While the U.S. House of Representatives has initially focused on
anti-spyware measures in the early days of the 109th Congress, Sen. Patrick
Leahy (D-Vt.) this week targeted phishing in one of the first technology
bills introduced in the upper chamber.
Phishing is a form of identity theft launched by cyberspace con artists. It
usually begins with spoofed e-mail appearing to be from a trusted financial
institution or business. The e-mail directs the reader to a fraudulent site
that attempts to collect personal information such as credit card and
“Some phishers and pharmers can be prosecuted under wire fraud or identity
theft statutes, but often these prosecutions take place only after someone
has been defrauded,” Leahy said in a floor speech introducing the
legislation. “For most of these criminals, that leaves plenty of time to
cover their tracks.”
Leahy’s Anti-Phishing Act of 2005 targets both the e-mail bait and the
Web site switch by entering two new crimes into the U.S. Code. The bill
prohibits the creation or procurement of an e-mail that represents itself as
being from a legitimate business but is, in fact, sent with the intent to
commit a fraud or identity theft.
The second part of the bill prohibits the creation or procurement of a
Web site that appears to be legitimate but attempts to induce the victim to
divulge personal information with the intent to commit a crime of fraud or
The bill also targets the practice of pharming, which entails hijacking Web browsers and the Internet’s addressing system. The effect is that even individuals who correctly type a desired Internet destination into their Web browser may be redirected to a phony Web site.
The bill calls for fines of up to $250,000 and prison terms topping out at
five years for convicted phishers and pharmers.
“It has been reported that the average phishing Web site is active on the
Internet for less than six days. Moreover, the mere threat of these attacks
undermines everyone’s confidence in the Internet,” Leahy said. “When people
cannot trust that Web sites are what they appear to be, they will not use the
Internet for their secure transactions. Traditional wire fraud and identity
theft statutes are not sufficient to respond to phishing and pharming.
According to the Anti-Phishing Working Group (APWG), phishing attacks jumped 42 percent from December to January. The APWG reported 12,845 new, unique phishing e-mails, and the number of phishing Web sites supporting these messages reached 2,560, which is up 47 percent from 1,740.
The types of attacks are also expanding, with cyber criminals looking beyond
“Port 80” HTTP-based attacks. Port 80 is the default port for the HTTP Web
protocol. In January, nearly 10 percent of phishing sites were hosted on
non-Port 80 HTTP servers in an apparent attempt to evade detection.
The APWG believes the trend away from targeting Port 80 indicates that the
number of user PCs that have been compromised for phishing attacks is
growing. The report also said that financial service firms continue to be a
leading target. Eight of nine newly hijacked brands in January belonged
to financial institutions.
“To many Americans, phishing and pharming are new words. They are certainly
a new form of an old crime. They are also very serious, and we need to act
aggressively to keep them from eroding the public’s trust in online commerce
and communication,” Leahy said.
Leahy said his bill protects free speech, even if it is deceptive, such as
the innocent parodying of commercial Web sites for political commentary. The
legislation also requires that anyone charged under the proposed new laws
must have the specific criminal purpose of committing a crime of fraud or
“There are, of course, important First Amendment concerns to be protected.
The Anti-Phishing Act protects parodies and political speech from being
prosecuted as phishing,” Leahy said. “We have worked closely with various
public interest organizations to ensure that the Anti-Phishing Act does not
impinge on the important democratic role that the Internet plays.”