The alarming growth of phishing has spawned a variety of responses,
including technological, organizational and, lately, legislative.
President Bush just signed legislation to increase penalties against
phishing and other identity theft-related cyber crimes. While the Identity
Theft Penalty Enhancement Act, or ITPEA, doesn’t win awards for having a
compelling title (unless the word “enhancement” is a clever tip-of-the-hat
to spammers), its goal is admirable: To make it harder for identity theft to pay.
Phishing is an insidious cyber scam perpetrated by identity thieves who use
official-looking but bogus e-mail to lure recipients to a dummy Web site
ready to steal visitors’ personal and bank information (provided they hand
it over). Nearly anyone online
in the past year has been e-mailed repeatedly by “eBay,” “MasterCard” or
their “private bank,” urging them to take urgent action to solve an urgent
problem with their account (“Did we mention this is urgent?”) by clicking on
the provided Web site link.
Of course, like the e-mail, the Web site also looks “official,” but is
instead a phishing hole, so to speak. And if you aren’t careful, you could
end up handing over credit card numbers, user names, passwords and other
information for phishers to use or sell.
Lots of people haven’t been careful — the good scams are
realistic-looking — and the number of Americans who fall victim to identity
fraud each year runs between seven million and 10 million, according to some
A scourge indeed. But for many people convicted of identity-theft crimes,
punishment often comes in the form of probation, restitution, home
confinement and perhaps a stern lecture from the judge — a reliable recipe
ITPEA tries to toughen things up by establishing a new crime — aggravated
identity theft, which the federal government defines as using a stolen
identity to commit other crimes. Convictions for aggravated identity theft
would carry a mandatory two-year prison sentence.
Mandatory sentencing usually arises from several factors — a climate of
fear or urgency fueled by genuine frustration about a certain type of
widespread crime, pressure on politicians to appear “tough” and the eternal
desire for easy solutions.
The trouble with easy solutions is that they’re not always “just,” and
“just” should be the top priority of a “justice” system. The imposition of
mandatory sentencing essentially replaces some bad judgment with no
judgment, while providing a forum for public representatives to dispense
some “sheriff” sound bytes.
So while the president and the ITPEA’s congressional sponsors undoubtedly
feel good about their tough stand on identity theft, it’s not likely that
phishers, especially the many based in Asia and Eastern Europe, will be
A better piece of anti-phishing legislation was introduced to the U.S.
Senate on July 9 by Sen. Patrick Leahy, D-Vt. The Anti-Phishing Act
of 2004 defines phishing as a federal crime. Specifically, the proposed
law prohibits spoofing a Web site in order to “induce, request, ask or solicit any
person to transmit, submit or provide any means of identification to
The bill tackles the “lure” part of the phishing equation by outlawing the
transmission of e-mail disguised to look like it’s from a legitimate
business, but is intended to trick online users into providing personal and
financial information with the intent to commit identity theft or fraud.
Convictions under the Anti-Phishing Act of 2004 could mean up to five years
in prison — a stiff sentence — and a $250,000 fine. Plus the bill is
proactive: Charges could be filed against phishers just for attempting an
online scam, so law enforcement doesn’t have to wait for a victim to be
No legislation is perfect, but as long as criminal elements roam the
Internet, clearly we’ll need evolving laws to deal with them. In this case,
I prefer the Leahy bill because it’s tough but flexible and gives federal
officials the ability to pre-empt scams.
Chris Nerney is executive editor of Jupitermedia’s Earthweb and IT Management Channel