U.S. SENATOR PATRICK LEAHY
CONTACT: Office of Senator Leahy, 202-224-4242
VERMONT
New Leahy Bill Targets Internet
“PHISHING” And “PHARMING”
That Steal Billions Of Dollars Annually From Consumers
[Below are (1) the
Senate Floor speech of Sen. Patrick Leahy introducing his bill to
explicitly target Internet “phishing” and “pharming” with new federal
criminal penalties, and (2) a fact sheet on the bill. Leahy (D-Vt.), the
ranking Democratic member of the Senate Judiciary Committee, is sometimes
referred to as the “cyber senator” for his enthusiasm for and leadership on
Internet issues. He is co-founder and co-chairman of the Senate Internet
Caucus. Internet phishing has grown to become a serious fraud on consumers
and on online commerce costing billions of dollars a year.]
___________________________
Statement Of Senator Patrick Leahy
Introduction Of The “Anti-Phishing Act Of 2005”
Monday, February 28, 2005
Today I am introducing a
bill, the Anti-Phishing Act of 2005, which targets a serious threat to the
security of the Internet.
Phishing is a rapidly
growing class of identity theft scams on the Internet that is causing both
short-term losses and long-term economic damage. In the short term, these
scams defraud individuals and financial institutions. Estimated losses
from phishing attacks are now in the billions of dollars, and those losses
are growing. The short-term losses, however, are just a chapter in a
larger story. In the long term, phishing undermines the public’s trust in
the Internet. By making consumers uncertain about the integrity of the
Internet’s complex addressing system, phishing threatens to make us all
less likely to use the Internet for secure transactions. If you can’t
trust where you are on the web, you are less likely to use it for commerce
and communications.
Those well versed in
popular culture may guess that phishing was named after the phenomenally
popular Vermont band, Phish. But phishing over the Internet was in fact
named from the sport of fishing, as an analogy for its technique of luring
Internet prey with convincing email bait. The “F” is replaced by a “P-H”
in keeping with a computer hacker tradition.
Phishing attacks usually
start with emails that are, in Internet jargon, “spoofed.” That is, they
are made to appear to be coming from some trusted financial institution or
commercial entity. The spoofed email usually asks the victim to go to a
website to confirm or renew private account information. These emails
offer a link that appears to take the victim to the website of the trusted
institution. In fact the link takes the victim to a phony website that is
visually identical to that of the trusted institution, but is in fact run
by the criminal. When the victim takes the bait and sends their account
information, the criminal uses it – sometimes within minutes – to transfer
the victim’s funds or to make purchases. Phishers are the new con artists
of cyberspace.
Phishing is on the
rise. The Anti-Phishing Working Group reports that the number of new
phishing messages climbed at a monthly rate of 38 percent in the last six
months of 2004. The number of new phishing websites has climbed 24 percent
per month since last August. And phishing attacks are increasingly
sophisticated. Early phishing attacks were by novices, but there is now
evidence that some attacks are backed by organized crime. Some of the
attacks these days also include spyware, a type of software that is
secretly installed on the victim’s computer to surreptitiously capture
account information when the victim visits legitimate websites.
In addition, the
Internet faces the threat of “pharming.” This insidious crime does not
rely on email bait. Rather, it attacks web browsers and the Internet’s
addressing system. The effect is that even individuals who type a desired
Internet destination into their web browser may be redirected to a phony
web site, with the same disastrous result as clicking on the phony link in
a phishing attack.
Some phishers and
pharmers can be prosecuted under wire fraud or identity theft statutes, but
often these prosecutions take place only after someone has been defrauded.
For most of these criminals, that leaves plenty of time to cover their
tracks. It has been reported that the average phishing website is active
on the Internet for less than six days. Moreover, the mere threat of these
attacks undermines everyone’s confidence in the Internet. When people
cannot trust that websites are what they appear to be, they will not use
the Internet for their secure transactions. Traditional wire fraud and
identity theft statutes are not sufficient to respond to phishing and
pharming.
The Anti-Phishing Act of
2005 protects the integrity of the Internet in two ways. First, it
criminalizes the bait. It makes it illegal to knowingly send out spoofed
email that links to sham websites with the intention of committing a
crime. Second, it criminalizes the sham websites that are the true scene
of both types of crime.
There are, of course,
important First Amendment concerns to be protected. The Anti-Phishing Act
protects parodies and political speech from being prosecuted as phishing.
We have worked closely with various public interest organizations to ensure
that the Anti-Phishing Act does not impinge on the important democratic
role that the Internet plays.
To many Americans,
phishing and pharming are new words. They are certainly a new form of an
old crime. They are also very serious, and we need to act aggressively to
keep them from eroding the public’s trust in online commerce and
communication. I look forward to working with others in the Senate in
addressing this growing threat to the Internet with effective and
responsible action.
# # # # #
(See following fact sheet for more information)
The Anti-Phishing Act Of 2005
Fact Sheet
The Anti-Phishing Act
of 2005, introduced in the U.S. Senate on February 28 by Sen. Patrick
Leahy (D-Vt.), is intended to combat a rapidly growing Internet scam
called “phishing.” Phishers are con-artists in cyberspace. Phishing
refers to a popular Internet scam in which the victim receives an email
that appears to come from a trusted source such as a financial
institution, and that asks for certain personal information. The email
typically includes a hyperlink that appears to take the victim to the
website of that financial institution, but which is actually a sham site.
Any personal information
entered is stolen and used – sometimes within minutes – for unlawful
purposes such as transferring funds or purchasing goods. Phishing is
growing exponentially. In the last few years alone, the estimated losses
have exceeded billions of dollars, and the losses continue to mount. In
addition, the Leahy bill responds to the threat of pharming. This
insidious crime attacks web browsers and the Internet’s addressing system.
The effect is that even individuals who type a desired Internet destination
into their web browser may be redirected to a phony web site, with the same
disastrous result as clicking on the phony link in a phishing attack.
Moreover, current law does not adequately respond to these problems.
Neither phishing nor pharming always fit neatly into traditional wire fraud
and identity theft statutes. Neither wire fraud nor identity theft
statutes protect against one of the greatest harms caused by phishing and
pharming: a diminished trust in the Internet’s system of addressing and
linking. Trust in this system is crucial to the Internet fulfilling its
potential as a medium for all manner of secure communications.
The Anti-Phishing Act of
2005 would enter two new crimes into the U.S. Code. The first prohibits
the creation or procurement of a website that represents itself to be that
of a legitimate business, and that attempts to induce the victim to divulge
personal information, with the intent to commit a crime of fraud or
identity theft. The second prohibits the creation or procurement of an
email that represents itself to be that of a legitimate business, and that
attempts to induce the victim to divulge personal information, with the
intent to commit a crime of fraud or identity theft.
In order to protect
important First Amendment concerns, the Leahy bill carefully protects
speech -- even speech that may be deceptive, such as the innocent parodying
of commercial websites for political commentary. The bill protects such
important speech by including the requirement that the actor must have the
specific criminal purpose of committing a crime of fraud or identity theft.
# # # # #