[Congressional Record Volume 150, Number 94 (Friday, July 9, 2004)]
[Senate]
[Pages S7897-S7898]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
          STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

      By Mr. LEAHY:
  S. 2636. A bill to criminalize Internet scams involving fraudulently 
obtaining personal information, commonly known as phishing; to the 
Committee on the Judiciary.
  Mr. LEAHY. Mr. President, today I am introducing a bill, the Anti-
Phishing Act of 2004, that targets a large and growing class of crime 
that is spreading across the Internet.
  Phishing is a rapidly growing class of identity theft scams on the 
Internet that is causing both short-term losses and long-term economic 
damage.
  In the short-term, these scams defraud individuals and financial 
institutions. Some estimates place the cost of phishing at over two 
billion dollars just over the last 12 months.
  In the long run, phishing undermines the Internet itself. By making 
consumers uncertain about the integrity of the Internet's complex 
addressing system, phishing threatens to make us all less likely to use 
the Internet for secure transactions. If you can't trust where you are 
on the web, you are less likely to use it for commerce and 
communications.
  Phishing is spelled ``P-H-I-S-H-I-N-G.'' Those well-versed in popular 
culture may guess that it was named after the phenomenally popular 
Vermont band, Phish. But phishing over the Internet was in fact named 
from the sport of fishing, as an analogy for its technique of luring 
Internet prey with convincing email bait. The ``F'' is replaced by a 
``P-H'' in keeping with a computer hacker tradition.
  Phishing attacks usually start with emails that are, in Internet 
jargon, ``spoofed.'' That is, they are made to appear to be coming from 
some trusted financial institution or commercial entity. The spoofed 
email usually asks the victim to go to a website to confirm or renew 
private account information. These emails offer a link that appears to 
take the victim to the website of the trusted institution. In fact the 
link takes the victim to a sham website that is visually identical to 
that of the trusted institution, but is in fact run by the criminal. 
When the victim takes the bait and sends their account information, the 
criminal uses it--sometimes within minutes--to transfer the victim's 
funds or to make purchases. Phishers are the new con artists of 
cyberspace.
  To give an idea of how easy it is to be fooled, we have reproduced 
some recent phishing charts, with the help of the Anti-Phishing Working 
Group. These are just two examples of a problem that affects countless 
companies. The website on the right is an actual website of MBNA, a 
well-established financial institution and credit card issuer. On the 
left is a recently discovered phishing site that mimicked the MBNA 
site.
  As you can see, the two websites are practically identical. Both have 
the MBNA logo, and both have the same graphics, in the same layout. But 
if you end up going to the website on the left, when you enter your 
account information, you are giving it to an identity thief.
  As another example, the next two websites both appear to be from 
eBay. Again, the one on the right is from the genuine website. The one 
on the left is a fake website that is controlled by a phisher. As you 
can see, if you end up at the website on the left, it would be next to 
impossible to know that you are not at the real eBay website. Informed 
Internet users can avoid this problem if they simply use their web 
browser to go to the website, instead of using a link sent to them in 
an email, but far too many people do not do this.
  This is a growing problem. Phishing is on the rise. In recent months 
there has been an explosion of these types of attacks. As you can see 
from the next chart, these attacks are growing at an alarming rate. 
Roughly one million Americans already have been victims of phishing 
attacks.
  And phishing attacks are increasingly sophisticated. Early phishing 
attacks were by novices, but there is evidence now that some attacks 
are backed by organized crime. And some attacks these days include 
spyware, which is software that is secretly installed on the victim's 
computer, which waits to capture account information when the victim 
even goes to legitimate websites.
  Phishers also have become more sophisticated in how they cast their 
huge volumes of email bait on the Internet waters. Security experts 
recently discovered that vast networks of home computers are being 
hijacked by hackers using viruses, and then they are rented to 
phishers--all without the knowledge of the owners of these home 
computers.
  Some phishers can be prosecuted under wire fraud or identity theft 
statutes, but often these prosecutions take place only after someone 
has been defrauded. Moreover, the mere threat of phishing attacks 
undermines everyone's confidence in the Internet. When people cannot 
trust that websites are what they appear to be, they will not use the 
Internet for their secure transactions. So traditional wire fraud and 
identity theft statutes are not sufficient to respond to phishing.
  The Anti-Phishing Act of 2004 protects the integrity of the Internet 
in two ways. First, it criminalizes the bait. It makes it illegal to 
knowingly send out spoofed email that links to sham websites, with the 
intention of committing a crime. Second, it criminalizes the sham 
websites that are the true scene of the crime.
