
Journal of Law, Information and Science


Black, Peter --- "Phish to Fry: Responding to the Phishing Problem" [2005] JlLawInfoSci 4; (2005) 16 Journal of Law, Information and Science 73

Phish to Fry: Responding to the Phishing Problem

PETER BLACK[&]

Dear National Australia Bank Member,

Technical services of the National Australia Bank are carrying out a planned software upgrade for the maximum convenience of the users of on-line services of the Bank. You are requested to visit our site, and fill in the required information by clicking the link below:

https://national.com.au/cgi-bin/ib/301_confstart.pl?browser=correct

This instruction has been to all bank customers and is obligatory to follow.

We present our apologies and thank you for co-operating.

Thank you,

Accounts Management

© National Australia Bank Limited[1]

Abstract

Phishing, a form of identity theft, starts with an email and can result in the theft of confidential information, identities, bank account details and funds and more. Phishing can be defined as the criminal creation and use of emails and websites – which are designed to look like emails and websites of well-known legitimate businesses, financial institutions, and government agencies – in order to deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames and passwords. The phisher uses the information obtained to commit fraud. The article deals with how phishing attacks are responding to increased public awareness about the problem by adopting more sophisticated techniques, considers the various strategies, both legal and technological, that can be utilised to combat phishing, and evaluates the effectiveness of these various strategies and critically examines which is best equipped to combat phishing. The article concludes that the most effective strategies in limiting the effects of phishing are technological innovation and community awareness rather than the creation of new offences.

1. Introduction

Seemingly innocuous emails like this are a growing threat to e-commerce. With the internet now an integral part of the daily lives of Australians and Australian businesses, it has created new and exciting opportunities for e-commerce, but it has also created a new forum for criminals to steal our identity. This form of identity theft, known as phishing, starts with an email and can result in the theft of confidential information, identities, bank account details and funds and more.

Phishing can be defined as the criminal creation and use of emails and websites – which are designed to look like emails and websites of well-known legitimate businesses, financial institutions, and government agencies – in order to deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames and passwords.[2] Consider this example.[3] An internet user receives an official-looking email that appears to have been sent by a familiar organisation or business, such as a bank, and reads that email because it does indeed look official. The email says that the user needs to update or validate his or her account information by clicking a link that takes the user to a phoney website that looks like the site of the organisation or business referred to in the email. At that site, the user is asked to provide personal and confidential information, like banking or credit card details or passwords and usernames, purportedly in order to update or validate his or her account.

Regardless of the means by which this information is obtained, the phisher then uses the information to commit fraudulent acts in the following ways.[4] First, the phisher may pretend to be another person online, abusing that person’s existing credit or debit facility. Second, the phisher may pretend to be another person in transactions with that person’s bank or other financial service provider. Third, the phisher may assume the identity of another person, using that assumed identity to incur debts and liabilities.

This basic scenario outlines how phishing attacks occur. Part II of this article will outline in more detail what a phishing attack is and how phishing attacks are responding to increased public awareness about the problem by adopting more sophisticated techniques. As well it will establish the extent of the problem by presenting facts and statistics on the phishing phenomenon. Part III considers the various strategies, both legal and technological, that can be utilised to combat the phishing. It evaluates the effectiveness of these various strategies and critically examines which is best equipped to combat phishing. The article concludes in Part IV that the most effective strategies in limiting the effects of phishing are technological innovation and community awareness.

2. The Nature of Phishing Attacks And the Extent of the Problem

2.1 Origins of phishing

According to the Anti-Phishing Working Group (APWG), a global association focused on eliminating the fraud and identity theft associated with phishing, the word ‘phishing’ is derived from the analogy that internet scammers use email lures to ‘fish’ for passwords and financial information from the ‘sea’ of internet users.[5] The term was first used in 1996 by hackers attempting to steal America On-line (AOL) accounts. The reason why ‘phishing’ is not referred to as ‘fishing’ is that hackers commonly replace the letter ‘f’ with ‘ph’; for example, the original form of hacking, done by phone, was known as ‘phreaking’.[6] In this respect, phishing is not a particularly new or innovative form of identity theft:

Phishing isn't really new – it's a type of scam that has been around for years and in fact predates computers. Malicious crackers did it over the phone for years and called it social engineering. What is new is its contemporary delivery vehicle – spam and faked Web pages.[7]

These phishing attacks quickly moved from merely stealing AOL accounts to attacking auction sites such as eBay, payment services such as PayPal, commerce sites such as Amazon and financial institutions (including banks).

2.2 Features of phishing attacks

A phishing attack usually has two core features.[8] First, the phisher creates the appearance of being a trusted source. The phisher obtains web space from an internet service provider and creates a website that is deliberately designed to mimic or ‘spoof’ that of a financial institution, an internet service provider, an e-commerce site, or a government agency. Phishers try to replicate the original site as closely as possible, by using similar fonts and graphics as well as by employing trademarked names and logos.[9] The phisher then sends out a mass email from what appears to be that trusted source. Although AOL, auction sites, online payment services, banks and other financial institutions were initially the trusted sources used for phishing attacks, other targets have included internet services provided by businesses,[10] search engines[11] and charities.[12]

Second, the phisher attempts to scare or frighten the recipient of the mass email into providing confidential information to the so-called trusted source. The email the phisher sends out contains warnings that there is an urgent need for the recipient to update their information with the trusted source, either because the sender has detected fraudulent use of their account, or because their account faces suspension unless the information is provided.[13] The recipient then clicks on a hyperlink in the email, whereby they are directed to the carefully spoofed site and enter the requested information. The phisher then uses that information to defraud the recipient of the phishing email.

Phishing attacks are successful because of this combination of trust and fear. Although it is impossible to ascertain precise figures, it is estimated that emails sent as part of a phishing attack yield an average positive response of between 1% and 5% of all recipients.[14] Phishers are responding to increased consumer awareness of the dangers of phishing by developing increasingly sophisticated forms of attack. For example, phishers are increasingly using URL spoofing devices to deceive the recipient that they are accessing a trusted website.[15] Furthermore, the APWG identifies two categories of crimeware that are now being used in phishing attacks, ‘Phishing-based Trojans – Keyloggers’[16] and ‘Phishing-based Trojans – Redirectors’,[17] that are ‘alarmingly successful, capable of deceiving even seasoned Internet users’.[18] Both these categories use technical subterfuge to plant crimeware on a recipient’s computer to steal credentials directly by either using key logging systems to intercept usernames and passwords (‘Phishing-based Trojans – Keyloggers’), or to corrupt local and remote navigational infrastructures to misdirect consumers to counterfeit websites (‘Phishing-based Trojans – Redirectors’).[19] Given the core features of phishing and the advances in technical subterfuge, hackers have discovered the profit-making possibilities of phishing and the attacks ‘have expanded into a full-blown criminal enterprise that [has] targeted a wide range of users and significantly impacted individuals and the economy worldwide’.[20]

2.3 The extent of the problem

The impact of phishing on internet use may be significant as it impacts adversely on both the individual consumer as well as on the broader use of the internet:

Phishing victims are subject to the same emotional and financial harms and damage to reputation suffered by other identity theft victims, but risk more extensive losses both financially and in time spent dealing with the problem. Merchant and credit card issuers may also suffer extensive financial losses … because phishing victims may not discover the theft until long after it occurs.[21]

Significantly, the price that phishing exacts on the consumer, and on internet use in general, has grown noticeably since late 2003, when the FBI labelled phishing as ‘the hottest, and most troubling, new scam on the internet’.[22]

The APWG produces a monthly ‘Phishing Activity Trends Report’ that analyses phishing attacks reported to it via its website. The APWG phishing attack repository is considered the internet’s most comprehensive archive of email fraud and phishing activity.[23] There were 23,610 unique phishing reports received in February 2007, targeting 135 brands (although only 14 brands composed the top 80% of phishing campaigns).[24] This is a substantial increase from January 2004, when only 176 unique phishing reports were received by the APWG.[25]

Further, there were 16,463 unique phishing sites reported in February 2007, which were maintained, on average, for a period of 4 days.[26] Most phishing websites were hosted in the United States (24.17%), with the top ten breakdown as follows: China (10.16%), South Korea (9.5%), France (4.43%), Germany (4.1%), Japan (3.02%), Russia (2.34%), Netherlands (1.92%), United Kingdom (1.82%), and Chile (1.66%).[27]

These phishing attacks cause both short term losses to individuals and long term economic damage. Although phishing constitutes only 11.6% of all identity fraud in the United States,[28] the dollar damage from phishing is still substantial, with conservative estimates of the loss to the consumer and online commerce being between $500 million a year[29] and $1.2 billion in 2003.[30] In 2004, United States Senator Leahy stated that phishing has grown to become a $2 billion a year fraud on consumers and on online commerce.[31] Another estimate concludes that worldwide companies are losing $5 billion annually in customer and productivity losses, repair efforts, and business interruptions from phishing attacks.[32]

The long term damage of phishing is evident in the psychological impact it has on consumers. A recent survey of 665 consumers by the fraud prevention service RSA Cyota found that more than half of the respondents were less likely to sign-up or continue to use their bank’s online services because of phishing.[33] This level of concern amongst consumers has the capacity to affect the online environment as a viable channel for commerce altogether.[34] Accordingly, it is clear that phishing is an emerging threat to e-commerce.

3. Combating the Problem

Despite the fact that phishing is an act that would already be illegal in most places around the world, phishing remains an attractive form of identity theft to criminals largely because the speed and anonymity of the internet make it very unlikely that the phisher will be caught.[35] Any attempt to combat the phishing problem needs to address this reality. Therefore, Section A of this Part outlines the existing legislation in Australia and the United States that currently criminalises phishing, and Section B of this Part argues that any further legislation specifically designed to address phishing would be neither effective nor desirable. Section C outlines an attempt to combat the problem that does not require any further legislation, but rather relies on increased community awareness and cooperation within and between government and the private sector.

3.1 Existing legislation[36]

3.1.1 Australia

As phishing is effectively a form of identity theft, most forms of phishing could be criminally prosecuted under state legislation that generally deals with identity theft and fraud:[37]

Crimes Act 1958 (Vic): obtaining property by deception (s 81(1)), and obtaining financial advantage by deception (s 82);

Crimes Act 1900 (NSW): obtaining money by deception (s 178BA), obtaining money by false or misleading statements (s 178BB), obtaining credit by fraud (s 178C), false pretences (s 179), and fraudulent personation (s 184);

Criminal Code 1899 (Qld): misappropriation (s 408C);

Criminal Code (WA): fraud (s 409(1));

Criminal Code Act 1924 (Tas): dishonestly acquiring a financial advantage (s 252A(1)), and inserting false information on data (s 257E);

Criminal Code 2002 (ACT): obtaining financial advantage by deception (s 332), and general dishonesty (s 333);

Criminal Code (NT): criminal deception (s 227);

Criminal Law Consolidation Act 1935 (SA): false identity (s 144B), and misuse of personal identification information (s 144C). These provisions were introduced by the Criminal Law Consolidation (Identity Theft) Amendment Act 2004 (SA) to specifically address identity theft.

The relevant Commonwealth legislation is the Criminal Code Act 1995 (Cth). Part 7.3 of the Act, which is concerned with fraudulent conduct, is unlikely to be applicable as it is limited to information fraudulently obtained from the Commonwealth. However, some amendments to the Criminal Code Act in 2004 will cover phishing. These amendments were introduced by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No. 2) 2004, and are derived from the South Australian amendments in the Criminal Law Consolidation (Identity Theft) Amendment Act 2004 (SA) and the Discussion Paper on Credit Card Skimming Offences released by the Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General in March 2004.

While the focus of the Discussion Paper (the Paper) was on credit card skimming by ‘bugging’ ATM or EFTPOS terminals, or by tapping telephone cables, the Paper acknowledged the damage caused by phishing:

The Internet has provided a wide range of opportunities for criminals to obtain personal details including credit card details from unsuspecting persons. One common technique is known as ‘spoofing’ – a person receives an email that appears to be from a legitimate business, for example a financial institution or on-line auction site. This email directs the person to the ‘business’ website, where the person is asked to enter personal data including credit card information. Although the website appears to be an official site of a legitimate business, it has no connection with that business but has been established by criminals to record the information that is entered which can then be used for fraudulent purposes.[38]

The Paper provided several examples of this form of fraud occurring in Australia in 2003, when AMP Banking, the Commonwealth Bank of Australia, Westpac and ANZ were targeted.[39] It was the view of the Committee that the section recommended in the Model Criminal Code (s 3.3.5 ‘Credit card skimming and related offences’) would apply to the internet.[40]

The Committee noted that the proposed offence ‘can accommodate changes in technology as it focuses on criminalising the dishonest dealing in personal financial information and does not refer to the specific means by which that information is obtained’.[41] This flexibility, as well as other salient features of s 3.3.5 of the Model Criminal Code, are present in Part 10.8 of the Criminal Code Act, ‘Financial information offences’ which was added to the Code in the 2004 amendments.

Within Part 10.8 of the Criminal Code Act, s 480.4 provides:

A person is guilty of an offence if the person:

(a) dishonestly obtains, or deals in, personal financial information; and

(b) obtains, or deals in, that information without the consent of the person to whom the information relates.

Penalty: Imprisonment for 5 years.

The Part defines dishonest to mean dishonest to the standards of ordinary people and known by the defendant to be dishonest according to the standards of ordinary people.[42] A person is taken to obtain or deal in personal information without the consent of the person to whom the information relates if the consent of that person is obtained by any deception.[43] And ‘personal financial information’ means ‘information relating to a person that may be used (whether alone or in conjunction with other information) to access funds, credit or other financial benefits’.[44] Any person who sends phishing emails and obtains and uses personal financial information from the victim, will contravene this section of the Act and commit a criminal offence.

In addition to the offences already provided for in federal and state legislation which would likely cover phishing and other forms of identity theft, the Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General released in April 2007 a Discussion Paper on Identity Crime that recommended the creation of three new model offences to cover identity crime:

(1) identity crime – which encompasses identity theft and identity fraud;

(2) on-selling identification information; and

(3) possession of equipment to create identification information.[45]

There are several other pieces of State and Commonwealth legislation that may be contravened by phishers. First, phishing emails would be illegal under the Spam Act 2003 (Cth), which came into effect on 10 April 2004.[46] Under the Act it is illegal to send, or cause to be sent, ‘unsolicited commercial electronic messages’ that have an Australian link.[47] The definition of ‘electronic commercial message’ includes an electronic message sent for the purpose of obtaining financial advantage or gain,[48] which is the purpose behind a phishing email. A message has an ‘Australian link’ if it either originates or was commissioned in Australia, or originates overseas but has been sent to an address accessed in Australia.[49]

Second, a phisher would likely contravene various sections of the Trade Practices Act 1974 (Cth) and the equivalent state acts. In particular, phishing would presumably constitute deceptive and misleading conduct in trade or commerce.[50]

Third, the covert collection of personal information through phishing would contravene the Privacy Act 1988 (Cth) that, since December 2001, applies to private sector organisations, including individuals. Note, however, that the new provisions generally only apply to organisations with an annual turnover of more than $3 million. Therefore, it is unlikely that many phishers would fall within the Act. Nonetheless, those organisations that are covered by the Act are required to comply with the National Privacy Principles (NPPs) which prescribe the way personal information can be collected, used, stored and disclosed. The NPPs potentially contravened by phishing include:

• NPP 1.1 that provides organisations must not collect personal information unless the information is necessary for one or more of their functions or activities.

• NPP 1.2 that provides organisations must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

• NPP 2.1 that provides organisations must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection, unless certain exemptions apply.

• NPP 4.1 that provides organisations must take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure.

• NPP 5.1 that provides organisations must set out in a document clearly expressed policies on their management of personal information.

Fourth, phishers may be in contravention of the Trade Marks Act 1995 (Cth). This is because phishing emails frequently use the registered trademarks of the organisation they are purporting to be, so that internet users are tricked into believing the email is legitimate and are therefore more likely to provide the phisher with their personal information.

3.1.2 United States

As most phishing websites are hosted in the United States,[51] it is pertinent to consider their legal response to phishing. Similar to the situation in Australia, the United States has several criminal offences at the federal level that are potentially applicable to phishing, including identity theft,[52] wire fraud,[53] access device fraud,[54] and bank fraud.[55]

Internet users would also be protected by the Truth in Lending Act, which limits the losses of consumers to US$50 for unauthorised credit card use,[56] and the Gramm-Leach-Bliley Act, which prohibits a person from using false pretences to obtain financial information from a customer.[57] The Identity Theft Penalty Enhancement Act, enacted in 2004,[58] established a new crime of ‘aggravated identity theft’ – using a stolen identity to commit other crimes – that would include phishing. In addition, most states have criminal and consumer protection laws that deal with identity theft.

The United States, like Australia, also has legislation that regulates spam, namely the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act),[59] enacted in 2003. However, the CAN-SPAM Act creates an ‘opt-out’ regime, rather than the ‘opt-in’ regime adopted by Australia. This means that it is not an offence to send an unsolicited commercial email per se, provided that the consumer is given the opportunity to say that they do not want to receive any further emails from that sender. Given this, the CAN-SPAM Act has been ineffective in combating phishing. According to a survey by the Pew Internet and American Life Project, while internet users in the United States report that pornographic email has declined since the Act was introduced, 35% of internet users now report they have received phishing emails.[60] Enforcement actions under the Act have also been relatively few.

On 28 February 2005, United States Senator Leahy introduced a bill into the Senate titled the Anti-Phishing Act of 2005. The bill was specifically designed to combat phishing by creating two new crimes. The first crime would have prohibited the creation or procurement of a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. The second would have prohibited the creation or procurement of an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. Although this Act would have been a novel attempt to combat phishing, it never made it through Congress.

However, some states have passed new laws to combat phishing.[61] In January 2005, Virginia added phishing to its Computer Crimes Act, categorizing the use of a computer to obtain personal information ‘through the use of material artifice, trickery or deception’ as a Class 6 felony punishable by prison sentences of up to five years and fines of up to $2,500.[62] New Mexico enacted a similar statute in March 2005,[63] as did New York in June 2006.[64] Texas also passed an Anti-Phishing Act in 2006.[65] The state of Washington has gone even further by criminalising attempted phishing.[66] California has taken a different track in its Anti-Phishing Act of 2005 by providing for civil, rather than criminal, penalties against phishers.[67]

Despite the wide range of criminal offences that potentially cover phishing, very few individuals have ever been prosecuted for phishing.

3.2 Weaknesses in a legislative response

As is the case with almost all internet related crime, phishing is difficult to deter as the normal barriers to offline crime do not apply.[68] First, online crimes are much less expensive to commit than offline crimes. Second, as online crime is effectively anonymous, the social norms that deter offline criminals are inapplicable. This anonymity also poses considerable difficulty in catching phishers.

Indeed, this anonymity is at the heart of the first of three hurdles that any legislation that prohibits phishing faces.[69] Phishers’ websites are on average only online for four days,[70] which means that often the website will have disappeared before the internet user has realised they have been defrauded, and before law enforcement has information about the attack. Furthermore, while a phisher’s internet service provider (ISP) information is revealed by a phishing website, phishers tend to use multiple ISPs, redirect servers and hijack third party computers around the world. Phishers are therefore able to appear and disappear remarkably quickly, making their identification and prosecution difficult.

The second hurdle is in law enforcement and in a court obtaining jurisdiction over the phisher. Phishing, like most forms of cybercrime, is a ‘cross-border enterprise’.[71] Given that Australia hosts only a small percentage of phishing websites, even if the phisher is able to be identified, it is very likely that that person will be located in a foreign country. It is evident that ‘countries where cybercrime flourishes tend to have weak laws dealing with computer crime, law enforcement agencies that lack computer forensic capabilities and an underdeveloped apparatus for collaborating with law enforcement agencies in other countries’.[72] Therefore, jurisdictional issues can be a major difficulty in catching phishers.

The third hurdle is that phishers are often found to be judgment proof. Enforcing judgments against internet scammers is notoriously difficult. Note the United States Federal Trade Commission’s experience in enforcing such judgments:[73]

Indeed, the most egregious spammers, like other fraud operators, are likely to transfer assets offshore to place them beyond the reach of U.S. courts. … In the FTC’s experience, attempting to reach the defendants’ offshore funds necessitates a foreign action to enforce a U.S. court judgment. This is time-consuming, expensive, and, in many cases, futile, as many countries do not enforce U.S. court judgments obtained by government agencies.

Notwithstanding these difficulties in deterring phishers by legislation, laws can and have been used against phishing in Australia. In April 2004, the Australian Federal Police reportedly sought cooperation from French authorities to shut down a domain name associated with a large phishing scheme that targeted Westpac, ANZ and Commonwealth Bank of Australia customers.[74] Also, in August 2004, a Perth man was charged for offences related to $70,000 of stolen funds from nine different Australian banks through phishing.[75] He was arrested following an investigation by the Joint Banking and Finance Sector Investigation Team, established by the Australian High Tech Crime Centre to assist law enforcement in combating phishing. Regardless of these and other successes, the instances of successful prosecutions for phishing around the world have been few and far between.

3.3 A possible way forward

Domestic legislation is not the only method to combat phishing. Given that phishing is a global phenomenon,[76] one possible mechanism to control phishing may be international legislation. Sullins suggests there are two possible models, the United Nations Convention Against Transnational Organised Crime or the Council of Europe Convention on Cybercrime.[77] Although either model may go some way to ameliorating hurdles two and three above, given the extraordinary difficulty of obtaining an international consensus and then uniformity on a legislative response to phishing, it is unlikely that such a response will be an effective solution to combat phishing anytime soon.

A better way forward would be to engage the targeted companies and consumers in the battle against phishing. This response relies on improved technological protections, as well as on increased consumer awareness.

3.3.1 Consumer awareness

Given that a phishing attack will require the recipient of the phishing email to do some positive act – reply, click on a link, or provide information – consumer education and awareness discouraging recipients from doing any positive act in concerning circumstances will greatly diminish the chances of success for a phisher.

Internet users should also be cognisant of the phishing threat when accessing their email and look for these signs that the email they have received is a phishing email:

• emails addressed to a generic name (such as ‘Dear Customer’) rather than a username;

• unexpected requests for personal information;

• alarmist warnings (for example, claims that the account will be closed if there is no response);

• mistakes (spelling, grammar, errors in the organisation’s logo).[78]
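As an added example (not part of the article), the following Python checker scores an email against the signs listed above: a generic salutation, a request for personal information, alarmist or coercive wording, and a link the reader is told to click (the positive act the article says every lure depends on). The fourth sign, spelling and logo mistakes, is left to the human reader because it cannot be checked reliably with keyword lists. The keyword lists and the benign message are constructed for the example; the lure is the specimen quoted at the top of the article.

```python
import re

# Quoted from the article's opening specimen (the NAB lure).
LURE = """Dear National Australia Bank Member,

Technical services of the National Australia Bank are carrying out a planned software upgrade for the maximum convenience of the users of on-line services of the Bank. You are requested to visit our site, and fill in the required information by clicking the link below:

https://national.com.au/cgi-bin/ib/301_confstart.pl?browser=correct

This instruction has been to all bank customers and is obligatory to follow.
"""

# Constructed benign message for comparison.
BENIGN = """Dear Jane Citizen,

Your March statement is now available. Log in through the bank's website as usual to view it. No action is required on your part.
"""

# Constructed keyword lists; a real filter would tune these against observed mail.
GENERIC_SALUTATIONS = ("customer", "member", "user", "client", "account holder", "valued")
PERSONAL_INFO_REQUESTS = ("fill in", "required information", "confirm your", "update your",
                          "verify your", "enter your", "password", "account details",
                          "credit card")
ALARMIST_TERMS = ("suspend", "closed", "obligatory", "immediately", "urgent", "locked",
                  "within 24 hours", "failure to", "unauthorised", "unauthorized")


def has_generic_salutation(text: str) -> bool:
    """Sign 1: the email opens with a generic name rather than the recipient's."""
    m = re.search(r"^\s*dear\s+([^,:\n]+)", text, re.IGNORECASE | re.MULTILINE)
    if not m:
        return False  # no salutation at all; not counted as generic
    salutation = m.group(1).lower()
    return any(term in salutation for term in GENERIC_SALUTATIONS)


def asks_for_personal_information(text: str) -> bool:
    """Sign 2: the email asks the reader to supply or 'confirm' personal data."""
    lowered = text.lower()
    return any(term in lowered for term in PERSONAL_INFO_REQUESTS)


def has_alarmist_warning(text: str) -> bool:
    """Sign 3: coercive or alarmist language pushing for a quick response."""
    lowered = text.lower()
    return any(term in lowered for term in ALARMIST_TERMS)


def asks_to_click_link(text: str) -> bool:
    """A URL plus an instruction to click it: the positive act the lure needs."""
    return bool(re.search(r"https?://\S+", text)) and "click" in text.lower()


def analyse(text: str) -> dict:
    """Return each signal and a simple count; two or more signals is treated as suspicious."""
    signals = {
        "generic_salutation": has_generic_salutation(text),
        "personal_info_request": asks_for_personal_information(text),
        "alarmist_warning": has_alarmist_warning(text),
        "click_link": asks_to_click_link(text),
    }
    score = sum(signals.values())
    signals["score"] = score
    signals["verdict"] = "likely phishing" if score >= 2 else "no strong indicators"
    return signals


if __name__ == "__main__":
    for label, message in (("lure", LURE), ("benign", BENIGN)):
        print(label, analyse(message))
```

Note that the specimen scores on every signal except the one this checker cannot see: its link reads like the bank's own domain, so nothing in the text alone distinguishes a spoofed URL from the genuine one. That is the URL-spoofing point made in Part II, and it is why wording checks are a complement to, not a substitute for, the link-handling advice in the next section.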

Given that the easiest and cheapest way of preventing successful phishing attacks is consumer awareness, banks,[79] credit card companies,[80] e-commerce websites,[81] internet organisations like APWG[82] and FraudWatch International,[83] and governments have issued advice on how to protect information online and avoid phishing attacks. This is the advice given by the Australian government:

There are some simple rules that you can follow which will help you stay protected from phishing:

• Never respond to an email that asks for personal or financial information, even if it appears to be from your bank.

• Always call your bank by phone or visit them in person if you wish to update your financial and personal details. Never send this information electronically.

• Regularly check your computer for viruses and spyware to ensure that your system is not being scanned for personal details without you knowing.

• Determine who you need to contact in an emergency if you feel you have become a victim of phishing. Reports may need to be filed and accounts temporarily closed.

• Keep close check of your financial statements to see whether there are any unexplained transactions.

• Understand your rights in relation to online fraud.[84]

Educating the likely recipients of phishing attacks in such a manner should continue as the reality is that the easiest and cheapest way to prevent or reduce the success of phishing attacks is simply for the recipient not to reply to the phishing email and not to click on any links in the phishing email.

3.3.2 Information technology

There are also simple and immediate technological steps that any internet user can take to reduce the likelihood of being the victim of a phishing attack, including the use of spam filters on email, anti-virus software and personal firewalls. Internet users should ensure that these measures, as well as their operating and browser software, are up to date.

Information security technology solutions may be able to limit the increasing threat posed by phishing, especially the more advanced forms of phishing that employ crimeware. However, most of these information security solutions will need to be implemented by the companies and organisations targeted by phishers. The APWG has made these recommendations:[85] first, adopt strong website authentication so that all users of e-commerce sites authenticate themselves using a physical token such as a smart card; second, implement mail server authentication, requiring all email to pass through a gateway server for source verification; third, companies and organisations that feel vulnerable to phishing attacks should attach a digital signature, with desktop and/or gateway verification, to all their outbound email.[86] These steps, together with careful monitoring and the implementation of any sensible future technological advances, should help minimise the incidence and success of phishing attacks.
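The caveat in note 86 is worth showing in working form: a gateway that verifies a digital signature learns only that the mail came from the domain that signed it, and must still decide whether that domain is the one the user trusts. The following is an added illustration, not the APWG's or the article's code; it assumes a constructed allowlist of trusted domains and a simplified registrable-domain rule.

```python
"""Sender-domain check for a mail gateway (hypothetical helper).

A valid signature proves the From: domain was not forged, but
'ebay.custservices.com' is a different registrable domain from
'ebay.com', so the gateway must compare the signing domain against
the domains the user actually trusts.
"""
from email.utils import parseaddr

# Constructed sample allowlist; a deployment maintains its own.
TRUSTED_DOMAINS = {"ebay.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification (assumption): production code should consult the
    Public Suffix List so that e.g. 'bank.com.au' is handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Extract the domain part of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, signature_valid: bool) -> str:
    """Decide how the gateway should treat a message.

    'unsigned'  - no valid signature, so the From: domain is unverified
    'trusted'   - signed by a domain on the allowlist
    'lookalike' - signed, but by a different registrable domain whose
                  hostname or display name borrows a trusted brand name
    'other'     - signed by an unrelated domain
    """
    if not signature_valid:
        return "unsigned"
    host = sender_domain(from_header)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    display, _ = parseaddr(from_header)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # e.g. 'ebay'
        # The brand appears as a hostname label or in the display name,
        # yet the registrable domain is not the trusted one.
        if brand in host.split(".") or brand in display.lower():
            return "lookalike"
    return "other"
```

The lookalike verdict is the case the APWG describes: the signature verifies, but the signing domain is not the company's own.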

4. Conclusion

This paper has established the threat phishing poses to e-commerce, as well as to consumer confidence in the internet itself. The battle against phishing – as perhaps with all forms of cybercrime – requires a multi-faceted response. Although the reality is that traditional legislative responses, whether on a domestic or an international level, are unlikely to be successful and that increased law enforcement is largely ineffective and costly, that is not to say such approaches should not be pursued. In identifying such acts as criminal, the conduct is denounced, a clear deterrent is articulated and internet users feel some reassurance knowing perpetrators can be prosecuted. Even if few in number, successful prosecutions, especially when they are reported in the media, do send a negative message to would-be phishers, as well as serving to soothe the level of public anxiety about internet abuse and fraud. However, this can all be done with existing legislation. Moreover, what is clear is that the more effective and desirable response to phishing is to engage the companies and consumers targeted by phishers in a suite of measures designed to improve the technological safeguards against phishing and to enhance consumer awareness. If computers have software safeguards to limit phishing hooks getting through, and users have the knowledge to identify and respond to any lures that surface, phishers may find that too few will take their bait and be caught in their scam.


* Associate Lecturer, Queensland University of Technology.

[1] James Riley, ‘NAB customers baited in email ‘phishing’ scam’ The Australian (Sydney) 27 December 2005 <http://www.australianit.news.com.au/articles/0,7204,17666685%5E15306%5E%5Enbv%5E,00.html> at 27 December 2005.

[2] United States Department of Justice, Special Report on ‘Phishing’: <http://www.usdoj.gov/criminal/fraud/Phishing.pdf> at 17 April 2007. For other definitions, see Australian Department of Communications, Information Technology and the Arts, Attorney-General’s Department, Australian Communications Authority, ‘Phishing: don’t take the bait!’: <http://www.dcita.gov.au/communications_and_technology/publications_and_reports/2004/may/phishing_-_dont_take_the_bait!_-_fact_sheet> at 17 April 2007; and Anti-Phishing Working Group, Anti-Phishing Resources <http://www.antiphishing.org/resources.html> at 17 April 2007.

[3] Peter Black, ‘Catching a phish: protecting online identity’ (2006) 8 Internet Law Bulletin 133, at 133.

[4] See Australian Government, Australian Institute of Criminology (2005) 9 High Tech Crime Brief 1: <http://www.aic.gov.au/publications/htcb/htcb009.pdf> at 18 April 2007.

[5] See Anti-Phishing Working Group, Origins of the Word ‘Phishing’: <http://www.antiphishing.org/word_phish.html>.

[6] See Anita Ramasastry, ‘The Anti-Phishing Act of 2004: A Useful Tool Against Identity Theft’ (2004) Writ 16 August 2004: <writ.findlaw.com/ramasastry/20040816.html>.

[7] Russel Kay, ‘Phishing’ (2004) ComputerWorld 19 January 2004: <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=89096&pageNumber=1> at 18 April 2007.

[8] See Camille Calman, ‘Bigger Phish to Fry: California’s Anti-Phishing Statute and Its Potential Imposition of Secondary Liability on Internet Service Providers’ (2006) 13 Richmond Journal of Law & Technology 2, [8].

[9] Tracey Baker, ‘Ignore and bait: Don’t Get Hooked by Phishing Scams’ (2005) 16 Plugged In 2, 54.

[10] For example, in December 2005, Microsoft filed 117 civil lawsuits in the United States District Court for the Western District of Washington targeting unnamed defendants who sent spam email and put up websites targeting Microsoft services such as MSN and Hotmail. See Grant Gross, ‘Microsoft files 117 phishing lawsuits’, Computerworld, 31 March 2005: <http://computerworld.com/securitytopics/security/story/0,10801,100777,00.html> at 23 April 2007.

[11] For example, Google, whose users were targeted in November 2005 with a copy of Google’s front page with a large message claiming ‘You have WON $400.00!!!’. Users were then presented with instructions to claim their prize money. These instructions required users to enter their credit card number and shipping address. See Joris Evers, ‘Google phishing scam promises a $400 windfall’ CNET News, 8 November 2005: <http://www.news.com.com/Google+phishing+scam+promises+a+400+windfall/2100-7349_3-5940682.html> at 20 April 2005.

[12] For example, the United States Federal Bureau of Investigation warned that many of the 4,000 websites advertising relief services for Hurricane Katrina victims in Louisiana could be fake. A similar situation occurred after the tsunami devastated the coast of Indonesia in December 2004. See Deborah Radcliff, ‘Fighting back against phishing’ Computerworld, 21 April 2005: <http://www.computerworld.com.au/pp.php?id=70761714&fp=16&fpid=0>.

[13] See Calman, above note 8, [8].

[14] Eric L. Carlson, ‘Phishing for Elderly Victims: As the Elderly Migrate to the Internet Fraudulent Schemes Targeting Them Follow’ (2006) 14 The Elder Law Journal 423, 435 citing ‘Internet Fraud Hits Seniors: As Senior Venture into the Web, the Financial Predators Lurk and Take Aim’: Hearing Before the U.S. Senate Spec. Comm. On Aging, 109th Cong. 78 (2004) at 78 (statement of David Jevans, Chairman, Anti-Phishing Working Group).

[15] Matthew Bierlein and Gregory Smith, ‘Internet: Privacy Year in Review: Growing Problems with Spyware and Phishing, Judicial and Legislative Developments in Internet Governance, and the Impacts on Privacy’ (2005) 1 I/S: A Journal of Law and Policy for the Information Society 279, 307.

[16] Defined as: ‘Crimeware code which is designed with the intent of collecting information on the end-user in order to steal those users' credentials. Unlike most generic keyloggers, phishing-based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions and online retailers and ecommerce merchants) in order to target specific information, the most common are; access to financial based websites, ecommerce sites, and web-based mail sites.’ See APWG, Phishing Attack Trends Reports February 2007, 5: <http://www.antiphishing.org/reports/apwg_report_february_2007.pdf> at 18 April 2007.

[17] Defined as: ‘Crimeware code which is designed with the intent of redirecting end-users network traffic to a location where it was not intended to go to. This includes crimeware that changes hosts files and other DNS specific information, crimeware browser-helper objects that redirect users to fraudulent sites, and crimeware that may install a network level driver or filter to redirect users to fraudulent locations. All of these must be installed with the intention of compromising information which could lead to identify theft or other credentials being taken with criminal intent.’ See APWG, above note 16, at 7.

[18] Carlson, above note 14, at 435.

[19] See APWG, above note 16 at 1.

[20] Lauren L Sullins, ‘Phishing for a solution: domestic and international approaches to decreasing online identity theft’ (2006) 20 Emory International Law Review 397 at 402.

[21] Jennifer Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’ (2005) 20 Berkeley Technology Law Journal 259 at 266-67.

[22] ‘Internet Fraud Hits Seniors: As Senior Venture into the Web, the Financial Predators Lurk and Take Aim’: Hearing Before the U.S. S. Spec. Comm. On Aging, 109th Cong. 78 (2004) at 78 (statement of David Jevans, Chairman, Anti-Phishing Working Group).

[23] See Australian Institute of Criminology, above note 4.

[24] See APWG, above note 16 at 1.

[25] Ibid.

[26] Ibid.

[27] Ibid at 5.

[28] Javelin Strategy and Research, 2005 Identity Fraud Survey Report.

[29] This is according to a survey conducted by the Ponemon Institute in 2004: <http://www.ponemon.org>. See Leydon J, ‘US phishing losses hit $500 million’ The Register: <http://www.theregister.co.uk/2004/09/29/phishing_survey/> at 18 April 2007.

[30] See Gartner, ‘Gartner Study Finds Significant Increase in E-mail Phishing Attacks’ (Press Release, 6 May 2004): <http://www.gartner.com/press_releases/asset_71087_11.html> at 20 April 2007.

[31] See Statement of United States Senator Patrick Leahy, ‘Introduction of “The Anti-Phishing Act of 2004”’, Senate Floor, Congressional Record, Friday 9 July 2004: <http://www.leahy.senate.gov/press/200407/070904c.html> at 21 April 2007.

[32] Jennifer Barrett, ‘Phishing for Dollars’, Newsweek, 28 January 2004: <http://www.msnbc.msn.com/id/4079364/> at 20 April 2007.

[33] RSA Security, ‘RSA Security Announces Key Findings from Annual Financial Institution Consumer Online Fraud Survey’ (Press Release, 14 March 2006): <http://www.cyota.com/press-releases.asp?id=78> at 22 April 2007.

[34] Declan McCullagh, ‘Season over for ‘phishing’?’, CNET News.com, 15 July 2004: <http://news.com.com/Season+over+for+phishing/2100-1028_3-5270077.html> at 21 April 2007.

[35] See above note 6.

[36] See Black, above note 3, at 134-135.

[37] A similar list is contained in Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, Discussion Paper Model Criminal Code Chapter 3: Identity Crime (April 2007), at 13-23. Neither list is exhaustive; rather, each provides an illustration of the kinds of offences with possible application.

[38] Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Discussion Paper Model Criminal Code Chapter 3: Credit Card Skimming Offences (March 2004), 3.

[39] Innis M, ‘Log-on rip-off’ Sydney Morning Herald 23 April 2003.

[40] Innis M, above note 38 at 23.

[41] Ibid.

[42] See s 480.2 of the Criminal Code Act 1995 (Cth).

[43] See s 480.1 of the Criminal Code Act 1995 (Cth).

[44] See s 480.1 of the Criminal Code Act 1995 (Cth).

[45] See above note 37, at 24.

[46] For a summary of spam legislation in Australia, the US and Europe, see Philip Argy, ‘Will the new code keep the lid on spam?’ (2005) 8(1) Internet Law Bulletin 1.

[47] See s 16 of the Spam Act 2003 (Cth).

[48] Ibid s 6(1)(n) & (o).

[49] Ibid s 7.

[50] See s 52 of the Trade Practices Act 1974 (Cth), s 12 of the Fair Trading Act 1992 (ACT), s 42 of the Consumer Affairs and Fair Trading Act 1990 (NT), s 42 of the Fair Trading Act 1987 (NSW), s 38 of the Fair Trading Act 1989 (Qld), s56 of the Fair Trading Act 1987 (SA), s 14 of the Fair Trading Act 1990 (Tas), s11 of the Fair Trading Act 1985 (Vic), and s 10 of the Fair Trading Act 1987 (WA).

[51] See above note 27.

[52] 18 U.S.C. 1028 (2000).

[53] 18 U.S.C. 1343 (2000 & Supp. II 2002).

[54] 18 U.S.C. 1029 (2002).

[55] 18 U.S.C. 1344 (2000).

[56] 15 U.S.C. 1643(a)(1) (2000).

[57] 15 U.S.C. 6821(b) (2000).

[58] Amending 18 U.S.C.

[59] Amending scattered sections of 15 U.S.C., 18 U.S.C., 28 U.S.C. and 27 U.S.C. For a summary of the CAN-SPAM Act, see note 46.

[60] Deborah Fallows (Pew Internet and American Life Research Fellow), ‘CAN-SPAM a year later’, April 2005: <http://www.pewinternet.org/pdfs/PIP_Spam_Ap05.pdf>.

[61] See Calman, above note 8, [2].

[62] VA. CODE ANN. § 18.2-152.5:1 (2005).

[63] S.B. 720, 2005 Leg., Reg. Sess. (N.M. 2005), N.M. STAT. ANN. § 30-16-24.1 (West 2005).

[64] Assemb. 8025, 2005 Assemb., Reg. Session (N.Y. 2005).

[65] Anti-Phishing Act, 79th Leg. R.S., ch. 544, § 1, 2005 Tex. Gen. Laws 1468. For a discussion of the Act, see Justin Vaughan, ‘Texas’s New E-Consumer Protection Acts: a (ph)arewell to phishing and spyware?’ (2006) 13 Texas Wesleyan Law Review 265.

[66] H.B. 1888, 2005–2006 Leg. Reg. Sess. (Wash. 2005), WASH. REV. CODE § 19.190.010 (2005). See also Eric Chabrow, ‘Washington State Enacts Anti-Spyware and Anti-Phishing Legislation’, Government Enterprise, May 19 2005: <http://www.governmententerprise.com/news/163105506> at 23 April 2007.

[67] CAL. BUS. & PROF. CODE § 22948–22948.3 (West Supp. 2006). See Calman, above note 8, [4].

[68] For an excellent discussion of how best to deter cybercrime, see Neal Kumar Katyal, ‘Criminal Law in Cyberspace’ (2001) 149 University of Pennsylvania Law Review 1003.

[69] These hurdles are expanded upon by Robert Stevenson, ‘Plugging the ‘Phishing’ Hole: Legislation Versus Technology’ (2005) Duke Law and Technology Review 6, [14]-[23].

[70] See above note 26.

[71] Thomas Fedorek, ‘Computers + Connectivity = New Opportunities for Criminals and Dilemmas for Investigators’ (2003) 76(2) New York State Bar Association Journal 10, at 16.

[72] See above note 71, at 17.

[73] Federal Trade Commission, A CAN-SPAM Informant Reward System: A Report to Congress (September 2004), 36, fn 38: <http://www.ftc.gov/reports/rewardsys/040916rewardsysrpt.pdf> at 22 April 2007.

[74] Andrew Colley, ‘AusCERT: AFP looks to French connection to arrest phishing scam’ ZDNet 7 April 2004: <http://www.zdnet.com.au/news/security/0,2000061744,39144081,00.htm> at 17 April 2007.

[75] See Australian Federal Police, ‘Man arrested over phishing scam’ (Press Release, 10 August 2004): <http://www.afp.gov.au/media_releases/national/2004/ahtcc/man_arrested_over_phishing_scam> at 20 April 2005.

[76] See above note 27.

[77] Sullins, above note 20, at 417-426.

[78] See Black, above note 3, at 136.

[79] See, for example, the Australian Bankers’ Association (prepared by the Australian Bankers’ Association and the Australian High Tech Crime Centre): <http://www.bankers.asn.au/Default.aspx?ArticleID=846> at 19 April 2007.

[80] See, for example, MasterCard: <http://www.mastercard.com/us/personal/en/securityandbasics/fraudprevention/emailfraud/index.html> at 19 April 2007.

[81] See, for example, eBay: <http://pages.ebay.com/help/confidence/isgw-account-theft-spoof.html> at 19 April 2007.

[82] See <http://www.antiphishing.org/consumer_recs.html> at 21 April 2007.

[83] See <http://www.fraudwatchinternational.com/phishing/> at 21 April 2007.

[84] Australian Government Net Alert Limited, ‘How to Avoid a Phishing scam’: <http://www.netalert.net.au/01604-How-to-avoid-a-Phishing-scam.asp> at 19 April 2007.

[85] Anti-Phishing Working Group, Whitepaper: Proposed Solutions to Address the Threat of Email Spoofing Scams (12 December 2003): <http://www.antiphishing.org/form_wp_scamsolution.htm> at 17 April 2007.

[86] In evaluating the pros and cons of using digital signatures, the APWG notes that this approach would make it impossible to forge the ‘From:’ address without detection. However, it would still be possible for a phisher to obtain a valid digital certificate for a domain that is deceptively similar to that of a target company (e.g. the phisher could use ‘ebay.custservices.com’, which is an entirely different domain from ‘ebay.com’). See above note 85.


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/2005/4.html