, the one on the right is from the genuine website. 

The one on the left is a fake website that is controlled by a phisher.  As you can see, if you end up at the website on the left, it would be next to impossible to know that you are not at the real eBay website.  Informed Internet users can avoid this problem if they simply use their web browser to go to the website, instead of using a link sent to them in an email, but far too many people do not do this.

This is a growing problem.  Phishing is on the rise.  In recent months there has been an explosion of these types of attacks.  As you can see from the next chart, these attacks are growing at an alarming rate.  Roughly one million Americans already have been victims of phishing attacks. 

And phishing attacks are increasingly sophisticated.  Early phishing attacks were by novices, but there is evidence now that some attacks are backed by organized crime.  And some attacks these days include spyware, which is software that is secretly installed on the victim’s computer, which waits to capture account information when the victim even goes to legitimate websites.

Phishers also have become more sophisticated in how they cast their huge volumes of email bait on the Internet waters.  Security experts recently discovered that vast networks of home computers are being hijacked by hackers using viruses, and then they are rented to phishers – all without the knowledge of the owners of these home computers. 

Some phishers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only after someone has been defrauded.  Moreover, the mere threat of phishing attacks undermines everyone’s confidence in the Internet.  When people cannot trust that websites are what they appear to be, they will not use the Internet for their secure transactions.  So traditional wire fraud and identity theft statutes are not sufficient to respond to phishing. 

The Anti-Phishing Act of 2004 protects the integrity of the Internet in two ways.  First, it criminalizes the bait.  It makes it illegal to knowingly send out spoofed email that links to sham websites, with the intention of committing a crime.  Second, it criminalizes the sham websites that are the true scene of the crime. 

It makes it illegal to knowingly create or procure a website that purports to be a legitimate online business, with the intent of collecting information for some criminal purpose. 

There are important First Amendment concerns to be protected.  The Anti-Phishing Act protects parodies and political speech from being prosecuted as Phishing.  We have worked closely with various public interest organizations to ensure that the Anti-Phishing Act does not impinge on the important democratic role that the Internet plays. 

To many Americans, phishing is a new word.  It certainly is a new form of an old crime.  It also is a serious crime, and we need to act aggressively to keep phishing from infecting the Internet and from eroding the public’s trust in online commerce and communication.  I look forward to working with others in the Senate in addressing this growing threat to the Internet, with effective and responsible action. 

_________________________________________

The Anti-Phishing Act of 2004
Fact Sheet

The Anti-Phishing Act of 2004, introduced in the U.S. Senate on July 9 by Sen. Patrick Leahy (D-Vt.), is intended to combat a rapidly growing Internet scam called “phishing.”  Phishers are con-artists in cyberspace.  Phishing refers to a popular Internet scam in which the victim receives an email that appears to come from a trusted source such as a financial institution, and that asks for certain personal information.  The email typically includes a hyperlink that appears to take the victim to the website of that financial institution, but which is actually a sham site.  Any personal information entered is stolen and used – sometimes within minutes – for unlawful purposes such as transferring funds or purchasing goods.

Phishing is growing exponentially. During the last 12 months alone, the estimated losses have exceeded $2 billion, and the losses continue to mount.  Moreover, current law does not adequately respond to this problem.  Phishing does not always fit neatly into traditional wire fraud and identity theft statutes.  Neither wire fraud nor identity theft statutes protect against one of the greatest harms caused by phishing: a diminished trust in the Internet’s system of addressing and linking.  Trust in this system is crucial to the Internet fulfilling its potential as a medium for all manner of secure communications. 

The Anti-Phishing Act of 2004 would enter two new crimes into the U.S. Code.  The first prohibits the creation or procurement of a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.  The second prohibits the creation or procurement of an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. 

In order to protect important First Amendment concerns, the Leahy bill carefully protects speech -- even speech that may be deceptive, such as the innocent parodying of commercial websites for political commentary.  The bill protects such important speech by including the requirement that the actor must have the specific criminal purpose of committing a crime of fraud or identity theft.

# # # # #

 
