
Black, Peter --- "Phish to Fry: Responding to the Phishing Problem" [2005] JlLawInfoSci 4; (2005) 16 Journal of Law, Information and Science 73

* Associate Lecturer, Queensland University of Technology.

[1] James Riley, ‘NAB customers baited in email ‘phishing’ scam’ The Australian (Sydney) 27 December 2005 <http://www.australianit.news.com.au/articles/0,7204,17666685%5E15306%5E%5Enbv%5E,00.html> at 27 December 2005.

[2] United States Department of Justice, Special Report on ‘Phishing’: <http://www.usdoj.gov/criminal/fraud/Phishing.pdf> at 17 April 2007. For other definitions, see Australian Department of Communications, Information Technology and the Arts, Attorney-General’s Department, Australian Communications Authority, ‘Phishing: don’t take the bait!’: <http://www.dcita.gov.au/communications_and_technology/publications_and_reports/2004/may/phishing_-_dont_take_the_bait!_-_fact_sheet> at 17 April 2007; and Anti-Phishing Working Group, Anti-Phishing Resources <http://www.antiphishing.org/resources.html> at 17 April 2007.

[3] Peter Black, ‘Catching a phish: protecting online identity’ (2006) 8 Internet Law Bulletin 133, at 133.

[4] See Australian Government, Australian Institute of Criminology (2005) 9 High Tech Crime Brief 1: <http://www.aic.gov.au/publications/htcb/htcb009.pdf> at 18 April 2007.

[5] See Anti-Phishing Working Group, Origins of the Word ‘Phishing’: <http://www.antiphishing.org./word_phish.html>.

[6] See Anita Ramasastry, ‘The Anti-Phishing Act of 2004: A Useful Tool Against Identity Theft’ (2004) Writ 16 August 2004: <writ.findlaw.com/ramasastry/20040816.html>.

[7] Russel Kay, ‘Phishing’ (2004) ComputerWorld 19 January 2004: <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=89096&pageNumber=1> at 18 April 2007.

[8] See Camille Calman, ‘Bigger Phish to Fry: California’s Anti-Phishing Statute and Its Potential Imposition of Secondary Liability on Internet Service Providers’ (2006) 13 Richmond Journal of Law & Technology 2, [8].

[9] Tracey Baker, ‘Ignore and bait: Don’t Get Hooked by Phishing Scams’ (2005) 16 Plugged In 2, 54.

[10] For example, in December 2005, Microsoft filed 117 civil lawsuits in the United States District Court for the Western District of Washington targeting unnamed defendants who sent spam email and put up websites targeting Microsoft services such as MSN and Hotmail. See Grant Gross, ‘Microsoft files 117 phishing lawsuits’, Computerworld, 31 March 2005: <http://computerworld.com/securitytopics/security/story/0,10801,100777,00.html> at 23 April 2007.

[11] For example, Google, whose users were targeted in November 2005 with a copy of Google’s front page with a large message claiming ‘You have WON $400.00!!!’. Users were then presented with instructions to claim their prize money. These instructions required users to enter their credit card number and shipping address. See Joris Evers, ‘Google phishing scam promises a $400 windfall’ CNET News, 8 November 2005: <http://www.news.com.com/Google+phishing+scam+promises+a+400+windfall/2100-7349_3-5940682.html> at 20 April 2005.

[12] For example, the United States Federal Bureau of Investigation warned that many of the 4,000 websites advertising relief services for Hurricane Katrina victims in Louisiana could be fake. A similar situation occurred after the tsunami devastated the coast of Indonesia in December 2004. See Deborah Radcliff, ‘Fighting back against phishing’ Computerworld, 21 April 2005: <http://www.computerworld.com.au/pp.php?id=70761714&fp=16&fpid=0>.

[13] See Calman, above note 8, [8].

[14] Eric L. Carlson, ‘Phishing for Elderly Victims: As the Elderly Migrate to the Internet Fraudulent Schemes Targeting Them Follow’ (2006) 14 The Elder Law Journal 423, 435 citing ‘Internet Fraud Hits Seniors: As Senior Venture into the Web, the Financial Predators Lurk and Take Aim’: Hearing Before the U.S. Senate Spec. Comm. On Aging, 109th Cong. 78 (2004) at 78 (statement of David Jevans, Chairman, Anti-Phishing Working Group).

[15] Matthew Bierlein and Gregory Smith, ‘Internet: Privacy Year in Review: Growing Problems with Spyware and Phishing, Judicial and Legislative Developments in Internet Governance, and the Impacts on Privacy’ (2005) 1 I/S: A Journal of Law and Policy for the Information Society 279, 307.

[16] Defined as: ‘Crimeware code which is designed with the intent of collecting information on the end-user in order to steal those users' credentials. Unlike most generic keyloggers, phishing-based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions and online retailers and ecommerce merchants) in order to target specific information, the most common are; access to financial based websites, ecommerce sites, and web-based mail sites.’ See APWG, Phishing Attack Trends Reports February 2007, 5: <http://www.antiphishing.org/reports/apwg_report_february_2007.pdf> at 18 April 2007.

