Computer Crime Research Center


Plugging the "phishing" hole: legislation versus technology

Date: March 17, 2005
Source: Duke's Law and Technology Review
By: Robert Louis B. Stevenson


This iBrief analyzes the Anti-Phishing Act of 2005, legislation aimed at curbing the problem of "phishing." Phishing is the sending of fraudulent emails which appear to be from legitimate businesses and thereby fooling the recipients into divulging personal information such as credit card numbers. While this legislation may provide some assistance in the fight against phishing, it is limited by the global nature of the Internet and the ease with which phishers can hide and avoid judgments. This iBrief therefore concludes that although the Anti-Phishing Act can play a supporting role in the battle, technological solutions are the most effective means of reducing or eliminating phishing attacks.


1. The Internet has created a marketplace for businesses and consumers to come together and interact in new and exciting ways. Unfortunately, it has also provided criminals and the unscrupulous with a new venue.[2] Nowhere is this more evident than in the recent emergence and growth of the phenomenon known as "phishing." The United States Department of Justice defines phishing as criminals’ creation and use of e-mails and websites--designed to look like e-mails and websites of well-known legitimate businesses, financial institutions, and government agencies--in order to deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames and passwords.[3]

2. Studies indicate that the number of phishing incidents is increasing at an alarming rate. A recent report by the Anti-Phishing Working Group[4] ("APWG") found that phishing attacks have increased by an average of 30% each month since July 2004.[5] In January 2005, alone, more than 12,800 phishing emails and 2,560 phishing web sites, representing 64 hijacked brands, were reported and tracked by the APWG.[6] Perhaps the rapid growth of this new type of consumer fraud can be explained by the additional finding by the APWG that "data suggests that phishers are able to convince up to 5% of recipients to respond to them."[7] By contrast, the estimated response rate for regular spam is 0.01%.[8] Further research has estimated that the costs of these phishing attacks on consumers in 2003 ranged from $500 million to an amazing $2.4 billion.[9]

3. Phishing is a particularly invidious attack on the Internet community because it almost always involves two separate acts of fraud. The phisher first "steals" the identity of the business it is impersonating and then acquires the personal information of the unwitting customers who fall for the impersonation. This has led commentators to refer to phishing as a "two-fold scam"[10] and a "cybercrime double play."[11]

4. It is clear that something must be done soon to curb this alarming trend. The question, however, is what can and should be done to reduce or even eliminate phishing attacks.

5. On February 28, 2005, Senator Patrick Leahy (D-VT) introduced the Anti-Phishing Act of 2005 ("the Act") in the United States Senate.[12] The Act is virtually identical to the Anti-Phishing Act of 2004, which Senator Leahy introduced last year but stalled in committee without coming to a vote before the congressional session ended.[13] This iBrief provides an analysis of the Act and concludes that this bill would fill some gaps in the current law and would make prosecution and conviction of phishers easier. However, the Act suffers from the same inherent weaknesses as all legislation aimed at solving what is essentially a technological problem. Although Congress should enact this legislation, alone it is unlikely to truly stop the flow of phishing attacks. The only way to effectively eliminate the phishing problem is to focus on technological changes and have legislation play a supporting role.

I. The Anti-Phishing Act of 2005

A. Content of the Act

6. The Act, if passed, will add two crimes to the current federal law:It would criminalize the act of sending a phishing email regardless of whether any recipients of the email suffered any actual damages.[14] It would criminalize the act of creating a phishing website regardless of whether any visitors to the website suffered any actual damages.[15] Senator Leahy described the effects of the Act in this way: The [Act] protects the integrity of the Internet in two ways. First, it criminalizes the bait. It makes it illegal to knowingly send out spoofed email that links to sham websites, with the intention of committing a crime. Second, it criminalizes the sham websites that are the true scene of the crime.[16] The Act is also notable for what it does not contain. The bill provides no guidance or allocation of additional resources for its enforcement. This is in contrast with a recently proposed bill in the House of Representatives[17] aimed primarily at "spyware."[18] While the House bill adds no law related to phishing, it does provide for the appropriation of "the sum of $10,000,000 to the Attorney General for prosecutions needed to discourage the use of spyware and . . . phishing."[19] Because the House bill adds no new law directed at phishing,[20] this iBrief does not further discuss or analyze it. It is noted here only for the purpose of pointing out a possible deficiency in the Act.

