Phishing is a crime in which a perpetrator sends a form of communication (usually email) to someone else because they want the recipient to inadvertently reveal personal information. The fraudulent nature of a phishing message is cleverly disguised, so that the communication looks official. In the message, the recipient is requested to provide sensitive information, like personal identification numbers (PINs), login details, bank accounts, social security numbers, and so on. A phishing email is almost always related to a plan to commit identity theft.
All states have laws in place to stop people from obtaining another person’s personal details. However, they do not all have specific phishing laws in place. In fact, only a minority of states do. Where no phishing laws are in place, other criminal laws can be applied. This means that phishing is a crime across the nation. It is also believed that more states will soon adopt specific laws because the practice is now so common. There also isn’t a specific federal statute that makes phishing illegal. Rather, there are laws that can apply to the crime.
Phishing Crimes & Charges
Phishing crimes are almost always covered under identity theft laws. These laws cover any situation in which one person illegally or fraudulently obtains the personal details of someone else. In order for phishing to take place, it has to be a knowing and intentional communication, aimed at misleading the recipient. As with many laws, the key factor is intent: a phisher has to intentionally try to take the details of a second person for purposes other than those they describe. A store asking a customer for their credit card details, for instance, is not classed as phishing. Phishing laws, when in place, also apply to phishing websites, which are sites made to look like official sites and to which victims are directed through the phishing communication. Creating, maintaining, or operating such a site is classed as a crime. As with all identity theft crimes, phishing is criminalized whether or not the victim actually falls for the scam.
Penalties for phishing depend on circumstances. Different states have different laws, but most of them class the crime as a felony, with some exceptions. If the crime is not very serious, then a misdemeanor conviction may be considered. Common punishments for phishing include:
- A jail or prison sentence, usually between one and five years
- Fines, usually no more than a few thousand dollars for a misdemeanor, but potentially over $10,000 per offense for felonies
- Restitution, meaning the perpetrator has to pay back any money their victims, often including financial institutions, have lost
- Probation, generally of between one and five years, during which the perpetrator has to adhere to strict terms
Phishing Sentencing Guidelines
It is often difficult to prove culpability in cases of phishing, because criminals use sophisticated methods to keep themselves hidden. Furthermore, they often operate from different countries where regulations are very different. This is also why trials usually do not take place until the prosecution is very sure that they can secure a conviction. As such, most defendants will try to make a plea bargain. If successful, they are often given only a probation sentence. Additionally, it is common for judges to impose lower sentences if the defendant participates in the investigation to identify other perpetrators. These are all mitigating factors. Aggravating factors usually include the victim being elderly or otherwise vulnerable.
Phishing Statute of Limitations
The statute of limitations for phishing in most states is 5 years. The statute can be tolled if the perpetrator is out of state or out of the country. This is very common with phishing, in which perpetrators often operate from abroad.
- Phishing campaigns are using the Facebook platform against itself. They use Transport Layer Security (TLS) certificates, which keep user communication and domains secure. Users are presented with information that looks completely legitimate and are asked for certain credentials. Unfortunately, anyone can be targeted by this, whether they are logged in to Facebook or not. Those who provide their credentials will find that the credentials are sold on straight away. Anyone who has recently had a report asking them to change their login details, be that through Facebook or otherwise, is asked to change their passwords again. (ZDNet)
- A ‘spear phishing’ campaign has hit Kalamazoo College. One employee received a phishing email and believed it to be real, sending it on to everyone who has a Kalamazoo College email address, be they staff or student. It is not clear who is behind the phishing scheme, but the IRS, the FBI, and Michigan State Police have all been informed. All students and employees are also encouraged to contact TransUnion to place an alert on their file. (8 Wood TV)
- It has been observed that in 2015, phishing attacks were even more common and successful than in 2014. This has been confirmed by a United Kingdom computer emergency response team, the European cybercrime response center, and the U.S. Secret Service. It appears that 30% of phishing messages are now opened, up from 23% in 2014. Additionally, most phishing emails now include malware, presenting a double attack. Cyber warfare is becoming increasingly widespread, as it appears that 80% of hackers take just a few minutes to break into a system, and less than 25% of breaches are detected within the first few days. (FT Technology)
- It seems that Google Play's policing efforts are poorly done. Malicious apps frequently manage to filter through. Since the start of 2016, 11 malicious apps have been found on Google Play, all of which were very effective. Often, these lead to authentic-looking login pages that are actually phishing scams. It is not clear yet how successful the phishing scams have been. (PC World)
- The Rhode Island Blood Center has been successfully targeted by a phishing campaign. It was targeted by the same email as Kalamazoo College, which was an email asking for W-2 tax information from 2015. It is not clear whether the two incidents are related, or whether there were joint contacts, meaning that the email was accidentally forwarded. All RI Blood Center employees have been informed of the situation and have been given assistance for identity protection. No donor information was compromised. (Turn to 10)