  It makes it illegal to knowingly create or procure a website that 
purports to be a legitimate online business, with the intent of 
collecting information for some criminal purpose.
  There are important First Amendment concerns to be protected. The 
Anti-Phishing Act protects parodies and political speech from being 
prosecuted as phishing.
  We have worked closely with various public interest organizations to 
ensure that the Anti-Phishing Act does not impinge on the important 
democratic role that the Internet plays.
  To many Americans, phishing is a new word. It certainly is a new form 
of an old crime. It also is a serious crime, and we need to act 
aggressively to keep phishing from infecting the Internet and from 
eroding the public's trust in online commerce and communication. I look 
forward to working with others in the Senate in addressing this growing 
threat to the Internet, with effective and responsible action.
  Again, this is called the Anti-Phishing Act. It targets a large and 
growing class of crime that is spreading across the Internet.
  Phishing is a rapidly growing class of identity theft scams. It 
causes both short-term losses and long-term economic problems. In the 
short-term, these scams defraud individuals and financial institutions.
  To give some idea that this is not a minor matter, some estimates 
place the cost of phishing at over $2 billion over the last 12 months. 
You can imagine the outcry in this country if they said we had $2 
billion worth of bank robberies in that same period of time. But it is 
not only the economic loss that undermines the Internet itself; it 
makes consumers uncertain about the integrity of the Internet's complex 
addressing system. It makes us all less apt to use it for commerce and 
communication, because if you cannot trust where you are on the Web, 
you are not going to use it for commerce or communication.
  Incidentally, phishing is spelled P-H-I-S-H-I-N-G. Those who are well 
versed in popular culture might think it was named after the 
phenomenally popular Vermont band called Phish. But phishing over the 
Internet was named for the sport of fishing, as an analogy for its 
technique of luring Internet prey with a convincing e-mail bait. The 
``F'' was replaced by ``PH'' in keeping with computer hacker tradition.
  Phishing usually starts with e-mails that are, in Internet jargon, 
``spoofed.'' They appear to come from some trusted commercial entity or 
financial institution. The spoofed e-mail asks the victim to go to a 
Web site and confirm their identity, in effect, their Social Security 
number, credit card numbers, and so on. What it does is, the victim 
thinks they are going to a trusted institution, perhaps one they have 
dealt with for years. Instead, it takes them to a sham Web site that is 
visually identical to that of the trusted institution, but it is run by 
a criminal. When the victim takes the bait, when they send their 
account information, of course, the criminal uses it. Sometimes they 
use it within minutes. They can transfer the victim's funds or make 
purchases. These phishers are new con artists of cyberspace.
  I will give you an idea of how easy it is to do it. Here on this 
chart we have the genuine Web site. We actually had to mark them as 
``genuine Web site'' and ``fake Web site'' because they look so 
identical. I am a heavy user of the Internet, and I could not tell them 
apart. On the other side, of course, is the fake Web site. They both 
have the MBNA logo. That is a trusted financial institution. They have 
the same graphic layout.
  Suppose you were a customer of MBNA and they asked you to put your 
user name in, your password, and so on, and you go on there and they 
would continue to ask information. You would have given up your account 
number, whatever ID number you use, and it could be 20 minutes later, 
when you go on the right site and you want to withdraw some money or 
make a cash transfer, you may find it is all gone in that short time.
  In fact, we also have a chart for eBay. I wasn't going to show it, 
but it is worthwhile, I think. We will show the two from eBay. Again, I 
have had them marked ``genuine Web site'' and ``fake Web site.'' Here 
is the genuine one. For those who use PayPal, it is increasingly used 
if you are using eBay. Anybody who has done that is well aware of 
PayPal. It is something you could be safe with, you know where your 
money is going, you know who is handling it, and you know you are going 
to get paid for something you might have sold.
  Look what we have here. When you look at it, it is hard to tell the 
difference. Of course, the internal address is different. What do you 
do? You send money, you pay money, you are supposed to receive money. 
You are not going to do it. Somebody else is going to do it and they 
are going to walk off not only with your money but with your trust of 
the Internet.
  That is why it is important that we do this, that we have some way of 
criminalizing this. We have in every one of our States businesses that 
thrive and survive because they can use the Internet. This is trying to 
stop them. Again, we must address this growing threat to Internet 
users.

                          ____________________