[17] Defined as: ‘Crimeware code which is designed with the intent of redirecting end-users network traffic to a location where it was not intended to go to. This includes crimeware that changes hosts files and other DNS specific information, crimeware browser-helper objects that redirect users to fraudulent sites, and crimeware that may install a network level driver or filter to redirect users to fraudulent locations. All of these must be installed with the intention of compromising information which could lead to identify theft or other credentials being taken with criminal intent.’ See APWG, above note 16, at 7.

[18] Carlson, above note 14, at 435.

[19] See APWG, above note 16 at 1.

[20] Lauren L Sullins, ‘Phishing for a solution: domestic and international approaches to decreasing online identity theft’ (2006) 20 Emory International Law Review 397 at 402.

[21] Jennifer Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’ (2005) 20 Berkeley Technology Law Journal 259 at 266-67.

[22] ‘Internet Fraud Hits Seniors: As Senior Venture into the Web, the Financial Predators Lurk and Take Aim’: Hearing Before the U.S. S. Spec. Comm. On Aging, 109th Cong. 78 (2004) at 78 (statement of David Jevans, Chairman, Anti-Phishing Working Group).

[23] See Australian Institute of Criminology, above note 4.

[24] See APWG, above note 16 at 1.

[25] Ibid.

[26] Ibid.

[27] Ibid at 5.

[28] Javelin Strategy and Research, 2005 Identity Fraud Survey Report.

[29] This is according to a survey conducted by the Ponemon Institute in 2004: <http://www.ponemon.org>. See Leydon J, ‘US phishing losses hit $500 million’ The Register: <http://www.theregister.co.uk/2004/09/29/phishing_survey/> at 18 April 2007.

[30] See Gartner, ‘Gartner Study Finds Significant Increase in E-mail Phishing Attacks’ (Press Release, 6 May 2004): <http://www.gartner.com/press_releases/asset_71087_11.html> at 20 April 2007.

[31] See Statement of United States Senator Patrick Leahy, ‘Introduction of “The Anti-Phishing Act of 2004”’, Senate Floor, Congressional Record, Friday 9 July 2004: <http://www.leahy.senate.gov/press/200407/070904c.html> at 21 April 2007.

[32] Jennifer Barrett, ‘Phishing for Dollars’, Newsweek, 28 January 2004: <http://www.msnbc.msn.com/id/4079364/> at 20 April 2007.

[33] RSA Security, ‘RSA Security Announces Key Findings from Annual Financial Institution Consumer Online Fraud Survey’ (Press Release, 14 March 2006): <http://www.cyota.com/press-releases.asp?id=78> at 22 April 2007.

[34] Declan McCullagh, ‘Season over for ‘phishing’?’, CNET News.com, 15 July 2004: <http://news.com.com/Season+over+for+phishing/2100-1028_3-5270077.html> at 21 April 2007.

[35] See above note 6.

[36] See Black, above note 3, at 134-135.

[37] A similar list is contained in Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, Discussion Paper Model Criminal Code Chapter 3: Identity Crime (April 2007), at 13-23. Neither list is exhaustive; rather, each provides an illustration of the kinds of offences with possible application.

[38] Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Discussion Paper Model Criminal Code Chapter 3: Credit Card Skimming Offences (March 2004), 3.

[39] Innis M, ‘Log-on rip-off’ Sydney Morning Herald 23 April 2003.

[40] Innis M, above note 38 at 23.

[41] Ibid.

[42] See s 480.2 of the Criminal Code Act 1995 (Cth).

[43] See s 480.1 of the Criminal Code Act 1995 (Cth).

[44] See s 480.1 of the Criminal Code Act 1995 (Cth).

[45] See above note 37, at 24.

[46] For a summary of spam legislation in Australia, the US and Europe, see Philip Argy, ‘Will the new code keep the lid on spam?’ (2005) 8(1) Internet Law Bulletin 1.

[47] See s 16 of the Spam Act 2003 (Cth).

[48] Ibid s 6(1)(n) & (o).

[49] Ibid s 7.

[50] See s 52 of the Trade Practices Act 1974 (Cth), s 12 of the Fair Trading Act 1992 (ACT), s 42 of the Consumer Affairs and Fair Trading Act 1990 (NT), s 42 of the Fair Trading Act 1987 (NSW), s 38 of the Fair Trading Act 1989 (Qld), s 56 of the Fair Trading Act 1987 (SA), s 14 of the Fair Trading Act 1990 (Tas), s 11 of the Fair Trading Act 1985 (Vic), and s 10 of the Fair Trading Act 1987 (WA).

[51] See above note 27.

[52] 18 U.S.C. 1028 (2000).

[53] 18 U.S.C. 1343 (2000 & Supp. II 2002).

[54] 18 U.S.C. 1029 (2002).

