|Summary: Tricking people into revealing private information|
|Outcome: Fraud, theft, identity theft, distrust|
|Addressed by ICANN Policy: Y|
|Addressed by Legislation: Y|
|Related to: Pharming, Malware, Spam|
Phishing, according to the Anti-Phishing Working Group (APWG), is using “social engineering and technical subterfuge” with the goal of luring people into revealing their private financial or personal information. Phishing attacks that involve social engineering ask for personal information in the guise of a message or pop up, frequently on behalf of a well-known company, while technical subterfuge may use viruses or other malware to obtain information. Types of phishing include brand spoofing, creating fake websites that mimic popular brands or companies, and carding.
With the vast amount of information available about phishing and the threat of identity theft, many people tend to be at least to some degree aware of the dangers associated with phishing. The public perception is mainly anti-phishing and associates phishing with criminal behaviors like fraud and identity theft.
The outcome of phishing is fraud, theft, identity theft, and a general skepticism directed toward emails and website security.
- Phishing originated in the mid-1990s, and began with hackers luring unsuspecting AOL users into emailing them passwords, credit card numbers, and other personal information. Phishing since that time has increased in both volume and sophistication. In 2009, in an operation dubbed "Phish Phry," the FBI worked with Egyptian authorities, the Secret Service, and the Electronics Crimes Task Force of L.A. among others, in order to break up a nearly 100 person phishing scheme. Phishers in this group stole an estimated 1.5 million dollars and were charged by their respective governments.
- Phishing is generally used to trick people into sharing sensitive personal information. To accomplish this aim, phishers can use a variety of methods, not limited to but including:
- Official looking emails claiming to be from legitimate companies or banks that contain suspicious links or ask for information
- Fake company webpages that require log in or other information
- Malware that compromises network security
- According to a quarterly report by APWG, in June 2013 there were 38,110 unique phishing websites detected and 14, 698 phishing emails reported to APWG.
ICANN has no policy directed at phishing and does not gather complaints about phishing. However, the 2013 Registry Agreement (RA), which all new gTLD applicants were required to sign, states that registries must require their registrars to include policies that prohibit registrants from activities like phishing. Additionally, registries are required to "periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats" and to keep security files on threats and the remedial actions taken by the registries.
- Although anti-phishing acts have been previously proposed in the senate, the United States currently has no national law that specifically addresses phishing. This is not to say that phishing is not a crime as it coincides with multiple types of fraud and identity theft. In the FBI "Phish Phry" case, phishers were charged with "computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identify theft."
- Phishers can be tried using the U.S. Wire Fraud Statute, which prohibits any fraud or deception that uses "wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice." It has previously been used to address computer crimes, such as phishing, although it was not originally created for this purpose. Phishers often commit fraud in order to gain their victims personal information; for example, a phisher might send an email pretending to be a representative of the victim's bank asking for login information. This can qualify as wire fraud.
- Despite a lack of national legislation, 24 states have anti-phishing legislation on the books.
- Additionally, if phishers use deceptive emails and Spam to solicit personal information, they can be tried under the CAN-SPAM Act of 2003
Many other countries have initiatives and organizations dedicated to controlling phishing, such as China's Anti-Phishing Alliance of China (APAC). However, legislatively, phishing is often addressed as fraud.
Awardees engage in preventative measures to help identify and stop malicious practices, like phishing.
- Report phishing scams and messages to the FTC or file a complaint.
- Learn more and view quarterly phishing reports at APWG's website
- Also, find tips on how to avoid phishing scams
- Phishing Attack Trends Report - 2Q2013 (PDF), APWG Phishing Attack Trends Reports, Anti-Phishing Working Group, Inc.
- Phishing at ICANNWiki
- http://www.allspammedup.com/2009/02/history-of-phishing/ by Carl Reid
- Operation Phish Phry (October 7, 2009), Federal Bureau of Investigation
- About Phishing, Internet Corporation for Assigned Names and Numbers (ICANN)
- View the Updated Registry Agreement (PDF), ICANN
- Anti-Phishing Laws by Troy Dooly, eHow.com
- 18 U.S. Code § 1343 - Fraud by wire, radio, or television, Legal Information Institute, Cornell University Law School
- Wire Fraud, FindLaw
- Federal Computer Crime Laws by Maxim May, Maxim, SANS Institute
- STATE LAWS ADDRESSING "PHISHING" (December 30, 2013), National Conference of State Legislatures
- Articles of Anti-Phishing Alliance of China (November 29, 2010), Anti-Phishing Alliance of China