[Congressional Record Volume 151, Number 20 (Monday, February 28, 2005)]
[Senate]
[Pages S1804-S1805]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY:
  S. 472. A bill to criminalize Internet scams involving fraudulently 
obtaining personal information, commonly known as phishing; to the 
Committee on the Judiciary.
  Mr. LEAHY. Mr. President, today I am introducing a bill, the Anti-
Phishing Act of 2005, which targets a serious threat to the security of 
the Internet.
  Phishing is a rapidly growing class of identity theft scams on the 
Internet that is causing both short-term losses and long-term economic 
damage. In the short-term, these scams defraud individuals and 
financial institutions. Estimated losses from phishing attacks are now 
in the billions of dollars, and those losses are growing. The short-
term losses, however, are just a chapter in a larger story. In the 
long-term, phishing undermines the public's trust in the Internet. By 
making consumers uncertain about the integrity of the Internet's 
complex addressing system, phishing threatens to make us all less 
likely to use the Internet for secure transactions. If you can't trust 
where you are on the web, you are less likely to use it for commerce 
and communications.
  Those well versed in popular culture may guess that phishing was 
named after the phenomenally popular Vermont band, Phish. But phishing 
over the Internet was in fact named from the sport of fishing, as an 
analogy for its technique of luring Internet prey with convincing email 
bait. The ``F'' is replaced by a ``P-H'' in keeping with a computer 
hacker tradition.
  Phishing attacks usually start with emails that are, in Internet 
jargon, ``spoofed.'' That is, they are made to appear to be coming from 
some trusted financial institution or commercial entity. The spoofed 
email usually asks the victim to go to a website to confirm or renew 
private account information. These emails offer a link that appears to 
take the victim to the website of the trusted institution. In fact the 
link takes the victim to a phony website that is visually identical to 
that of the trusted institution, but is in fact run by the criminal. 
When the victim takes the bait and sends their account information, the 
criminal uses it--sometimes within minutes--to transfer the victim's 
funds or to make purchases. Phishers are the new con artists of 
cyberspace.
  Phishing is on the rise. The Anti-Phishing Working Group reports that 
the number of new phishing messages climbed at a monthly rate of 38 
percent in the last six months of 2004. The number of new phishing 
websites has climbed 24 percent per month since last August. And 
phishing attacks are increasingly sophisticated. Early phishing attacks 
were by novices, but there is now evidence that some attacks are backed 
by organized crime. Some of the attacks these days also include 
spyware, a type of software that is secretly installed on the victim's 
computer to surreptitiously capture account information when the victim 
visits legitimate websites.
  In addition, the Internet faces the threat of ``pharming.'' This 
insidious crime does not rely on email bait. Rather, it attacks web 
browsers and the Internet's addressing system. The effect is that even 
individuals who type a desired Internet destination into their web 
browser may be redirected to a phony web site, with the same disastrous 
result as clicking on the phony link in a phishing attack.
  Some phishers and pharmers can be prosecuted under wire fraud or 
identity theft statutes, but often these prosecutions take place only 
after someone has been defrauded. For most of these criminals, that 
leaves plenty of time to cover their tracks. It has been reported that 
the average phishing website is active on the Internet for less than 
six days. Moreover, the mere threat of these attacks undermines 
everyone's confidence in the Internet. When people cannot trust that 
websites are what they appear to be, they will not use the Internet for 
their secure transactions. Traditional wire fraud and identity theft 
statutes are not sufficient to respond to phishing and pharming.
  The Anti-Phishing Act of 2005 protects the integrity of the Internet 
in two ways. First, it criminalizes the bait. It makes it illegal to 
knowingly send out spoofed email that links to sham websites with the 
intention of committing a crime. Second, it criminalizes the sham 
websites that are the true scene of both types of crime.
  There are, of course, important First Amendment concerns to be 
protected. The Anti-Phishing Act protects parodies and political speech 
from being prosecuted as Phishing. We have worked closely with various 
public interest organizations to ensure that the Anti-Phishing Act does 
not impinge on the important democratic role that the Internet plays.
  To many Americans, phishing and pharming are new words. They are 
certainly a new form of an old crime. They are also very serious, and 
we need to act aggressively to keep them from eroding the public's 
trust in online commerce and communication. I look forward to working 
with others in the Senate in addressing this growing threat to the 
Internet with effective and responsible action.

[[Page S1805]]

                                 ______