Lauren L. Sullins, "Phishing" for a Solution: Domestic and International Approaches to Decreasing Online Identity Theft

Citation: Vol. 20 No. 1
Publication year: 2006

"PHISHING" FOR A SOLUTION: DOMESTIC AND INTERNATIONAL APPROACHES TO DECREASING ONLINE IDENTITY THEFT

INTRODUCTION

In less than five minutes, Jane Smith will give criminals throughout the world the ability to gain complete control of her identity and savings. Unfortunately, as she logs on to check her e-mail, she has no idea that this is about to happen. As Jane skims her inbox, she sees an e-mail with the subject "Important Security Alert for All EasyBank Users"; the sender address reads "EasyBank." As one of EasyBank's millions of customers, Jane opens the e-mail to read the important news.

When she opens the e-mail, it contains EasyBank's famous logo and a message. The message informs her that the company is initiating a new security system to protect against fraudulent activity. The message states that she must click on the following link to confirm her online banking details. If she does not do so, the message states that her account will be cancelled. Wanting to protect herself from attacks on her account and also believing that she is required to do so to keep her account, Jane clicks on the link.

After clicking on the link, Jane is taken to a website that appears official. It is identical to the site that she normally visits to conduct her online banking. Jane logs in, as she normally does, entering her customer identification number and password. She is taken to an additional page where she enters her social security number, address, mother's maiden name, and other personal information. After she provides all of the requested information, the website displays a message that thanks her for her time. Jane turns off her computer and continues her day, believing that her account is now well-protected. She has no idea that the e-mail and website were scams and that, only moments later, a criminal will empty all of the funds from her account and sell her personal information on the black market.

Jane is the victim of a "phishing" attack - a form of online identity theft that uses fraudulent e-mails to trick recipients into divulging personal financial information on fraudulent, imitation websites.[1] These attacks not only impact consumers and corporations - they also threaten to destroy Internet commerce as a whole by destroying consumer trust in online transactions.[2] Gartner Research estimates that in 2003, in the United States alone, over 57 million people received a phishing attack e-mail and almost 5% of the recipients responded with personal information.[3] These attacks cost U.S. banks and credit card issuers more than $1.2 billion per year, and the losses continue to grow.[4] Worldwide, the annual damage from phishing attacks has reached $5 billion, and the number of attacks is steadily increasing.[5] Every day new scammers appear. Many actually learn how to conduct these scams from websites that offer do-it-yourself kits on how to build fake websites for phishing scams.[6] The Anti-Phishing Working Group received reports of 15,820 new phishing e-mails in October 2005, compared to 6,957 reports in October 2004.[7] As staggering as these figures are, the number of phishing incidents and the associated losses are actually underreported.[8]

Phishing scams do not only affect the finances of the victims and targeted companies in the short term - the attacks also have long-term effects on the growth of Internet-related transactions.[9] Individual targets of phishing scams are likely to lose confidence in the online marketplace and may not trust their ability to distinguish legitimate sites from scams.[10] If consumers do not have confidence in the authenticity of e-mails, it could lead to destruction of consumer trust in the Internet as a whole and an erosion of e-commerce growth.[11] The U.S. Department of Justice (DOJ) stresses the importance of decreasing Internet crimes as follows: "In short, if left unchallenged, computer crime . . . may stifle the Internet's power as a tool to communicate, engage in commerce, and expand people's educational opportunities around the globe."[12]

Phishers do not limit their attacks to the United States - the culprits, victims, and effects are international. The Anti-Phishing Working Group estimates that foreign countries host over 70% of phishing websites.[13] China now hosts 9.96% of the worldwide phishing-based websites, and an Anti-Phishing Working Group report states that countries such as the Republic of Korea and Germany host many of the remaining sites.[14] Organized crime rings run many of these foreign websites.[15] The groups use individuals in their networks to carry out the entire scam, from sending the initial e-mail to committing identity theft.[16]

