• Legislative Affairs
• State Governmental Affairs
• Gov. Affairs Staff
• Gov. Affairs Committee
• Gov. Affairs Home

110th CONGRESS, LEGISLATIVE ISSUES A - Z

PHISHING

ISSUE: One way identity theft can happen is through “phishing.” Phishing refers to a practice where someone misrepresents their identity or authority in order to induce another person to provide PII (Personal identifiable information) over the Internet. Some common phishing scams involve e-mails that purport to be from a financial institution, ISP (Internet Service Provider), or other trusted company claiming that a person’s record has been lost or that their account information needs to be renewed. The e-mail directs the person to a website that mimics the legitimate business’ website and asks the person to enter a credit card number and other PII so the record can be restored. In fact, the e-mail or website is controlled by a third party who is attempting to extract information that will be used in identity theft or other crimes.

Preventing these scams is extremely difficult given that the overwhelming bulk of them originate outside the United States, particularly in Africa and other nations that neither have the resources nor desire to work with US authorities in shutting down these operations and prosecuting the offenders. Educating the public is usually the best route in dealing with this problem.

CURRENT LAW:

There are not any specific laws or regulations that tackle phishing specifically, though there are some laws that would punish identity thieves (including those that steal private information through fraudulent websites). Several laws restrict the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts -- Section 5 of the Federal Trade Commission Act, the Fair Credit Reporting Act (FCRA), and Title V of the Gramm-Leach-Bliley Act. Congress also has passed several laws specifically related to identity theft: the 1998 Identity Theft and Assumption Deterrence Act; the 2003 Fair and Accurate Credit Transactions (FACT) Act; and the 2004 Identity Theft Penalty Enhancement Act.

EDUCATING CONSUMERS AND FINANCIAL INSTITUTIONS:

The NCUA, Fed, FDIC, OCC, and OTS put out a brochure to educate consumers on phishing:

• http://www.ncua.gov/Publications/brochures/IdentityTheft/PhishBrochure-Web.pdf

NCUA's "phishing guidance":

• http://www.ncua.gov/letters/2005/CU/05-CU-20.pdf
  
• http://www.ncua.gov/letters/2004/04-CU-06.doc
  
• http://www.ncua.gov/RiskAlert/2005/05-Risk-02.pdf

The FTC issued the following:

• A Consumer Alert in October, 2006 on protecting against Phishing
• Internet Scam facts for consumers
• Information on protecting information online
• Consumer information on Identity Theft

The OCC issued a consumer alert:

• http://www.occ.treas.gov/consumer/phishing.htm

PROPOSED LEGISLATION:

H.R. 1525, the Internet Spyware (I-SPY) Prevention Act, passed the House of Representatives on May 22, 2007 and was sent to the Senate Judiciary Committee for consideration.

This bill would amend the federal criminal code to prohibit intentionally accessing a protected computer without authorization, or exceeding authorized access, by causing a computer program or code to be copied onto the protected computer, and intentionally using that program or code (1) in furtherance of another federal criminal offense; (2) to obtain or transmit personal information (including a Social Security number or other government-issued identification number, a bank or credit card number, or an associated password or access code) with intent to defraud or injure a person or cause damage to a protected computer; or (3) to impair the security protection of that computer. The bill also prohibits any person from bringing a civil action under state law premised upon the defendant’s violating this act. Additionally, the bill provides that this act does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency or a U.S. intelligence agency. The bill also authorizes appropriations to the Attorney General for prosecutions needed to discourage the use of spyware and the practices called phishing and pharming and expresses the sense of Congress that the Department of Justice should vigorously prosecute those who use spyware to commit crimes and those that conduct phishing and pharming scams.

CUNA ACTIONS:

CUNA has reported extensively on phishing and maintains a webpage with resources to educate consumers on how to spot these fraudulent e-mails. See http://www.cuna.org/initiatives/internet_fraud.html. In addition, CUNA will continue to monitor H.R. 1525, the Internet Spyware (I-SPY) Prevention Act, and its progress in the Senate. Finally, CUNA's regulatory department will continue to monitor actions taken on this issue by the FTC and financial institution regulators.

CONTACT: John Hildreth, (202) 508-6724, jhildreth@cuna.coop