Charlotte Walker-Osborn, senior associate solicitor, Eversheds LLP examines what the law can do to combat phishing.

Phishing (also known as carding, brand spoofing or identity theft) is a method used by fraudsters to seek to elicit security details with a view to gaining unauthorised access to personal and financial information. The perpetrators ("phishers") use various ploys to attempt to trick the unwary into giving out personal details.

Typically, a phishing scam involves the phisher sending spam emails from an apparently legitimate source, such as a reputable bank. The emails will instruct recipients to visit a website to update or verify their details. However, the website is bogus and any security or account details disclosed are then collected by the phisher and used to gain access to the victim's bank account.

Phishing has been a big problem for organisations and individuals since at least the mid-1990s and is an increasingly widespread form of identity theft. Media reports of cases of online identity theft and phishing scams are increasingly common. According to a recent report by the Financial Services Authority, instances of phishing have risen by 8000 per cent in the UK in the past few years.

Other sources report that phishing attacks targeting banks and their customers increased dramatically in the first half of 2006 compared to the previous year, with a sharp increase in the number of phishing websites from March to April 2007.

A KPMG report reveals that in the first half of 2007 fraud cost the UK government and businesses £594m, nearly three times the amount recorded over the previous six months. The government suffered the greatest loss with the next biggest targets being investors and financial institutions.

Although the figures fluctuate from time to time, the overall trend is that phishing scams are likely to continue to increase in number as more people have internet and email access, use online banking and make purchases online, thereby becoming potential victims for fraudsters.

Other communications technologies like internet telephony and text messaging offer further opportunities for phishers. Law enforcement agencies have enjoyed some successes though, a recent example being the arrest of members of a 26-strong phishing gang in Italy in August.

The law in the UK is gradually adapting to address phishing and other forms of cyber-crime. Forthcoming amendments to the Computer Misuse Act 1990 (in the Police and Justice Act 2006) aim to bring it up to date with developments in computer crime and to increase penalties for breach (up to 10 years imprisonment).

Meanwhile, the Fraud Act 2006 resolves uncertainty over whether statutory offences under earlier anti-fraud law applied to activities like phishing and introduces new offences to better equip police and prosecutors to deal with the challenge of combating fraud in the 21st century.

It addresses phishing by establishing the offence of making a false representation (including via email or the internet) with a view to making a gain for oneself or another, or to causing loss to another or exposing another to a risk of loss.

The Fraud Act also addresses other aspects of cyber-crime, for example by introducing an offence of possessing software or data for use in fraud and of creating software knowing that it is designed or adapted for use in connection with fraud. Offences under these Acts are punishable by fines and/or imprisonment of up to 10 years.

Despite new legislation in the UK, a question remains as to international deterrents since phishing attacks can take place on a global scale without regard to jurisdictional boundaries.

The obstacles include differing laws and standards of evidence to prosecute offenders, and the need for mutual cooperation to take effective cross-jurisdictional action. We are seeing international cooperation happen more and more - recently the US and the UK cooperated to extradite a UK national to the US to face a trial related to hacking offences.

Organisations need to take steps to protect themselves against liability under regulatory requirements in the event that they or their customers are victims of phishing. For instance, the Data Protection Act 1998 requires organisations to take steps to safeguard individuals' personal information including an obligation to have in place appropriate technical and organisational measures to protect personal information from unauthorised use.

Compliance with this requirement might include, for example, procedures to proactively inform customers of when to be suspicious of communications purporting to come from the organisation and to promptly warn them once a phishing scam is detected.

Organisations should also have in place appropriate policies and staff training and should try to ensure that their technology provides sufficient security for the type of information it uses. In addition, organisations can try to reduce the risk contractually; for example by obliging technology suppliers to ensure IT systems meet the organisation’s security needs.

Often contracts with customers can also set out the levels of security that the organisation will provide and, as far as legally possible, disclaim liability for a security breach causing loss beyond those levels (more difficult in consumer situations).

It is important that organisations address these issues to protect themselves and their customers against phishing and other cyber-crime. As a basic rule, organisations should ensure that they can prove that they have done all they reasonably can to guard against cyber-crime, even if they have been unsuccessful in a specific instance.

For example, it is far more difficult for the Information Commissioner, when dealing with breaches of data protection law, to deal harshly with an organisation which has, practically speaking, made every effort to keep information secure.

© Copyright 2007 Eversheds
Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.