Phishing in Cyberspace: Issues and Solutions
**Abstract:**
This paper analyses and addresses the growing threat of phishing in cyberspace. Digital transactions and communications have, over the past decade, been increasingly transpiring at an accelerated rate. This non-linear progression has generated a myriad of risks associated with the utilization of information and communication technologies in cyberspace communications, amongst the most important of which is the online phishing crime. This paper aims to provide an overview of the risks related to this crime and seeks to offer some solutions based on the necessity of pursuing an international policy encompassing strategic, regulatory and technical approaches.
*Keywords: Phishing, Cybercrime, Cyberspace, Identity theft*
**1. Introduction**
Phishing [1] is the act of sending an email to a user falsely claiming to be an established legitimate business in an attempt to scam the user into surrendering private information that will be used for identity theft. [2] The email directs the user to visit a Web site where he or she is asked to update personal information, [3] such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has issued. [4] The Web site, however, is bogus and set up only to steal the user’s information. [5] Phishing combines the power of the internet with universal human nature to defraud millions of people out of billions of dollars. [6] Nearly every internet user has received a phishing email by now.
On such account, phishing is a serious crime that merits due consideration and adequate prevention and combating. Phishing may be committed in whole or in part by the use of information and communication technologies (ICTs), which dispenses with face-to-face physical contact and allows for encounters at a distance. [7] Historically, fraud involved face-to-face communication since physical contact was primarily the norm. [8] Even when remote communication (i.e., snail mail) could be used to set up a fraudulent transaction, it was often still necessary for the parties to meet and consummate the crime with a physical transfer of the tangible property obtained by deceit. [9] Nevertheless, the proliferation of ICTs has exerted a profound impact upon the nature and form of the crime, and has altered the mechanisms of crime commission. [10] Nowadays, perpetrators can use fraudulent emails and fake websites to scam thousands of victims located around the globe, and may expend less effort in doing so than their predecessors. [11] This new form of automated or electronic crime distinguishes online virtual fraud from real-world fraud in at least two important respects: [12] (a) it is far more difficult for law enforcement officers to identify and apprehend online fraudsters; and (b) these offenders can commit crimes on a far broader scale than their real-world counterparts.
Studies indicate that the number of phishing incidents is increasing at an alarming rate. [13] A recent report by the Anti-Phishing Working Group (APWG) found that phishing attacks have increased. [14] In May 2006 alone, more than 20,109 emails and 11,976 phishing web sites, representing 137 hijacked brands, were reported and tracked by the APWG. [15] In the United States, it was estimated that between May 2004 and May 2005, 1.2 million internet users were victims of phishing, with losses totaling approximately $929 million USD. [16] In the United Kingdom, losses from phishing almost doubled to £23.2m in 2005, from £12.2m in 2004. [17]
Finally, online phishing does carry the seeds of a potential conflict between national legal systems due to the intrinsic transnational and cross-border implications of such crimes, and the relative variation and divergence of national and regional policies dealing with such crimes. Whilst national and international efforts are underway to establish harmonized and consistent national strategies and policies to combat cybercrime, global condemnation as well as adequate universal policies may not be achieved in the near future at least until all states recognize the importance of ICTs and the need for existence of an adequate regulatory framework. [18]
**2. Phishing techniques**
There are many techniques used by phishers in cyberspace. [19] Perhaps the most frequently used ones are: [20]
**2.1 Dragnet method**
On January 26, 2004, the Federal Trade Commission filed the first lawsuit against a suspected phisher. [21] The defendant, a Californian teenager, allegedly created and used a webpage designed to look like the America Online website, so that he could steal credit card numbers. [22] In the same year, a California federal prosecution targeted a 21-year-old defendant who used spoofed eBay emails and Web pages to acquire users’ names and passwords, then ran fraudulent auctions on eBay under the victims’ names. [23] This particular crime involved the use of the dragnet method. This method involves the use of spammed emails, bearing falsified corporate identification (e.g., trademarks, logos, and corporate names), that are addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site) and that direct them to websites or pop-up windows with similarly falsified identification. [24]
Dragnet phishers don’t identify specific prospective victims in advance. [25] Instead, they rely on the false information they include in the e-mail to trigger an immediate response by victims – typically, clicking on links in the body of the email to take them to the websites or pop-up windows where they are requested to enter bank or credit-card account data or other personal data. [26]
**2.2 Rod-and-reel method**
In a 2004 Connecticut federal prosecution, a young husband and wife team worked together to access chat rooms, use a device to capture the screen names of chat room participants, and send e-mails that directed recipients to disclose their correct billing information, including current credit-card numbers. [27] Two years later, eight people were arrested by Japanese police on suspicion of phishing fraud by creating bogus Yahoo Japan Web sites, netting themselves 100 million yen ($870 thousand USD). [28] The principals in the scheme then used the credit-card numbers and other personal data to arrange for wire transfers of funds via Western Union, but had others pick up the funds from Western Union. In the rod-and-reel method, phishers identify specific prospective victims in advance, and convey false information to them to prompt their disclosure of personal and financial data. [29]
**2.3 Lobsterpot method**
This technique relies solely on the use of spoofed websites. It consists of the creation of spoofed websites, similar to legitimate corporate ones, that a narrowly defined class of victims is likely to seek out. In lobsterpot phishing, the phishers identify a smaller class of prospective victims in advance, but do not rely on a call to action to redirect prospective victims to another site. It is enough that the victims mistake the spoofed website they discover on their own for a legitimate and trustworthy site. [30] In fact, spoof attacks occur at the protocol layer level. When the spoofer’s goal is to either gain access to a secured site or to mask his or her true identity, he or she may hijack an unsuspecting victim’s address by falsifying the message’s routing information so that it appears to have come from the victim’s account instead of his or her own. [31] He or she may do so through the use of “sniffers.” Since information intended for a specific computer must pass through any number of other computers while in transit, the data essentially becomes fair game, and sniffers may be used to capture the information en route to its destination. Sniffer software can be programmed to select data intended for any or every computer. [32]
**2.4 Gillnet phishing**
At West Point in 2004, teacher and National Security Agency expert Aaron Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. [33] The messages appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message; in response they received a notification that they’d been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware. [34] This technique relies far less on social engineering than the preceding techniques. In gillnet phishing, phishers introduce malicious code into emails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site’s pop-up window. [35] Merely by opening a particular email, or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code will change settings in users’ systems, so that users who want to visit legitimate banking websites will be redirected to a lookalike phishing site. In other cases, the malicious code will record users’ keystrokes and passwords when they visit legitimate banking sites, then transmit those data to phishers for later illegal access to users’ financial accounts. [36]
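The redirect variant of gillnet phishing described above works by altering local name-resolution settings so that a bank's hostname no longer resolves to the bank. A simple defensive check is to look for protected hostnames that have been pinned in the local hosts file to anything other than a loopback address. The following is an added example, not code from the paper; the hosts-file contents, the `PROTECTED` domain set and the `.test` hostnames are constructed for the demonstration.

```python
"""Check a hosts file for pinned entries that would redirect protected sites.

Added example, not from the paper.  The two hosts-file texts, the protected
domain list and all addresses below are constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: a hosts file as shipped, and one that has been altered so that
# the bank's hostnames resolve to an address the user never chose.
CLEAN_HOSTS = """
127.0.0.1   localhost
::1         localhost
"""

TAMPERED_HOSTS = """
127.0.0.1   localhost
# the entries below are constructed for the example
203.0.113.45   www.examplebank.test examplebank.test
203.0.113.45   online.examplebank.test
"""

# Constructed: the institutions this user actually banks with.
PROTECTED = {"examplebank.test", "examplecard.test"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def is_protected(host: str) -> bool:
    """True if host is one of the protected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED)


def find_redirections(text: str) -> Dict[str, str]:
    """Map every protected hostname pinned to a non-loopback address to that
    address.  A pin bypasses DNS entirely, which is the redirect-to-lookalike
    behaviour described in the text; a loopback pin (a deliberate block) is
    left alone, and a malformed address is reported so a human can look."""
    hits = {}
    for address, name in parse_hosts(text):
        if not is_protected(name):
            continue
        try:
            if ipaddress.ip_address(address).is_loopback:
                continue
        except ValueError:
            pass                                # malformed: still report it
        hits[name] = address
    return hits


if __name__ == "__main__":
    print("clean    :", find_redirections(CLEAN_HOSTS))
    print("tampered :", find_redirections(TAMPERED_HOSTS))
```

On a real machine the text would be read from `/etc/hosts` (or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) and `PROTECTED` populated from the user's own list of institutions; the check says nothing about where a pinned address leads, only that name resolution for a protected site has been taken out of DNS's hands.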
**2.5 New phishing techniques**
In fact, not all phishing attacks use a fake website. [37] In an incident in 2006, messages that claimed to be from a bank asked the users to dial a phone number regarding a technical problem with their bank account. [38] Once the phone number was dialed, prompts told users to enter their account numbers and PIN. The number was provided by a Voice over IP provider. [39]
Another effective tool that is being used nowadays by phishers is the Botnet. This is a jargon term for a collection of software robots, or bots, which run autonomously. [40] This can also refer to the network of computers using distributed computing software.
Botnets are used for several purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. [41] Botnet controllers are engaged in a constant struggle over who has the most bots, the highest overall bandwidth, and the largest number of “high-quality” infected machines. [42]
Accordingly, a 63-year-old man in Suffolk, a 28-year-old man in Scotland, and a 19-year-old man in Finland were arrested on June 27, 2006 in connection with an international conspiracy to infect computers using botnets. [43] The Metropolitan Computer Crime Unit, the Finnish National Bureau of Investigation (NBI Finland) and the Finnish Pori Police Department collaborated to arrest the men, who are all suspected of being members of the M00P cybercriminal gang. [44]
**3. Online phishing proposed solutions: Legislative approaches**
From logical and pragmatic perspectives, knowing the problem, the risks associated therewith, and the ills resulting from online phishing is an important step towards a possible solution. Furthermore, such determination constitutes an integral part of devising effective vaccines and serums to eradicate and prevent this crime. Having described the problem and the diverse types of online phishing, we shall now address some of the potential solutions thereto. Thus, we shall first analyze the American approach, then the European one, before we move to the technical solutions that aim to enhance privacy and provide a secure medium for data transfer in a manner that protects the confidentiality and integrity of personal information.
**3.1 The American approach**
Many federal laws are applicable to online phishing, some of which may be used for the prosecution of identity theft offences, and some of which were adopted specifically to combat online phishing.
The main identity theft statute is 18 U.S.C. § 1028(a)(7). It was enacted on October 30, 1998, as part of the Identity Theft and Assumption Deterrence Act. [25] This act was needed because 18 U.S.C. § 1028 previously addressed only the fraudulent creation, use, or transfer of identification documents, and not the theft or criminal use of the underlying personal information. [46] This new act added § 1028(a)(7), which penalizes fraud in connection with the unlawful theft and misuse of personal identifying information, regardless of whether the information appears or is used in documents.
Section 1028(a)(7) provides that it is unlawful for anyone who: “Knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law…”
The Identity Theft Act amended the penalty provisions of §1028(b) by extending its coverage to offenses under the new §1028(a)(7) and applying more stringent penalties for identity thefts involving property of value. [47] Furthermore, the Identity Theft Act added §1028(f) which provides that attempts or conspiracies to violate §1028 are subject to the same penalties as those prescribed for substantive offences under §1028. [48]
Finally, the Identity Theft Act is intended to cover a variety of individual identification information that may be developed in the future and utilized to commit identity theft crimes. [49] The Identity Theft Act also directed the United States Sentencing Commission to review and amend the Sentencing Guidelines to provide appropriate penalties for each offence under Section 1028. [50] Other federal crimes that could be committed through involvement in a phishing scheme are wire fraud (18 U.S.C. § 1343), credit card fraud (18 U.S.C. § 1029), bank fraud (18 U.S.C. § 1344), and computer fraud (18 U.S.C. § 1030(a)(4)). [51]
For example, the wire fraud act prohibits “Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice”. [52] The offender “shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both”.
When the criminal uses computer viruses or worms to commit his crime, this may violate other provisions of the computer fraud and abuse statute relating to damage to computer systems and files (18 U.S.C. § 1028(a)(5)). [53]
On March 1, 2005, Democratic Senator Patrick Leahy introduced the Anti-Phishing Act of 2005. [54] According to this bill, criminals who create fake web sites and spam bogus emails in order to defraud consumers could receive a fine of up to $250,000 and jail terms of up to five years. [55]
Finally, phishing crimes may violate several State statutes. For example, California’s anti-phishing law makes it illegal for “any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business”. [56] The State of Connecticut “prohibits using the Internet or an e-mail message to solicit or induce another to provide identifying information by pretending to be an on-line Internet business and provides civil and criminal penalties”. [57] Florida’s anti-phishing act “prohibits inducing, requesting, or soliciting identifying information with an intent to engage in conduct involving the fraudulent use or possession of another person's identifying information; authorizes civil actions for violations; provides for; provides for nonapplication to certain entities' good faith handling of identifying information”. [58] Moreover, the act prohibits the “fraudulent use of a web page or Internet domain name to obtain personal identifying information from a resident of Florida; prohibits the fraudulent use of electronic mail to obtain personal identifying information from a resident of Florida; provides a civil action for injunction and damages”. [59]
On April 18, 2006 Louisiana passed a new Anti-Phishing Act which prohibits the “use of the Internet to obtain identifying information of another person for a fraudulent purpose and provides for civil relief”. [60] New Jersey’s Anti-Phishing Act “makes it an unlawful practice for any person, through the use of the Internet, to take any action to induce another person to provide personal information by representing oneself, either directly or by implication, to be a business without the authority or approval of that business”. [61]
On May 17, 2006 the New York State Senate gave the final legislative approval to the “Anti-Phishing Act of 2006”. [62] The act prohibits “the misuse of the internet to obtain identifying information by misrepresenting oneself as an online business; authorizes the Attorney General, internet service providers, and those owning a web page or trademark, who are adversely affected by such conduct to bring an action for injunctive relief and damages”. On April 17, 2006 the Governor of Oklahoma signed a new Anti-Phishing Act. [63] It prohibits persons from creating and using web pages with certain fraudulent intent; allows certain persons to bring civil actions for violations of the act; provides damages; makes unlawful acts under the act violations of the Oklahoma Consumer Protection Act; and exempts certain actions by telecommunications providers or Internet service providers from the act. [64] Finally, the Governor of Tennessee signed on May 1, 2006 the “Anti-Phishing Act of 2006”. [65] It penalizes persons who, without authorization or permission of the subject of identifying information, obtain, record, access or distribute identifying information of another person through use of the Internet, e-mail or wireless communication; establishes that any violation shall be construed to be an unfair or deceptive act or practice affecting trade or commerce; and provides for civil relief. [66]
**3.2 European approach**
The Council of the European Union has adopted a Directive of the European Parliament and the Council on data retention, [67] amending Directive 2002/58/EC. [68] The Directive aims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them. [69] In any phishing case, the Directive will ensure that the communication data between criminals and victims, i.e. phishing emails, spoofed web sites, etc., are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law. [70]
The Directive applies to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. [71] It shall not apply to the content of electronic communications, including information consulted using an electronic communications network. [72] The data retained is provided only to the competent national authorities in specific cases and in accordance with national law. Data is retained for periods of not less than six months and not more than two years from the date of communication. [73] Member States have to take the necessary measures to ensure that any intentional access to, or transfer of, data is punishable by penalties, including administrative or criminal penalties that are effective, proportionate and dissuasive. Each Member State will designate a public authority to be responsible for monitoring the application within its territory of the provisions adopted regarding the security of stored data. Following entry into force of the Directive, Member States will have as a general rule 18 months in which to comply with its provisions. [74]
At the same time, European countries have confronted the dangers of cyberspace by devoting significant resources towards formulating a legal framework that addresses the technical and operational challenges of cybercrime. [76] The Convention on Cybercrime is considered “one of the most important legal instruments elaborated within the Council of Europe”. [77] It was approved by the Committee of Ministers of the Council of Europe (COE); on November 23, 2001, the Convention was signed by twenty-six member states of the COE along with four non-member states (Canada, Japan, South Africa, and the United States); it entered into force on July 7, 2004, [78] and has to date been ratified by 15 member States of the Council of Europe. [79] This Convention is the first international treaty to allow police in one country to request that their counterparts abroad collect an individual’s computer data, have the individual arrested and extradited to serve a prison sentence abroad. [80] It aims principally at (1) harmonising the domestic criminal substantive law elements of offences and connected provisions in the area of cyber-crime; (2) providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form; (3) setting up a fast and effective regime of international co-operation. [81] The Convention defines substantive criminal laws to be legislatively adopted by all signatory states. It covers crimes in four main categories: (a) “offences against the confidentiality, integrity and availability of computer data and systems;” [82] (b) computer-related offences; [83] (c) content-related offences (for example, child pornography); [84] and (d) “offences related to infringements of copyright and related rights”. [85] Phishing attacks may be prohibited by either the first or the second group of offences.
The Convention provides that signatory countries must adopt measures to establish jurisdiction over any offences committed in their respective territories or by their nationals. [86] Moreover, it empowers legal authorities and police in one country to collect evidence of cybercrimes for police in another country, and establishes a 24/7 network [87] operating around the clock, seven days per week, to provide immediate assistance with ongoing investigations. This will help in collecting evidence and sharing information related to phishing in any member country.
Article 2 of the Convention prohibits illegal access to a computer system. [88] “Access” comprises the entering of the whole or any part of a computer system (hardware, components, stored data of the system installed, directories, traffic and content-related data). [89] “Access” also includes the entering of another computer system, where it is connected via public telecommunication networks, or of a computer system on the same network, such as a LAN (local area network) or Intranet within an organisation. The method of communication does not matter. [90] This article may be applied to phishers accessing bank accounts after obtaining the victims’ confidential information. The act must also be committed ‘without right’.
The application of specific technical tools may result in an access under Article 2, such as the access of a web page, directly or through hypertext links, including deep-links or the application of “cookies” or “bots” to locate and retrieve information on behalf of communication. The application of such tools per se is not ‘without right’. The maintenance of a public web site implies consent by the web site-owner that it can be accessed by any other web-user. This article may be applied to some phishing scams that use JavaScript commands in order to alter the address bar. [91] This is done either by placing a picture of the legitimate entity’s URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL. [92]
Article 3 of the Convention aims to protect the right of privacy of data communication. The offence represents the same violation of the privacy of communications as traditional tapping and recording of oral telephone conversations between persons. The offence established under Article 3 applies this principle to all forms of electronic data transfer, whether by telephone, fax, e-mail or file transfer. [93] As mentioned above, not all phishing attacks require a fake website: confidential data may be collected by telephone through a Voice over IP provider. [94] This article may be applied in that case.
Communication in the form of transmission of computer data can take place (a) inside a single computer system, (b) between two computer systems belonging to the same person, (c) between two computers communicating with one another, or (d) between a computer and a person. [95] Nonetheless, Parties may require as an additional element that the communication be transmitted between computer systems remotely connected.
Article 19 of this Convention aims at modernising and harmonising domestic laws on search and seizure of stored computer data for the purposes of obtaining evidence with respect to specific criminal investigations or proceedings. [96] Any domestic criminal procedural law includes powers for search and seizure of tangible objects. However, in a number of jurisdictions stored computer data per se will not be considered a tangible object and therefore cannot be secured for the purposes of criminal investigations and proceedings in the same manner as tangible objects, other than by securing the data medium upon which it is stored. [97] The aim of this article is to establish an equivalent power relating to stored data which is contained either within a computer system or part of it (such as a connected data storage device), or on an independent data storage medium. In phishing cases, this article may be applied to the search and seizure of digital evidence. It also helps in criminal investigations and proceedings as mentioned above.
**4. Online phishing proposed solutions: Technical approaches**
Information and communication technologies are a double-edged sword: despite being used to commit online phishing, they can also act as risk-minimizing or mitigating factors that enhance privacy and secure the confidentiality and secrecy of personal identifying information.
**4.1 Message source analysis**
In order to prevent online phishing, the first step law enforcement officers can take is to obtain correct identity information about the phisher’s message source and then decide whether the source is trustworthy or not. [98] From the system’s point of view, every computer on the Internet is identified by its IP address. An IP address has no semantic meaning until humans assign one to it. [99]
A blacklist indicates whether a computer with a given IP address is good or bad. A bad computer is one known to have been used by phishers to send fraudulent emails on the Internet. [100] The blacklist publisher assigns “goodness” (the machine’s IP address is not in the list) or “badness” (the machine’s IP address is in the list) to all Internet machines. The problem with a blacklist is that it is hard to keep the list up-to-date, since it is easy to register new IP addresses on the Internet. [101] After a phisher obtains a new IP address, he can broadcast soliciting emails and wait for victims. Without constant updates, the blacklist gives human users a false sense of security with respect to newly set-up phishing sources.
**4.2 Intrusion detection systems: Honeypots**
A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of computer systems. [102] Generally honeypots consist of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information or a resource that would be of value to phishing attacks. [103] A honeypot is considered a surveillance and early-warning tool. [104] While often a computer system, a honeypot can take on other forms, such as data records, unused IP address space or files. Honeypots should have no production value and hence should not see any legitimate traffic or activity. Whatever they capture can then be presumed to be malicious or unauthorized. [105] One practical application of honeypots is thwarting spam: a honeypot that masquerades as a system of the type abused by spammers to send spam can categorize the material it traps with 100% accuracy, since it is all illicit. A honeypot needs no spam-recognition capability and no filter to separate ordinary e-mail from spam. Ordinary email never comes to a honeypot. [106]
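Sections 4.1 and 4.2 fit together in practice: a spam-trap honeypot is one of the few sources that can feed an IP blacklist without any content filtering, and a consumer of that blacklist still has to know how old the list is before trusting an absence from it. The following added example (not code from the paper) shows the three pieces: reading the message source from the `Received:` header written by our own relay rather than from forgeable headers below it, a blacklist that refuses to call an unlisted address “good” once it is older than a configured age, and trap mailboxes whose mail goes straight onto that list. All hostnames, addresses, trap mailboxes and timestamps are constructed for the demonstration.

```python
"""Message source analysis (4.1) fed by a spam-trap honeypot (4.2).

Added example, not from the paper.  Hosts, IP addresses, the trap address and
the timestamps are all constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from typing import Dict, List, Optional

IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def origin_ip(raw: str, trusted_hops: int = 1) -> Optional[str]:
    """Return the connecting IP recorded by our last trusted relay.

    Each relay prepends its own Received: header, so the first header in the
    message was written by our own MX and names the host that connected to it.
    Headers further down were written on the sender's side and can say
    anything, so the source we can vouch for is header trusted_hops - 1 (the
    last one we wrote), not the bottom-most one.
    """
    received = message_from_string(raw).get_all("Received", [])
    if len(received) < trusted_hops:
        return None
    match = IPV4.search(received[trusted_hops - 1])
    return match.group(1) if match else None


class Blacklist:
    """IP blacklist that remembers when it was last updated.

    The paper's caveat is that a stale list gives a false sense of security
    about newly set-up sources, so an absent IP is only called "good" while the
    list is younger than max_age; after that it is "unverified".
    """

    def __init__(self, entries: Dict[str, datetime], updated: datetime,
                 max_age: timedelta = timedelta(hours=24)) -> None:
        self.entries = dict(entries)
        self.updated = updated
        self.max_age = max_age

    def add(self, ip: str, when: datetime) -> None:
        self.entries[ip] = when
        self.updated = max(self.updated, when)

    def verdict(self, ip: Optional[str], now: datetime) -> str:
        if ip is None:
            return "unknown"
        if ip in self.entries:
            return "bad"
        if now - self.updated > self.max_age:
            return "unverified"
        return "good"


class SpamTrap:
    """Honeypot mailboxes that were never handed out to anyone.

    Mail delivered to them is illicit by construction, so no content filter is
    needed: the source IP goes straight onto the blacklist.  Only bare
    addresses in the To: header are handled (an assumption for this example).
    """

    def __init__(self, traps: List[str], blacklist: Blacklist) -> None:
        self.traps = {t.lower() for t in traps}
        self.blacklist = blacklist

    def ingest(self, raw: str, now: datetime) -> Optional[str]:
        to = message_from_string(raw).get("To", "")
        recipients = {r.strip().lower() for r in to.split(",")}
        if not recipients & self.traps:
            return None                       # ordinary mail: not our business
        ip = origin_ip(raw)
        if ip:
            self.blacklist.add(ip, now)
        return ip


# Constructed sample messages: newest Received: header first, as delivered.
HEADERS = (
    "Received: from mail.bulksender.test ([203.0.113.5])\n"
    "\tby mx.examplebank.test with ESMTP; Mon, 01 May 2006 10:00:00 +0000\n"
    "Received: from [198.51.100.9] by mail.bulksender.test;"
    " Mon, 01 May 2006 09:59:00 +0000\n"
    "From: \"Example Bank\" <security@examplebank.test>\n"
)
PHISH = HEADERS + "To: customer@mailbox.test\nSubject: Verify your account\n\nClick here.\n"
TRAPPED = HEADERS + "To: trap-7f3a@mailbox.test\nSubject: Verify your account\n\nClick here.\n"


def demo() -> Dict[str, str]:
    """Walk through the three situations the text describes."""
    t0 = datetime(2006, 5, 1, tzinfo=timezone.utc)
    bl = Blacklist({"192.0.2.77": t0}, updated=t0)
    ip = origin_ip(PHISH)                                # 203.0.113.5, not the forgeable 198.51.100.9
    out = {"fresh": bl.verdict(ip, t0 + timedelta(hours=1))}   # list is fresh: "good"
    out["stale"] = bl.verdict(ip, t0 + timedelta(days=3))      # list is stale: "unverified"
    SpamTrap(["trap-7f3a@mailbox.test"], bl).ingest(TRAPPED, t0 + timedelta(days=3))
    out["after_trap"] = bl.verdict(ip, t0 + timedelta(days=3))  # source now listed: "bad"
    return out


if __name__ == "__main__":
    print(demo())
```

The `trusted_hops` parameter is the point to get right in a real deployment: it must equal the number of relays the operator controls, because every header below those is written by the sender and proves nothing about where the message came from.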
**4.3 Sharing information**
- The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types. [107] The APWG has over 2300 members from over 1500 companies and agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign. Financial industry members include the ING Group, VISA, Mastercard and the American Bankers Association.
- Another body is the Internet Crime Prevention and Control Institute (ICPCI). [108] This is a private membership-based organization whose goals are to take action against internet crimes, to educate a variety of groups regarding internet crime issues, to research future threats and trends in internet crimes, and to provide information and contact resources for victims of internet crimes. [109]
**4.4 Using anti-phishing toolbars**
A toolbar is effectively a giant neighbourhood watch scheme to defend every internet user against phishing acts. Toolbars trap suspicious URLs containing characters that serve no purpose other than to deceive. [110] They also enforce display of browser navigational controls in all windows, to defend against pop-up windows which attempt to hide the navigational controls. [111] Finally, some toolbars display a site’s hosting location, including country, helping the internet user to evaluate fraudulent URLs (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union). [112]
**4.5 Using identity scoring systems: Fair Isaac**
Fair Isaac Corporation was founded in 1956 by engineer Bill Fair and mathematician Earl Isaac. It provides decision management systems and consulting services. [114] It developed the FICO score, a measure of credit risk, which is the most widely used credit score in the world. These scores are available through all of the major consumer reporting agencies in Canada and the United States.
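The “characters that serve no purpose other than to deceive” a toolbar looks for can be made concrete. The following added example (not code from the paper or from any toolbar vendor) runs a few of the usual URL heuristics: a user-info part before `@` that displaces the real host, a raw IP address in place of a hostname, punycode labels that may be homographs, percent-encoding in the host part, very deep subdomain nesting, and a protected brand name appearing on a domain that is not the brand’s own. The brand and domain sets and the sample URLs are constructed; the hosting-country check in the text is omitted because it needs a geolocation database.

```python
"""Toolbar-style URL heuristics for deceptive addresses.

Added example, not from the paper.  BRANDS, LEGIT and the sample URLs are
constructed for the demonstration.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

BRANDS = {"examplebank", "examplecard"}            # constructed brand names
LEGIT = {"examplebank.test", "examplecard.test"}   # constructed legitimate domains


def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.

    No public-suffix list is used, so two-level suffixes such as co.uk are not
    handled; a real toolbar would consult the Public Suffix List here.
    """
    return ".".join(host.split(".")[-2:])


def url_warnings(url: str) -> List[str]:
    """Return the deceptive features found in url (empty list if none)."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc:
        # Everything before '@' is user-info, not the site; the real host is
        # what follows it, which is exactly what a reader is meant to miss.
        warnings.append("userinfo before host: text before '@' is not the site")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible homograph of a known name")
    if "%" in parts.netloc:
        warnings.append("percent-encoding in the host part")
    if host.count(".") >= 4:
        warnings.append("unusually deep subdomain nesting")
    for brand in sorted(BRANDS):
        if brand in host and registrable(host) not in LEGIT:
            warnings.append(f"brand '{brand}' on a domain that is not its own")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs, one clean and three deceptive.
    for sample in (
        "https://www.examplebank.test/login",
        "http://www.examplebank.test@203.0.113.45/login",
        "http://examplebank.test.secure-login.example/verify",
        "http://xn--exmplebank-9ib.test/",
    ):
        print(sample, "->", url_warnings(sample) or "no warnings")
```

None of these checks proves a URL is fraudulent; a toolbar surfaces them so that the user sees the real host, which is the piece of information the deceptive characters are designed to hide.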
**4.6 Consumer education**
- Moving on to consumer education, we suggest that internet users follow the following steps: (a) Choose safer software. (b) Avoid using peer-to-peer programs. (c) Back up their data. (d) Make good passwords. (e) Don’t share their personal information online. (f) Don’t believe everything they read. (g) Check their bank statements. (h) Install a firewall. (i) Install patches. (j) Pull the plug. (k) Turn off services they don’t need. (l) Close used accounts.
- If you have been phished, be sure to do the following: (a) Close your accounts. (b) Change your passwords. (c) Get a credit report. (d) Contact the Federal Trade Commission. (e) File a police report.
**Conclusion**
Online phishing is a persisting international evil that transcends national boundaries in a manner that renders this form of organized crime a global concern. Online phishing may take several forms including stealing credit card numbers, creating email lists, sending machines and hosting web sites. However, taking over someone’s identity is a major criminal activity and a blatant evil that should be effectively tackled on all levels. It has been seen that amongst the major reasons that facilitate online phishing are: economic, educational, and social conditions. On a different note, the globalisation of technology and the revolutionary advancement of ICTs have impacted on criminal activity, especially online phishing. Trojans, botnets, keyloggers, and templates are amongst the tools utilized by criminals to commit their crime and promote their services. By and large, it is submitted that online phishing should be subject to a global principle of public policy that aims at combating and preventing this form of organized crime through raising global awareness and increasing literacy rates, promoting economic development, improving social conditions in least developed source and transit countries, coordinating legislative efforts on national, regional and global levels, and establishing a high level global network of cooperation between national, regional, and international enforcement agencies and police forces.
Moreover, Dr. TULIANI suggests that the most obvious way to combat online phishing is to stop it arising in the first place. [115] This requires the widespread deployment of a trustworthy and foolproof PC interface, something which is beyond the current technology horizon. Finally, the adoption of SMS-based security measures must be carefully managed, particularly the procedures used for registering and maintaining records of users' mobile phone numbers. [116]
**References**
[1] The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they "fish" for users' financial information and password data. The most common ploy is to copy the Web page code from a major site, such as AOL, and use that code to set up a replica page that appears to be part of the company's site. (This is why phishing is also called brand spoofing.) A fake e-mail is sent out with a link to this page, which solicits the user's credit card data or password. When the form is submitted, it sends the data to the scammer while leaving the user on the company's site so they don't suspect a thing. Hackers have an endearing tendency to change the letter "f" to "ph," and phishing is but one example. Available at: (visited 27/07/2006).
[2] See What is phishing: A word definition from the Webopedia, available at: (visited 27/07/2006). The term "identity" is commonly used arbitrarily and imprecisely in popular media and literature, and the terms "identity theft" and "identity crime" are frequently used interchangeably. Occasional misuses are not surprising because, in the contemporary context, the traditional meanings underlying those concepts have become increasingly bound up with information and information technology (IT). The Oxford English Dictionary defines "identity" as "the set of behavioral or personal characteristics by which an individual is recognized". The traditional use of the word "identity" spoke to one's name, familial membership and occupation. The contemporary meaning of "identity" has, however, assumed a candidly IT connotation that extends traditional meanings to include such things as one's consumer and credit histories, financial accounts, and Social Security number. It is this contemporary usage of "identity" that is at issue when it comes to conceptualizing identity theft. See J. COLLINS, Preventing Identity Theft in Your Business: How to Protect Your Business, Customers and Employees (John Wiley and Sons), [2005], p. 7.
[3] According to the American Heritage Dictionary of the English Language, information is "knowledge of specific events or situations that has been gathered or received by communication, intelligence, or news".
[4] Ibid.
[5] Ibid.
[6] See R. LININGER and R. DEAN, Phishing: Cutting the Identity Theft Line (Wiley, Canada), [2005], p. 1.
[7] See New Phishing Techniques: Safe Like Money in the Bank. Available at: (visited 07/08/2006).
[8] See S. BRENNER, Cybercrime Metrics: Old Wine, New Bottles (Virginia Journal of Law and Technology), [2004], p. 6.
[9] Ibid.
[10] See M. CHAWKI and M. Abdel WAHAB, Identity Theft in Cyberspace: Issues and Solutions (Lex Electronica), [Spring 2006].
[11] Ibid.
[12] Ibid.
[13] See (visited 07/08/2006).
[14] Ibid.
[15] Ibid.
[16] See Damage caused by phishing, available at http://en.wikipedia.org/wiki/Phishing#_note-18 (visited 07/08/2006).
[17] Ibid.
[18] See M. CHAWKI and M. Abdel WAHAB, op. cit.
[19] In fact, the term cyberspace literally means "navigable space" and is derived from the Greek word kyber (to navigate). In William Gibson's 1984 novel, the original source of the term, cyberspace refers to a navigable, digital space of networked computers accessible from computer consoles, a visual, colourful, electronic, Cartesian datascape known as "The Matrix" where companies and individuals interact with, and trade in, information. Since the publication of this novel, the term cyberspace has been re-appropriated, adapted and used in a variety of ways by many different constituencies, all of which refer in some way to emerging computer-mediated communication and virtual reality technologies. Here, we refocus the definition back to that envisaged by Gibson, so that cyberspace refers to the conceptual space within ICTs, rather than the technology itself. See W. GIBSON, Neuromancer (New York, Grafton), [1984]; M. DODGE, Mapping Cyberspace (N.Y., Routledge), [2001], p. 1.
[20] See J. RUSCH, The compleat cyber-angler: A guide to phishing, Computer Fraud and Security (Jan. 2005).
[21] See Phishing Scams Reel in Your Identity. Available at: (visited 07/08/2006).
[22] Ibid.
[23] See J. RUSCH, The compleat cyber-angler: A guide to phishing, Computer Fraud and Security (Jan. 2005).
[24] Ibid.
[25] Ibid.
[26] Ibid.
[27] See J. RUSCH, The compleat cyber-angler: A guide to phishing, Computer Fraud and Security (Jan. 2005).
[28] Available at (visited 07/08/2006).
[29] See J. RUSCH, The compleat cyber-angler: A guide to phishing, Computer Fraud and Security (Jan. 2005).
[30] Ibid.
[31] Ibid.
[32] Ibid.
[33] See Spear Phishing, available at: (visited 07/08/2006).
[34] Ibid.
[35] See J. RUSCH, The compleat cyber-angler: A guide to phishing, Computer Fraud and Security (Jan. 2005).
[36] Ibid.
[37] See Phishing techniques, available at (visited 07/08/2006).
[38] Available at (visited 07/08/2006).
[39] Ibid.
[40] See Botnet, available at (visited 07/08/2006).
[41] Ibid.
[42] Ibid.
[43] Available at (visited 07/08/2006).
[44] Ibid.
[45] Available at (visited 07/08/2006).
[46] See M. CHAWKI and M. Abdel WAHAB, op. cit., p. 26.
[47] Ibid.
[48] Ibid.
[49] Ibid.
[50] Ibid.
[51] See Special Report on Phishing. Available at: (visited 07/08/2006).
[52] Available at (visited 07/08/2006).
[53] Ibid.
[54] Available at (visited 07/08/2006).
[55] Ibid.
[56] See (visited 07/08/2006).
[57] Ibid.
[58] Ibid.
[59] Ibid.
[60] Available at: (visited 07/08/2006).
[61] Available at: (visited 07/08/2006).
[62] Available at: (visited 07/08/2006).
[63] Available at: (visited 07/08/2006).
[64] Available at: (visited 07/08/2006).
[65] Available at (visited 07/08/2006).
[66] Ibid.
[67] Directive on Data Retention (2005/0182/COD); V. SQUARCIALUPI, Lutte de l'Europe contre la Criminalité Economique et le Crime Organisé Transnational, Progrès ou Recul ? (Council of Europe), [6 April 2001].
[68] Directive 2002/58/EC of the European Parliament and of the Council, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
[69] Article 1.1.
[70] Article 1.2.
[71] Article 1.2.
[72] Ibid.
[73] Article 6.
[74] See N. FERGUSON, Practical Cryptography (N.Y., John Wiley), [2003], p. 8.
[75] Article 15.
[76] See ALDESCO, The Demise of Anonymity: A Constitutional Challenge to the Convention on Cybercrime, available at (visited 05/08/2006).
[77] Ibid. See also S. HOPKINS, Cybercrime Convention: A Positive Beginning to a Long Road Ahead (Journal of High Technology Law), [2004], p. 105.
[78] See Convention on Cybercrime, available at (visited 05/08/2006).
[79] See status as of 10/08/2006. Available at: (visited 07/08/2006).
[80] See generally M. GODWIN, International Treaty on Cybercrime Poses Burden on High-Tech Companies, IP Worldwide [Apr. 4, 2001], at (explaining that this treaty would permit extradition of computer users in other countries); see also S. BRENNER, Cybercrime Metrics: Old Wine, New Bottles (Virginia Journal of Law and Technology), [2004].
[81] Council of Europe, Convention on Cybercrime, European Treaty Series (ETS) No. 185, at: (visited 07/08/2006).
[82] Cybercrime Convention, arts. 2-6.
[83] Cybercrime Convention, arts. 7-8.
[84] Ibid., art. 9.
[85] Ibid., art. 10.
[86] Ibid., art. 22.
[87] Ibid., art. 35.
[88] Ibid., art. 2.
[89] See Explanatory Report.
[90] Ibid.
[91] See Phishing, available at (visited 07/08/2006).
[92] Ibid.
[93] Ibid.
[94] For more information, see Voice over IP at the following website: (visited 07/08/2006).
[95] See Explanatory Report, op. cit.
[96] Cybercrime Convention, art. 19.
[97] Ibid.
[98] See M. WU, Fighting Phishing at the User Interface (Thesis), available at: (visited 06/08/2006).
[99] Ibid.
[100] Ibid.
[101] Ibid.
[102] See Honeypot, available at: (visited 07/08/2006).
[103] Ibid.
[104] Ibid.
[105] Ibid.
[106] Ibid.
[107] Available at (visited 07/08/2006).
[108] See (visited 07/08/2006).
[109] Ibid.
[110] See (visited 07/08/2006).
[111] Ibid.
[112] Ibid.
[113] Available at (visited 07/08/2006).
[114] Ibid.
[115] See J. TULIANI, The Future of Phishing (Computer Fraud and Security), [2004], p. 11.
[116] Ibid.