States Tell Phishers To Cut Bait Or Else

In a move to deter phishing crimes and make them easier to prosecute, Virginia lawmakers have taken the uncommon step of categorizing the practice as a felony and in July will begin handing out punishments of up to five years in prison and $2,500 in fines. The state is also cracking down on people who sell or distribute phished information, marking those people as felons even if they didn't actually steal the information they're passing.

Virginia in January added the phishing statute to its Computer Crimes Act, defining the practice as fraudulently obtaining, recording, or accessing from a computer any number of sensitive data points, including a person's Social Security, driver's license, and bank account numbers.

Virginia isn't the only state cracking down on cybercrime through legislation. New Mexico earlier this month enacted a law that in July will make phishing a felony. That state defines phishing as the use of computers and electronic equipment to defraud or otherwise steal an individual's personal or financial identifying information and then use that information to strip the victim's assets or destroy his or her credit rating.

January was the first time Virginia lawmakers had addressed phishing, "which is a form of identity theft or out-and-out fraud, a con game over the computer," says Stewart Petoe, director of legal affairs for the Virginia State Crime Commission. The commission is a legislative entity authorized by the state to research and make recommendations on all aspects of criminal-justice and public-safety issues.

The appearance of such laws isn't surprising, considering the rise in phishing scams. There were 2,625 active phishing sites in February, growing at an average monthly rate of 26% since July, according to a recent report from the Anti-Phishing Working Group, a coalition of financial institutions, online retailers, Internet service providers, and law enforcement formed to prevent identity theft and fraud caused by phishing, pharming, and E-mail spoofing. In February, there were 13,141 new, unique phishing E-mail messages reported to the organization, an increase of 2% over the number of unique reports for January, despite February being a shorter month. The most targeted industry sector for phishing attacks continues to be financial services, and most phishing sites were hosted in the United States, followed by China.

In some respects, Virginia's Computer Crimes Act's crackdown on phishing is harsher than on conventional identity theft, which requires the state to prove that a person was going to do something unlawful with the information. "This can be very, very difficult in the world of cybercrime, so mens rea, or the offender's mental state, isn't required," Petoe says. The Virginia State Crime Commission and the Legislature thought the law's rigidity appropriate, given that one person using a PC can send out millions of fraudulent E-mails in a short period of time, making it a more efficient weapon than even the telephone.

The commission agreed that phishing is dangerous enough that it should be considered a felony, although most other cybercrimes are classified as misdemeanors, Petoe says. Although the commission sometimes debates the definitions of what constitutes different cybercrimes, "there was perfect agreement on phishing," he says.

The commission hopes that, as with any criminal law, the new phishing component of the Computer Crimes Act will serve as a deterrent. For those who don't heed the warning, the statute will make it easier for the state to prosecute phishers.

Next on the commission's agenda is helping the Legislature draft and pass a statute for 2006 outlawing the use of spyware, adware, and bots, which are programs that perform a repetitive function such as posting a message to multiple newsgroups or searching for information or news. This issue is grayer than phishing, because it's more difficult to determine the intent of using such software. The commission, which works closely with companies in the tech industry, Petoe says, doesn't want to pass any legislation that would criminalize any legitimate business practice.