[55] 18 U.S.C. 1344 (2000).

[56] 15 U.S.C. 1643(a)(1) (2000).

[57] 15 U.S.C. 6821(b) (2000).

[58] Amending 18 U.S.C.

[59] Amending scattered sections of 15 U.S.C., 18 U.S.C., 28 U.S.C. and 27 U.S.C. For a summary of the CAN-SPAM Act, see note 46.

[60] Deborah Fallows (Pew Internet and American Life Research Fellow), ‘CAN-SPAM a year later’, April 2005: <http://www.pewinternet.org/pdfs/PIP_Spam_Ap05.pdf>.

[61] See Calman, above note 8, [2].

[62] VA. CODE ANN. § 18.2-152.5:1 (2005).

[63] S.B. 720, 2005 Leg., Reg. Sess. (N.M. 2005), N.M. STAT. ANN. § 30-16-24.1 (West 2005).

[64] Assemb. 8025, 2005 Assemb., Reg. Session (N.Y. 2005).

[65] Anti-Phishing Act, 79th Leg. R.S., ch. 544, § 1, 2005 Tex. Gen. Laws 1468. For a discussion of the Act, see Justin Vaughan, ‘Texas’s New E-Consumer Protection Acts: a (ph)arewell to phishing and spyware?’ (2006) 13 Texas Wesleyan Law Review 265.

[66] H.B. 1888, 2005–2006 Leg. Reg. Sess. (Wash. 2005), WASH. REV. CODE § 19.190.010 (2005). See also Eric Chabrow, ‘Washington State Enacts Anti-Spyware and Anti-Phishing Legislation’, Government Enterprise, May 19 2005: <http://www.governmententerprise.com/news/163105506> at 23 April 2007.

[67] CAL. BUS. & PROF. CODE § 22948–22948.3 (West Supp. 2006). See Calman, above note 8, [4].

[68] For an excellent discussion of how best to deter cybercrime, see Neal Kumar Katyal, ‘Criminal Law in Cyberspace’ (2001) 149 University of Pennsylvania Law Review 1003.

[69] These hurdles are expanded upon by Robert Stevenson, ‘Plugging the ‘Phishing’ Hole: Legislation Versus Technology’ (2005) Duke Law and Technology Review 6, [14]-[23].

[70] See above note 26.

[71] Thomas Fedorek, ‘Computers + Connectivity = New Opportunities for Criminals and Dilemmas for Investigators’ (2003) 76(2) New York State Bar Association Journal 10, at 16.

[72] See above note 71, at 17.

[73] Federal Trade Commission, A CAN-SPAM Informant Reward System: A Report to Congress (September 2004), 36, fn 38: <http://www.ftc.gov/reports/rewardsys/040916rewardsysrpt.pdf> at 22 April 2007.

[74] Andrew Colley, ‘AusCERT: AFP looks to French connection to arrest phishing scam’ ZDNet 7 April 2004: <http://www.zdnet.com.au/news/security/0,2000061744,39144081,00.htm> at 17 April 2007.

[75] See Australian Federal Police, ‘Man arrested over phishing scam’ (Press Release, 10 August 2004): <http://www.afp.gov.au/media_releases/national/2004/ahtcc/man_arrested_over_phishing_scam> at 20 April 2005.

[76] See above note 27.

[77] Sullins, above note 20, at 417-426.

[78] See Black, above note 3, at 136.

[79] See, for example, the Australian Bankers’ Association (prepared by the Australian Bankers’ Association and the Australian High Tech Crime Centre): <http://www.bankers.asn.au/Default.aspx?ArticleID=846> at 19 April 2007.

[80] See, for example, MasterCard: <http://www.mastercard.com/us/personal/en/securityandbasics/fraudprevention/emailfraud/index.html> at 19 April 2007.

[81] See, for example, eBay: <http://pages.ebay.com/help/confidence/isgw-account-theft-spoof.html> at 19 April 2007.

[82] See <http://www.antiphishing.org/consumer_recs.html> at 21 April 2007.

[83] See <http://www.fraudwatchinternational.com/phishing/> at 21 April 2007.

[84] Australian Government Net Alert Limited, ‘How to Avoid a Phishing scam’: <http://www.netalert.net.au/01604-How-to-avoid-a-Phishing-scam.asp> at 19 April 2007.

[85] Anti-Phishing Working Group, Whitepaper: Proposed Solutions to Address the Threat of Email Spoofing Scams (12 December 2003): <http://www.antiphishing.org/form_wp_scamsolution.htm> at 17 April 2007.

[86] In evaluating the pros and cons of using digital signatures, the APWG notes that this approach would make it impossible to forge the ‘From:’ address without detection. However, it would still be possible for a phisher to obtain a valid digital certificate for a domain that is deceptively similar to that of a target company (e.g. the phisher could use ‘ebay.custservices.com’, which is an entirely different domain from ‘ebay.com’). See above note 85.
