If the confidence trick is the oldest scam in the book, then phishing is merely its latest incarnation. But thanks to the efficiency and anonymity of public networks, this relatively simple ploy has been elevated to a crime of mass proportions. Phishers typically hook their marks by sending emails that appear to come from a trusted third party (such as a bank or email provider). Once their marks click on an embedded link in the email, they are sent to a site that mimics the trusted site's appearance and asks them to reveal personal information, such as a password or Social Security number.
According to Dave Jevans of the Anti-Phishing Working Group, between 75 million and 150 million phishing emails are sent every day. Five percent of recipients (compared to one percent of spam recipients) respond to phishing emails. The total direct cost to businesses adds up quickly -- to the tune of around $500 million in losses every year, according to Jevans' best estimate. While harder to measure, indirect costs -- a besmirched brand image, loss of trust, and increased customer service expenses -- are no less significant.
With the increased prominence given to crimes like identity theft, prosecution has emerged as a viable tool to combat phishing. Indeed, experts agree that it would be relatively easy to charge phishers with a number of prosecutable crimes, assuming -- and it's a big assumption -- that victims can identify the phishers. In order to identify phishers, companies are increasingly turning to civil lawsuits, which give them the opportunity to recapture lost money and, more importantly, issue subpoenas that might force ISPs to reveal the identity of the phishers.
On March 31 of this year, Microsoft fired the latest salvo in the ongoing war against phishers. In Seattle's federal district court, Microsoft filed 117 "John Doe" lawsuits against phishers who had set up fake versions of Microsoft properties, including MSN and Hotmail. The suits were filed under the Lanham Act, a federal trademark protection act that carries a maximum penalty of $1 million per violation.
The lawsuits allow Microsoft to collect monetary compensation, but they also permit the company to seek subpoenas that order ISPs to reveal the identity of the phishers. Similar to the strategy employed by the recording and motion picture industries in their wars against anonymous file sharers, these subpoenas potentially allow Microsoft to track down the identity of the scammers.
"Prosecution is not the issue. Phishers can be prosecuted easily under computer fraud, wire fraud, mail fraud, access device fraud, and identity theft," explains Jevans. "But the reality is that before the legal stuff can do anything about phishing, you need to know who's doing it. The lawsuits are merely a tool to pressure the ISPs into turning over information on the phishers."
Pursuing legal action
While Microsoft may be ahead of the curve in terms of legal action, other companies are sure to follow. The most important element in a lawsuit seeking to uncover the identity of phishers is the amount and quality of evidence. For companies contemplating a lawsuit, it's important to gather as much information as possible, and to turn over any evidence of a criminal act to the FBI or Secret Service in as timely a manner as possible. Here are a number of steps companies can take to prepare for potential legal action:
Adopt appropriate technologies: To gather information about the origin of phishing email, companies should consider adopting emerging standards such as Sender ID, which let a receiving mail server check in DNS whether the host that sent a message is one the purported sender's domain has authorized. A message claiming to come from a bank but sent from an unauthorized server can then be flagged and traced to its real source. Note that this only detects forgery of the bank's own domain; a phisher sending from a look-alike domain he controls will pass the check.
Archive email logs: Once an incident of phishing has been reported, it's important to be able to build a paper trail back to the offending mail server. Retain the reported message with its full headers (the Received chain and the originating IP address) together with the mail gateway's own logs; this record is what a subpoena to the ISP will rest on.
Consider automated log file analysis: Technology vendors offer tools that scan log files and alert companies to likely phishing activity. Timely alerts help catch a phisher in the act, while the site is still up and the trail is still fresh.
Take screen captures: If a phishing site is mimicking a legitimate business site, a screen capture can serve as evidence. Capture the page with its URL and the date visible, and save the page source as well, since phishing sites are typically taken down or moved within days.
Perform regular domain name audits: Nip phishing in the bud by looking for registered domain names that resemble your own (misspellings, character substitutions, added or removed hyphens, alternate top-level domains). Third-party companies offer audit services that scan for such look-alike domains. Jevans estimates that this step alone could reduce phishing by 40 to 50 percent, and it will surely pay dividends in the event of a lawsuit.
Alert the authorities: In addition to civil action, companies should report any suspected criminal act to the FBI or other law enforcement authorities immediately.
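One way to put the domain-audit and log-analysis steps above into practice, as an added example that is not part of the original article or of any vendor's product: a small Python script that generates look-alike domains for a brand, scans mail-gateway log lines for links pointing at them, and groups the hits by the relay IP that delivered the message, which is the lead an abuse report or subpoena would follow. The brand label "example-bank", the log line format with its relay= and url= fields, the sample lines themselves and the homoglyph table are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Single-character substitutions a phisher might use so a domain reads like
# the brand at a glance (assumed, illustrative table; extend for your brand).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def lookalike_domains(brand, tlds=("com", "net", "org")):
    """Return candidate look-alike domains for a brand label such as
    'example-bank': one-character omissions, adjacent transpositions,
    homoglyph substitutions and hyphen removal, across the given TLDs."""
    variants = set()
    for i, ch in enumerate(brand):
        variants.add(brand[:i] + brand[i + 1:])                          # omission
        if i + 1 < len(brand):
            variants.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])  # transposition
        if ch in HOMOGLYPHS:
            variants.add(brand[:i] + HOMOGLYPHS[ch] + brand[i + 1:])     # homoglyph
    variants.add(brand.replace("-", ""))                                 # hyphen dropped
    variants.discard(brand)  # the genuine label is not a look-alike
    # Drop strings that are not valid DNS labels.
    variants = {v for v in variants
                if v and not v.startswith("-") and not v.endswith("-") and "--" not in v}
    return {f"{v}.{tld}" for v in variants for tld in tlds}


def hostname_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


# Assumed gateway log format: '... relay=<ip> ... url=<link> ...'
LOG_RE = re.compile(r"relay=(?P<relay>\S+).*?url=(?P<url>\S+)")


def scan_log(lines, brand, tlds=("com", "net", "org")):
    """Scan gateway log lines for links to look-alike domains of brand.
    Returns one alert per offending line: the relay IP that delivered the
    message, the look-alike host, and the raw line kept as evidence.
    Links to the genuine domain (or its subdomains) are never flagged."""
    genuine = {f"{brand}.{tld}" for tld in tlds}
    suspects = lookalike_domains(brand, tlds)
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or unrelated line; nothing to parse
        host = hostname_of(m.group("url"))
        if host is None or matches(host, genuine):
            continue
        if matches(host, suspects):
            alerts.append({"relay": m.group("relay"), "host": host, "line": line})
    return alerts


def evidence_by_relay(alerts):
    """Group flagged hosts by the relay that sent them: the starting point
    for an abuse report or subpoena to that relay's operator."""
    by_relay = {}
    for a in alerts:
        by_relay.setdefault(a["relay"], set()).add(a["host"])
    return {relay: sorted(hosts) for relay, hosts in by_relay.items()}


# Constructed sample log lines (not real traffic); the format is assumed.
SAMPLE_LOG = [
    "Mar 31 10:02:11 gw relay=203.0.113.7 from=<alerts@example-bank.com> url=https://www.example-bank.com/login",
    "Mar 31 10:05:43 gw relay=198.51.100.23 from=<security@example-bank.com> url=http://examp1e-bank.com/verify",
    "Mar 31 10:07:09 gw relay=198.51.100.23 from=<security@example-bank.com> url=http://www.examplebank.net/account",
    "Mar 31 10:09:50 gw relay=192.0.2.44 from=<news@unrelated.example> url=http://unrelated.example/promo",
    "Mar 31 10:11:02 gw relay=192.0.2.45 bounce notice without a link",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, "example-bank")
    for relay, hosts in evidence_by_relay(found).items():
        print(relay, "->", ", ".join(hosts))
```

Running the script on the constructed sample flags the two messages that link to examp1e-bank.com and www.examplebank.net and attributes both to relay 198.51.100.23, while the genuine www.example-bank.com link, the unrelated domain and the line without a URL are left alone. In practice the look-alike set would be checked against a registrar or passive-DNS feed for the audit step, and the scan would run over the archived gateway logs rather than an in-memory list.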
While civil action may emerge as a viable tool for combating phishing, Jevans says that the ultimate goal should remain criminal prosecution. In order to prosecute phishers, Jevans offers the following advice: "Most companies, especially those in financial services, are not well set up to go after phishers. Customer support is not tied into the fraud investigators, and the fraud folks are not tied into the IT department. If companies are serious about going after phishers, they need to set themselves up internally to handle cyber enforcement."