Season over for 'phishing'?

President Bush has signed into law a bill that mandates minimum sentences for ID fraudsters, including Net-reliant "phishers."

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
6 min read
The latest innovation in identity fraud typically begins with an unexpected e-mail message from a financial institution proclaiming something like: "Your account information needs to be updated due to inactive members, frauds and spoof reports."


What's new:
President Bush has signed into law a bill that mandates minimum sentences for perpetrators of identity fraud, including "phishers," who fake e-mails and Web sites to steal bank account information and other potentially valuable data.

Bottom line:
Some say that by putting the matter into federal hands, the new legislation will solve the problem of inadequate enforcement on the part of state agencies. Others, though, say it's not likely that a minimum five year sentence, for example, will deter someone intent on committing a crime that can, under current law, already lead to a punishment as harsh as 15 years of jail time.

More stories on this topic

Anyone who clicks on the included hyperlink and types in their personal details is unwittingly connecting not to their own bank, but to a scam artist engaged in the sport of "phishing" for illegally obtained credit card numbers, bank account information, and Social Security numbers.

President Bush on Thursday signed into law a bill that boosts criminal penalties against phishing and many other forms of identity fraud, also called identity theft. Known as the Identity Theft Penalty Enhancement Act, or ITPEA, the measure sets up punishment guidelines for anyone who possesses someone else's identification-related information with intent to commit a crime.

"Identity theft undermines the basic trust on which our economy depends," Bush said before signing the legislation. "When a person takes out an insurance policy, or makes an online purchase, or opens a savings account, he or she must have confidence that personal financial information will be protected and treated with care. Identity theft harms not only its direct victims, but also many businesses and customers whose confidence is shaken."

Though solid numbers are hard to come by, identity fraud has been called the fastest-growing crime in the United States, affecting millions of Americans at a cost of billions of dollars a year. The Federal Trade Commission estimates that 10 million Americans become victims of identity fraud a year, while researcher Gartner places the annual number at around 7 million.

It's a problem that appears to be growing quickly. The Social Security Administration says reports of misuse of Social Security numbers have leaped from about 11,000 in 1998 to 65,000 in the 2001 fiscal year. Bank fraud is also on the rise, according to the FBI, which warns that terrorists have relied on false identification documents.

"Once it is damaged, it can take years to completely clear one's credit history, and in the meantime, the obstacles pile up," said House Judiciary Chairman F. James Sensenbrenner, R-Wisc., after the House of Representatives approved the ITPEA in June. "Purchasing large items like cars and homes becomes almost impossible because the victim is unable to qualify for a decent loan rate--if he or she qualifies at all."

Mandatory minimums
By mandating minimum prison sentences, ITPEA is designed to deter the type of identity fraudsters who have been prosecuted but have received little jail time. A House report says one woman, Dolores Rodriguez, surreptitiously worked under her husband's SSN while receiving more than $80,000 in disability benefits--but was sentenced only to home confinement and probation. In another case, after Diana Fergerson pleaded guilty to stealing another person's identity and obtaining credit and Social Security benefits, she was sentenced to five years probation and restitution.

Tips on preventing identity fraud

• Shred bank statements, credit card bills and other correspondence with sensitive information on it.

• Ask for a copy of your credit report from the three major bureaus (Equifax, Experian and TRW) at least once a year. That can reveal whether someone's been opening up fraudulent accounts under your name.

• Withhold your Social Security Number whenever possible. Ask creditors and utility companies to set a password on your account instead of using your SSN or mother's maiden name, and request that ID cards not display your SSN.

• Minimize what personal information you keep in your wallet or purse. Don't carry your Social Security card around with you, and make sure that you don't write down PINs for your bank card, either.

• Be wary of unexpected e-mail messages that seem to be from a legitimate company but ask you to divulge sensitive information. Consider opening up a new e-mail account only for business-related purposes.

Sources: U.S. Department of Justice, CNET News.com research

ITPEA toughens those penalties. It says that anyone who, while engaged in any of a long list of crimes, knowingly "transfers, possesses, or uses, without lawful authority" someone else's identification will be sentenced to an extra prison term of two years with no possibility of probation. Committing identity fraud while engaged in certain major crimes sometimes associated with terrorism--such as aircraft destruction, arson, airport violence or kidnapping top government officials--gets an automatic extra five years.

In addition, ITPEA rewrites a second section of the current law, which restricts only transferring or using someone else's ID. That 1998 law was part of Congress' earlier effort to tackle identity fraud. Now merely possessing the "identification of another person with the intent to commit, or to aid or abet" a crime is illegal.

Chris Hoofnagle, deputy director of the Electronic Privacy Information Center in Washington, D.C., says that ITPEA is intended to encourage prosecutors to bring more ID fraud cases.

"A big problem in identity theft comes from lack of enforcement," Hoofnagle said. "There are problems with state authorities who tend not to want to deal with the problem. If you're a Washington, D.C., resident and someone in California steals your identity, both Washington and California police will play ping-pong with your case to avoid dealing with it. They have other priorities. Enforcement at a federal level may deter the crime and provide the opportunity to capture thieves who are evading state enforcement."

But ITPEA's mandatory minimum prison terms have irked some Democrats, who say judges should be granted considerable leeway when handing out sentences.

"Congress is not in a better position to determine what the appropriate sentences are in individual cases before the crime occurs than a judge is when he has heard the evidence," Rep. Robert Scott, D-Va., said at a House committee meeting on May 12. "Mandatory minimum sentences not only defeat the rational sentencing system that Congress adopted, but (they also) make no sense in our separation-of-powers scheme of governance. Moreover, the notion that mandating a two- or five-year sentence to someone who is willing to risk a 15-year sentence already is not likely to add any deterrence."

Phishing season over?
Though not all the reasons for the reported rise in identity fraud are clear, most appear to stem from relying on SSNs as a means of identification, coupled with the dramatic growth in credit card use in the past 20 years. The U.S. Justice Department warns Americans to be extremely cautious before divulging their SSNs.

Laptops can be rich sources of personal data for thieves, as the University of California found out recently, warning 145,000 blood donors that they could be at risk for identity theft due to a stolen university laptop. In 2002, the IRS admitted it lost 2,300 computers that potentially contained personal information about American taxpayers. In addition, persistent bugs in Microsoft Windows and Internet Explorer can permit criminals to seize control of a PC and read all the information on it.

Phishing, or sending spam that impersonates a legitimate business, is one of the biggest worries of e-commerce companies. Security firm MessageLabs says phishing messages were almost nonexistent in September 2003 but have become a huge problem since then.

MasterCard International announced last month that it was going to try to track down the culprits and shut down Web sites that pose as its own, and EarthLink is taking steps to block access to the fraudulent Web sites. Some privacy advocates recommend that consumers open a new e-mail account just for business-related purposes and never use it for general correspondence.

For now, though, identity fraudsters appear to be traditionalists: A report released last year by the Federal Trade Commission said only 3 percent of people who reported identity fraud cited misuse of their Internet accounts.