B. History and Status of the Act

7. There is little information indicating how the Act came into being. Senator Leahy, himself, at the time he introduced the 2004 version of the bill said only that "we have worked closely with various public interest organizations to ensure that the Anti-Phishing Act does not impinge on the important democratic role that the Internet plays."[21] For instance, Senator Leahy has attempted to address First Amendment concerns that some groups may have had regarding certain provisions within the bill since Senator Leahy also stated when he introduced the bill, "[t]here are important First Amendment concerns to be protected. The Anti-Phishing Act protects parodies and political speech from being prosecuted as Phishing."[22] Beyond the congressional record, there is some indication that the Act had the support of some influential Internet entities including the Anti-Phishing Working Group, the Center for Democracy and Technology, and eBay.[23]

C. Analysis

1. Where the Act helps

8. The main area in which the Act will likely help in the current fight against phishing attacks is in allowing the prosecution of phishers without requiring a showing of specific damages to any individual. As explained by a member of Senator Leahy’s staff:

[p]hishing scammers already violate a host of identity theft and fraud laws, but prosecuting them under those statutes can be challenging . . . . To charge scammers now, law enforcers need to prove that a victim suffered measurable losses. By the time they do that . . . the scammer has often disappeared.[24]

9. This reasoning is bolstered by data compiled by the APWG finding that the average life span for phishing sites, measured by how long they continue to respond with content, is 5.8 days.[25] Accordingly, law enforcement personnel have, on average, 5.8 days from the time the phisher first initiates the scam to track him or her down and compile sufficient evidence to bring charges.[26]

10. Additionally, removing the requirement to show damages permits businesses to more easily come forward as the prime complainant against a phisher that has "stolen" their web identity to scam their clients. Recall that a phishing attack involves two victims, the business and the consumer.[27] While the consumer’s economic damages are usually fairly obvious, the reputational damages that a business incurs as the result of a phishing scam are often much more difficult to quantify.[28]

2. Where the Act falls short

11. Any legislation aimed at punishing Internet-related offenses faces three formidable hurdles: (1) difficulty inherent in finding the perpetrator of an on-line crime, (2) obtaining personal jurisdiction, and (3) collecting the judgment. Unless these can be overcome, the net impact of bills such as the Anti-Phishing Act will be limited, at best.

12. The first problem, finding the perpetrator, is illustrated by two related phishing incidents at the University of Michigan and Duke University. In the fall of 2002, the University of Michigan hosted a conference of the Palestinian Solidarity Movement ("PSM"). Shortly before the conference was to begin, an email was sent to "a large number of [the university’s] faculty, staff, and students"[29] purporting to be sent by a member of a student organization involved with the conference and with the approval and assistance of university administration.[30] The email, which was not in fact authorized by anyone connected with the conference or the university,[31] contained "many misstatements of fact"[32] and "violated norms of civility and respect."[33] Despite "pursuing a vigorous investigation"[34] into the source of the offending email that included the services of "campus information technology security experts"[35] the investigators were only able to conclude was that "the message originated in California."[36]

13. A university administrator in charge of the investigation explained the inability to track down the sender of the unauthorized email more precisely:

It is important to recognize that when e-mail is sent from one point on the Internet to another, it can follow a complex path as it travels through multiple mail servers. In this case, the senders used an unsecured server known as an "open relay" in order to help hide their identity....
Original article

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2005-09-02 06:29:19 - Very nice Mira
2005-04-11 07:51:00 - I am really amaged at the international... Prof. D. R. Kiran
Total 2 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo