Washington lawmakers passed legislation yesterday to increase penalties against “phishing,” spam that attempts to get consumers’ financial data by posing as a bank or other company.

The e-mails often contain links to Web sites that appear to belong to genuine banks, persuading some recipients to provide their account, credit-card or other personal information.

A recent survey of Internet users by the Pew Internet & American Life Project found that phishing spam is on the rise, while pornographic spam is declining.

The legislation would create special penalties for people caught phishing.

Currently, law-enforcement officials must use traditional property-crime laws to address the relatively new form of theft, said Rep. Jeff Morris, D-Anacortes, a co-sponsor of the anti-phishing bill and chairman of the House Technology, Energy and Communications Committee.

“This allows us to go after perpetrators and civilly go after the resources they’ve stolen,” Morris said. “It’s a priority to make sure people feel comfortable doing business over the Internet.”

Trouble is, phishers are extremely difficult to catch.

“It’s definitely a crime where we must concentrate on prevention, because the threat of law enforcement as a deterrent isn’t going to get us very far,” said Jim Bruene, editor of the Online Banking Report, a Seattle-based newsletter.

The same is true for spyware perpetrators, Bruene said. Lawmakers earlier approved legislation against spyware, another way people can steal personal data from Internet users to tap their bank or credit-card accounts or steal their identities. Both bills are expected to be signed by the governor.

The anti-phishing measure would allow victims to sue for $500 or actual damages, whichever was greater. Internet service providers that are victims could get $5,000 or actual damages.

In both cases, the court could increase the award up to three times the damages allowed, plus costs and attorneys’ fees.

The anti-spyware legislation would allow the state attorney general and some business victims to seek damages up to $100,000 per violation or actual damages, whichever is greater. A court could triple that award as well, as long as it did not exceed $2 million.

Spyware perpetrators are difficult to trace because people often do not know the spyware is running on their computers. They become victims of fraud without knowing where it originated, Bruene said.

Phishers are hard to track, too, because they quickly open and close e-mail accounts and the bogus Web sites to which the e-mail is linked, said Charles Harwood, Northwest regional director for the Federal Trade Commission (FTC).

“They might leave a name, address and long-distance phone number” attached to a Web site, Harwood said. “And they could lie about all of it.”

The FTC has filed only three cases against phishers over the past two years; one of those phishers faces nearly four years in prison.

Other agencies have had trouble nabbing the new Internet criminals as well. Last year, the FTC, FBI, Secret Service, industry representatives and others banded together in a project called “Digital PhishNet” to coordinate efforts to fight phishing.

Officials also are making contacts to help internationally.

Digital PhishNet’s Web site promises, “Phishing is about to become a very dangerous sport.”

Some banks and other companies susceptible to phishing have hired firms to detect and shut down phishing sites.

Companies such as Toronto-based Brandimensions go to great lengths to attract spam, then sift through e-mails looking for phishing attacks.

“From there, we notify the bank, and some want to deal with it first themselves,” said Hugh Hyndman, chief technology officer for Brandimensions.

A bank might set up fake accounts, then give suspected phishers that account information and track their activity, he said.

When Brandimensions handles the job, its aim is to shut down the bogus site, and that requires “a really good Rolodex,” Hyndman said.

The company has contacts with Internet service providers and law-enforcement officials around the world who together help shut down bogus sites in an average of four hours, he said.

Brandimensions does not try to catch the perpetrators, however.

“That’s up to the bank’s fraud department and the FBI,” Hyndman said. “And that’s the difficulty. There are not that many arrests going on.”

Melissa Allison: 206-464-3312 or mallison@seattletimes.com