Will Antiphishing Legislation Be Effective?

Some Internet security experts don’t place much hope for pending antiphishing legislation to do much to prevent ID theft and related scams. They view the prospect of new laws as being too little, too late to stop an out-of-control problem.

Phishing scams trick e-mail recipients into clicking a link in the message to reach a vendor’s Web site, where they are asked to enter account information, order information and passwords. The messages look so official that the victim doesn’t notice the Web site is only a look-alike version. Using look-alike Web sites is called spoofing.

There is no question that phishing attacks are increasing dramatically. In fact, the attack rate is so high that federal legislators are now considering new laws to deal with the problem. E-mail security company MessageLabs reported earlier this year that phishing and spoofing activities increased from 279 to 215,643 since late last year.

Other watch groups report that more than 1.4 million computer users have suffered from identity theft fraud, costing banks and card issuers $1.2 billion in direct losses in the past year.

According to the Federal Trade Commission, 10 million Americans become victims of identity fraud each year.

Federal Efforts

Only two noteworthy pieces of antiphishing legislation have gained the attention of federal lawmakers. The first is a bill signed recently by President George W. Bush. The other is a bill introduced this past summer that might do little more than scare some would-be scammers.

The Identity Theft Penalty Enhancement Act, or ITPEA, increases criminal penalties for phishing and other forms of identity fraud. This measure, signed by the President in July, establishes punishment guidelines for anyone who possesses someone else’s personal information with intent to commit a crime.

Under these new federal guidelines, anyone using another person’s identification information fraudulently is guilty of a new crime: aggravated identity theft. Convictions for aggravated identity theft, in addition to other penalties, would result in a mandatory additional two-years in federal prison with no possibility of parole.

The Antiphishing Act of 2004 was introduced by Sen. Patrick Leahy (D-Vermont) on July 9. If passed, it will define phishing as a federal crime. The bill would ban the act of spoofing a Web site for the purpose of acquiring another person’s identity.

The bill addressed the core tactic of Internet scammers. It prohibits the creation of e-mail that represents itself as a legitimate message to trick the recipient into divulging personal information with the intent to steal that identity.

Laws Ill Conceived

Network security firm CEO Guy Morgan said he believes such laws won’t do much to curb phishing attacks. He sees phishing as an unsophisticated approach to ID theft. However, it is effective, he conceded.

“The law doesn’t focus on phishing. Instead, it focuses on ID theft. This is one of the related attacks that phishing produces,” said the CEO and founder of Farm9, a network security company providing regulatory-compliant solutions to the financial services industry.

James Gildea, director of marketing for e-mail management firm IntelliReach, does not put much faith in such legal proposals. He sees attempts to legislate curbs on phishing attacks as having much the same results as recently enacted antispam laws.

“To date, 32 states have enacted antispam laws. These laws haven’t done much to stop the flood of spam,” he said.

California Law Working

One of the most successful efforts on the state level to fight phishing might be occurring in California. That state recently adopted a breach notification law.

Under the terms of this state law, anybody doing business with California’s consumers must notify them when a vendor’s network security has been breached. Failure to comply subjects the offending company to severe penalties.

“This is causing a real fear for corporations,” Morgan said.

Mixed Reactions

Gildea does not view phishing scams as being a business problem. Rather, he sees ID theft issues as more of a concern for consumers.

“Phishing only impacts a business when its reputation is affected due to a hijacked Web site,” Gildea told the E-Commerce Times.

Farm9 CEO Morgan also does not expect too much success from antiphishing legislation.

“I have mixed feelings about antiphishing laws,” Morgan told the E-Commerce Times. “Antispam legislation has no teeth.” However, it might have helped to put some, but not nearly enough, spammers out of business. At best, proposed legislation might force similar results in stopping some ID scammers.

For example, Morgan’s spam filter used to run about 5,000 interceptions per day. Now he gets about 700. He said he is not doing anything different. So something is happening to reduce this flow.

New Laws Not the Answer

Gildea is not a fan of legislation to solve the wave after wave of phishing attacks. He favors applying technology to stop that tide.

He suggested that the biggest tool in fighting phishing scams is the control ISP’s already have.

“ISP’s have to develop black lists of phishing sites. ISP’s need to verify the server that sends mail to ensure that the e-mail is legitimate,” Gildea said.

Consumer awareness is also critical. Too many consumers, according to Gildea, aren’t savvy enough about Internet security.

“Just as they do with a door-to-door salesman, consumers have to know not to open the door or respond to uninvited sales pitches they receive in their in-boxes,” Gildea said.

Another tool in fighting phishing attacks is the paid solution. Third-party intervention has been very successful. The technology involved in screening e-mail is well known.

“I don’t know why more people aren’t making use of it,” he said.

Internal Security Needed

Network security expert Morgan said antiphishing laws may have little impact on stopping one of the major sources of information for ID thieves. The weak point in many financial institutions is the employees.

“The big fear in the industry now is the spyware/adware blended threat that includes phishing scams,” Morgan told the E-Commerce Times. “In the last few months we have seen blended attacks cause banks to be concerned about risk factors posed by their own employees. Traffic at financial institutions needs to be cleaned up.”

According to Morgan, corporate executives are beginning to see the scope of these threats. There is now a huge effort to rid enterprise networks of spyware and adware intrusion, he said. This takes a tremendous effort to keep up with it.

Net Advertisers Help

Rachel Lyubovitzky, Searchfeed.com’s market research analyst, told the E-Commerce Times that Internet advertisers can be influential in discouraging phishing and related identity scams.

She said data shows a trend in consumer Internet use might be contributing to some connected crime.

“In the online advertising industry, we have noticed a few specific areas, such as adult entertainment and gambling, where we have seen slightly higher levels of Internet crimes,” Lyubovitzky said. “To counteract phishing attempts in these areas, we have initiated an extra account verification process to protect our advertisers.”

Lyubovitzky said problems related to phishing attacks and the prominence of international e-commerce are causing new challenges for Internet advertisers under pending legislation.

“When fraud is committed outside of the United States, it is difficult to enforce antiphishing laws,” Lyubovitzky points out.

Consumers Are Key

From an industry point of view, Lyubovitzky sees the main burden of protection from phishing scams falling on the consumer. It is up to the consumer to have sufficient knowledge of phishing attacks to prevent them.

“We always advise customers to only respond to correspondence that they initiated and to be cautious of spyware. There is a growing amount of information from the government and other outlets on how to prevent cyber crime and cyber fraud,” Lyubovitzky said.

“Moreover, customers should work with a firm that takes preventative measures and has strict enforcement polices to protect online consumers from phishing attacks,” she said.

Worst Yet To Come

Despite new federal laws, Morgan only sees more bad things happening from continued phishing attacks. So far there is no technical solution to preventing or safeguarding from it, he said.

“You can’t spot a phishing attack until it has happened. When the horse is out of the barn, it is too late,” Morgan said. “Bad guys are still a half a step ahead, and it will take some time to stop them.”