Spamming, phishing, pharming, keystroke logging, anti-spyware, Trojan horses – all of these terms (and many more) relate to one desired end result, namely misuse of others' branding and trade mark rights, theft and fraud. The term "phishing" is derived from "fishing expedition" and is essentially e-mail fraud. A legitimate-looking email is sent out in bulk (spammed) to many recipients in the hope that someone takes the bait and naively hands over enough personal information to allow the sender to commit identity theft and fraud. The emails appear to be from trustworthy, known businesses, but the hook is that they request the recipient to disclose personal details, such as bank account details and PINs, that the real business would not usually request in such a manner. Alternatively, a phishing email can direct the recipient to a website which appears to be legitimate but is in fact a spoof site where the recipient is asked to enter their personal details. In recent months, there has been a rise in phishing scams which use keystroke logging programmes. These programmes are unleashed onto the unwitting user of the spoof website and planted on that user's system to record the keystrokes made when the user enters passwords and account details. These details are then automatically sent to the phisher to use as they please.
"Pharming" takes the process a step further: the spammed email contains malicious code which is released when the recipient opens the email or its attachment. The code is planted on the unwitting recipient's system so that, when the recipient tries to visit a website, the code directs them instead to a spoof site which appears to be the legitimate website, including showing a legitimate URL. The masked site then gathers all the confidential information it can for the purposes of misuse. The same effect can be achieved through domain name system (DNS) poisoning, in which case nothing on the user's computer is corrupted; the problem sits on the DNS server instead, so it evades detection for much longer and affects many more users.
By sending out thousands of these phishing emails, it only takes a few fish to be hooked to make the scam worthwhile. The set-up costs are cheap and the sender can be virtually untraceable, so the risk of being caught is low. The Anti-Phishing Working Group (www.antiphishing.org) is the largest global association focused on eliminating the fraud and identity theft that results from phishing. The APWG publishes regular trend reports and statistics: in July 2005, 71 brands were hijacked by phishing campaigns, with 6 brands accounting for 80% of phishing campaigns. Financial services (mainly the banking sector) continues to be the most targeted industry sector, growing to nearly 86% of all phishing attacks.
As a result, misuse of trade marks and branding, including domain names, is one of the biggest legal issues arising out of phishing scams. Trade marks are used without authority within the text of the phishing email, on the spoof website, in the domain name of the spoofed website and in the source code of the spoofed website. This not only leads to dilution of the trade mark but also to damage to reputation, in that the owner of the trade mark could be perceived either as somehow involved with the scam or as not doing enough to prevent its unwitting association with the scam. Therefore, it is important for entities in the financial services area not only to ensure that their branding is protected as registered trade marks, but also that use of their trade marks is monitored and any misuse acted upon immediately by:
- notifying customers to raise their awareness of potential phishing scams;
- taking legal action against the phishers; and
- working with the authorities (such as the police) and industry bodies (such as APWG and UK Trading Standards) to report the phishing attack.
Other major legal issues that arise from phishing concern the misuse of personal information ("identity theft") for a variety of purposes. Not only does this infringe an individual's right to privacy, but it often leads to that individual's bank and credit accounts being abused. Fraud is an enormous issue for banks, and phishing is the latest and largest of the scams targeted at the financial services sector, one that continues to grow in strength and sophistication.
In order to combat identity theft and fraud, software makers have been designing technical solutions to help safeguard individuals against phishing emails and spoof websites. The other half of the strategy is to raise social awareness of phishing so that recipients detect the scam and avoid being hooked. Earlier this year, the Home Office launched www.itsafe.gov.uk to advise consumers and small business owners on how to protect their IT systems. To support industry activities to combat phishing, the Cabinet Office is currently building www.getsafeonline.org.uk, a joint government and private sector initiative aimed at helping people use the internet safely. In addition, banks and other entities targeted by phishing scams should continue notifying their customers about phishing and advising them on how to detect and avoid such scams. To help give these incentives teeth, a new Fraud Bill 2005 (UK) has had a second reading and is now before a parliamentary committee for full consideration. Fraud (including fraudulent misrepresentation) is usually dealt with as part of the general law. The Fraud Bill seeks to define in legislation particular offences for fraud and clearly states that such offences can lead to up to 10 years' imprisonment and high fines. One new offence, fraud by false representation, is particularly aimed at phishing activities. It is hoped that all of these activities and initiatives will muddy the waters to such an extent that the phishers will focus their activities elsewhere.