WASHINGTON, D.C. – Senator Patrick J. Leahy (D-VT) introduced on Tuesday a new bill named The Anti-Phishing Act of 2005, which targets operators of online consumer fraud campaigns known as “phishing” scams. Phishing scams involve tricking web surfers into thinking that they are visiting a trusted website when in fact they are visiting a site run by criminals; the tactic is used primarily to trick surfers into disclosing sensitive information such as bank account numbers or website passwords. If passed, the Act would increase significantly the penalties for operating a phishing scam, and would give law enforcement officials the power to charge phishers with a crime before a phishing campaign is actually started.”Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing,” said Leahy, the ranking Democrat on the Judiciary Committee. “We need to act aggressively to keep them from eroding the public’s trust in online commerce and communication.”
Under the Act, prosecutors could impose fines of up to $250,000 and jail time of up to five years for any persons caught building or operating a phony corporate website or sending out phony email messages for the purpose of defrauding consumers. Significantly, under the Act, law enforcement can act against phishers while a phishing site is being built rather than waiting until the scam is actually launched
“Right now, you can use copyright, trademark and other civil laws to sue people who are creating phishing sites, but that can take months,” said Dave Jevans, chairman of the Anti-Phishing Working Group. “What [the Leahy bill] means is that if you’re building a site called ‘eBay-security.net’ with the intent to defraud people, then [law enforcement] can go after you just for that.”
The bill, however, is not without its critics. Chuck Wade, project leader for the Financial Services Technology Consortium, said the bill will be ineffective because many of the phishing scams are operated by individuals who fall outside of the United States’ jurisdiction.
“To the extent that there are laws that make current [phishing] activities illegal, they have been ineffective because of jurisdictional problems,” said Wade.
Marcus Sachs, a former cyber-security adviser to President George W. Bush, said that regulation isn’t the answer to the internet’s security problems.
“As soon as you start enacting new Internet-specific laws you open up the door for continued regulation and control over the Internet,” Sachs said. “So far, the Internet has been violently successful following a largely unregulated road, so if the current laws are applicable here, we ought to be using those first.”
The bill comes on the heals of a recent increase in phishing scams, highlighted last week when number two browser maker The Mozilla Foundation announced security flaws in its popular Firefox browser. The announced flaws made it possible for phishers to spoof the URL shown in a browser’s locator so that it doesn’t match the site being displayed in the browser window. An updated version of Firefox fixes this flaw, and can be downloaded at GetFirefox.com. Similar security holes have plagued Microsoft’s Internet Explorer browser.
Additionally, a report released last week by the Anti-Phishing Working Group indicates that there was a 42 percent increase in new phishing scams in January over the recorded levels in December. The group also reported that somewhere between three to five percent of people who are exposed to a phishing scam will fall victim, accounting for consumer losses that could top one billion dollars per year.