Phishers are now targeting consumers and companies all over the world. The United Kingdom's Association for Payment Clearing Services (APACS)[17] estimates that there are over two thousand victims of phishing scams in the United Kingdom alone, resulting in losses of £4.5 million.[18] Although, in the past, most criminals only aimed their attacks at consumers in English-speaking countries, phishers have also launched attacks against citizens of Germany and Brazil.[19] The attacks in Germany on Postbank AG and Deutsche Bank AG originated from crime rings in Russia and Asia, and it is possible that German companies will become the focus of more international phishing rings.[20]

The alarming increase in the number of phishing scams and the substantial amount of damage they have inflicted on companies and individuals worldwide demonstrate the need for an international solution to the problem. This Comment shows that phishing is a non-traditional crime that requires a non-traditional solution and asserts that this solution lies in one word: cooperation. The fight against phishing is dependent upon cooperation in the following three areas: joint operations among law enforcement agencies, domestic and international legislation, and among the private companies and consumers that are the victims of these attacks.[21] Cooperation within each area alone is not enough - the groups must act together to combat each other's weaknesses and grow stronger as an integrated unit.[22]

Part I is divided into three sections. Section A gives a general overview of phishing and its history. Section B explains phishing's effects on consumers, companies, and the future of Internet commerce. Section C discusses the unique aspects of phishing that make the crime attractive to criminals and cause serious problems for those trying to stop the scams. Part II of this Comment focuses on the need for cooperation between law enforcement agencies, legislators, and the private sector. Finally, this Comment proposes that the solution to phishing depends on cooperation between all three groups.

I. BACKGROUND

A. An Overview of Phishing

Phishing is an Internet scam in which criminals design e-mails and websites that appear to originate from a legitimate business, government agency, or financial institution and then use this false identity to deceive Internet users into disclosing personal financial information.[23] First, the phisher sends an e-mail that appears to be sent from a trusted source, like SunTrust or Citibank, so that the user does not initially regard the e-mail as suspicious.[24] The e-mail informs the recipient that there is a problem with his account and instructs him to click on a link to update or validate his account information.[25] The e-mail usually threatens suspension of the account or some other undesirable consequence if the user does not act quickly.[26] The victim is not aware that the sender probably used a "spamming"[27] technique to send the e-mail and that possibly thousands of people received this same e-mail.[28]

Users mistakenly believe that they are acting responsibly when they click on the link and respond.[29]

Once the user clicks on the link, he is taken to a phony website that mimics the appearance of the official website of the organization mentioned in the e-mail.[30] The phisher covers the website with trademarks and copyrighted images so that the site appears to be authentic.[31] The website then prompts the user to disclose credit card numbers, passwords, and other confidential information.[32] Once the victim believes that the website is legitimate, he inputs his information and leaves the site without knowing that he has been scammed.[33] Phishers then take this information and use it to commit identity theft and fraud.[34]

Although phishing incidents have increased recently, the practice has been in existence for many years. The word "phishing" originates from the analogy that criminals use e-mails as lures to "fish" for information from the sea of Internet users.[35] Phishing is spelled with a "ph" instead of an "f" because of its historical ties to "phone phreaking," a 1970s scam that involved hacking into phone switches to make calls for free or bill them to someone else.[36] In 1996, criminals began to use the term "phishing" to describe the process of getting unsuspecting America Online (AOL) users to reveal their passwords to criminals so that they could steal the AOL dial-up accounts. The hacked accounts were called "phish."[37] The trend was so popular that criminals even began to use the AOL "phish" as a form of currency to trade for other hacking software.[38] Unfortunately, phishing did not remain relegated to this one small area for long. When hackers realized the profit-making possibilities of phishing, the attacks expanded into a full-blown criminal enterprise that targeted a wide range of users and significantly impacted individuals and the economy worldwide.[39]

B. The Harmful Effects of Phishing

Phishing scams jeopardize the security of individuals, companies, and the Internet. Individual victims of phishing scams are vulnerable to many forms of violation, but the damages usually occur in one of the following three ways. First, criminals can use the stolen data to purchase items or withdraw money from the victims' existing accounts.[40] Many times, consumers are unaware that these transactions have...
