Your inbox has an email from your bank. You open it to find an urgent request to verify your account by re-submitting some account information. Don’t do it! It’s almost certainly a phishing scam.
These online scams can be sophisticated fakes with logos and an email format exactly like the real thing. The message can claim to be from the IRS, Microsoft or your credit card company.
Phishing – as in fishing for confidential information – happens when someone fraudulently attempts to obtain and use your personal or financial information.
How Phishing Scams Work
Phishing scams often play out like this:
- A consumer receives an email which appears to originate from a financial institution, government agency, or other well-known, reputable entity.
- The message describes a compelling reason you must "verify" or "re-submit" personal or confidential information by clicking on a link embedded in the message.
- The provided link appears to go to the website of the financial institution, government agency or reputable entity; but in phishing scams, the website belongs to the scammer.
- Once inside the fraudulent website, the consumer may be asked to provide their date of birth, Social Security numbers, account numbers, passwords or other personal identifying information, such as their mother’s maiden name.
- When the consumer provides the information, the scammer can begin to access consumer accounts or assume the person's identity (see also Identity Theft).
Phishing, like its cousin spoofing, often involves requests for credit card numbers, Social Security numbers, bank account numbers, birth dates, or various passwords. But legitimate businesses and government agencies almost never ask for personal or confidential information in this manner.
Anti-Phishing State Laws
In 2005, California became the first state to enact legislation designed specifically to deter phishing. Under the state's Anti-Phishing Act of 2005, it is unlawful:
"for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business."
Other, broader California computer crime laws are also on the books.
Texas also has broad computer crime laws, including making it a crime to:
"Reference the name, domain address, phone number or any other identifying information of a person without that person's consent, intending to cause the recipient to think the message is truly coming from that person, with the intent to harm or defraud someone."
A handful of other states have enacted anti-phishing laws. For more information, FindLaw's state computer crime laws section is a good resource.
No Specific Anti-Phishing Federal Statute
On the federal level, Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act in 2003 in order to combat “spam” email. But it doesn't specifically mention phishing. That's not to say lawmakers haven't tried to pass federal anti-phishing legislation. But when the Anti-Phishing Act of 2004 and the Anti-Phishing Act of 2005 were introduced in Congress, they both died in committee. Those tougher bills proposed a five-year prison sentence for those convicted of phishing.
Fear not, though, as federal authorities can still prosecute many forms of online fraud via other statutes. While there is no specific mention of "anti-phishing," the strongest laws on the books are 18 U.S.C. section 1028 and related fraud or identity theft laws which could potentially be applied to phishing offenders.
For more information on other computer-based crimes, visit our Online Scams section.