WASHINGTON -- A form of Internet fraud known as "phishing" is becoming widespread enough to draw the attention of lawmakers and regulatory agencies.
This particular cybercrime involves hijacking the appearance of Web pages owned by well-known banks, online retailers, and credit card companies to fool customers. Phishers coax victims into divulging personal financial data such as credit card numbers, account usernames, and passwords or social security numbers.
The Anti-Phishing Working Group got more than 1000 complaints during April, an increase of 180 percent over March. Reports of phishing have been growing at a rate of 75 percent each month since December 2003, the group says.
"You are starting to see a rise in the attention this issue is getting in Congress," said Jesse Wadhams, technology policy counsel for the Senate Republican High Tech Task Force. "We are getting calls, and folks are starting to send e-mail to their congressmen." He was among those expressing concern at an Internet security conference sponsored by Americans for a Secure Internet at the U.S. Capitol Wednesday.
Agencies, Lawmakers Act
Analysts at the Gartner Group report 57 million adults know or suspect that they have been "phished." What's more, 11 million, or 19 percent of those attacked, actually took the bait.
Lawmakers have taken notice.
Last week, President Bush signed the Identity Theft Penalty Enhancement Act, which amends the criminal code to prescribe jail time for anyone who possesses another's identification-related information with intent to commit a crime.
The new legislation is a valuable deterrent, says Dan Caprio, deputy secretary for the technology administration at the Department of Commerce.
"Anybody who wants to go out and commit these crimes on the Internet will know that if they get caught, they are going to jail," Caprio said, also at the security conference.
While passing new laws and enforcing existing ones are crucial, legislation is just one of several aspects of a complete solution, Caprio added.
Sana Coleman, with the Bureau of Consumer Protection of the Federal Trade Commission, stressed the importance of educating the public on identity theft. "People need to know how to recognize attempts to steal their identity, and what to do about it," she said.
The FTC has brought civil suits against phishers in Texas, California, and New York, and has won settlements totaling $125,000 from two of the defendants, Coleman said. One case was referred to the Department of Justice for criminal prosecution.
The FTC and other agencies also try to fight cybercrime with education. Coleman advises that Internet users not open attachments from e-mail addresses they don't recognize, and that they report suspicious e-mail to their Internet service provider.
Technology is also providing weapons against identity thieves. Attendees at the Internet security conference described authentication software that can follow the trail of a fraudulent e-mail, tracking it back to reveal its sender. The ISP can then close the sender's account.
Some tech companies, including VeriSign and TRUSTe, continue to work on more reliable certificates to accompany e-mail messages and verify the identity of the sender. Advocates liken the approach to the guarantee provided by an embossed company logo on a letterhead.
But identity thieves have proven a clever lot, and can be counted on to try to forge even certificates if money can be made. The thieves and their whereabouts, both in cyberspace and in the physical world, are a constantly moving target.
For that reason, Wadhams says, the government should assume a supporting role in the tech industry's development of authentication and certification standards.
"Congress' best role here is to codify existing laws, not try to legislate a technological solution," Wadhams said. "Because by the time it was developed it would already be 12 steps behind."