In an attempt to cut down on the exponential growth of phishing scams, Sen. Patrick Leahy, D-Vermont, introduced a bill yesterday that defines the penalties for perpetrators.
The Anti-Phishing Act of 2005 calls for fines of up to US$250,000 and prison terms of up to five years for people convicted of the scam, in which phony e-mails and Web sites mimic those of real businesses in an attempt to trick consumers into divulging private information.
The bill also goes after “pharming,” in which Internet users are redirected from legitimate sites to phony ones that look real.
US Effort Would Help
The Anti-Phishing Working Group’s (APWG) report for January detailed a sharp jump in scams. The group said it received reports of 12,845 new and unique phishing e-mails, up 42 percent from December. It also recorded a leap of 47 percent in the number of phishing Web sites.
Although much phishing activity is hosted on servers or perpetrated by scammers outside the United States, Peter Cassidy, secretary general of the APWG, said the bill nonetheless is a good idea.
“The bill is extremely valuable,” Cassidy told TechNewsWorld, partly because it makes phishing itself a federal crime. Currently, law enforcement officials must go after phishers with other criminal laws — such as those dealing with wire fraud — or civil laws covering such matters as trademark violations. The bill would allow prosecutors to go after scammers just for building the bogus sites.
The APWG report found that 32 percent of phishing sites are hosted in the United States. China was second with 13 percent.
“It means that if you’re organizing a scam, it’s explicitly against the law,” he said. “If you’re in the U.S., that works, but if you’re international, it doesn’t help.”
International Cooperation Needed
The key will be enlisting overseas help.
“The interesting part of phishing is that by its nature it’s an international crime. You need cooperation across jurisdictional frontiers,” Cassidy said.
The vast majority of phishing expeditions are aimed at financial institutions. Consumers should be aware of any changes in the way their bank, brokerage firm, credit card company, etc., communicates with them. If an e-mail format has changed without notice, call the company before following the link. Another telltale sign, Cassidy said, is that while it is easy to spoof an e-mail, it is not easy to spoof individual information.
Legitimate correspondence will usually have some partially disguised personal information — it might say “your account ending in 5555” for instance — which would probably be missing from a bogus e-mail. If there’s any doubt, call the company and ask.
Some in the financial services industry use automated services to monitor the activity around every Web site. When a phisher copies a site, it leaves very distinct markers that can be used, in some cases, to block the site from going up.
“All the monitoring gives you information that can lead you to servers, Web sites and machines being used by the bad guys,” Cassidy said, although the phishers themselves can remain elusive. The APWG attributes the vast majority of phishing activity to fewer than 100 groups, who are very busy.