Abu Bakar Munir
Professor, Faculty of Law, University of Malaya
Kuala Lumpur, Malaysia
Phishing and identity theft are emerging as one of the crimes of the 21st century. Phishing is one of the fastest growing forms of Internet fraud. According to the U.S Federal Bureau of Investigation, phishing has become the hottest, and most troubling, new scam on the Internet. Credible estimates of the direct financial losses due to phishing alone exceed a billion dollars per year.1 Indirect losses are much higher, including customer service expenses, account replacement costs, and higher expenses due to decreased use of online services in the face of widespread fear about the security of online financial transactions.2 According to the Anti-Phishing Working Group (APWG), in January 2007 alone, it received 29,930 unique phishing reports, the highest recorded number. There were 27,221 phishing websites, and 135 brands were hijacked, in that month.3 In the U.S, it was estimated that between May 2004 and May 2005, 1.2 million Internet users were victims of phishing, with losses totalling approximately USD 929 million. Meanwhile, in the U.K, losses from phishing almost doubled to 23.2 million pounds in 2005, from 12.2 million pounds in 2004.4 It is a multimillion pound problem. The BBC News on 13 December 2006 reported that the UK has seen an 8,000 percent increase in fake internet banking scams in the past two years.5
Banks and financial institutions, around the world, are the prime target. They have been and they will be.6 The list of phishing attacks in 2003 and 2004 reads like a “Who’s Who,” including the Bank of America, Bank One, Citizens Bank, U.S Bank, Sun Trust, MBNA, Wells Fargo, and Visa, to name a few.7 Phishing attacks have become a sobering reminder of the vulnerability of Internet banking. Trust in online payment systems and the ability of financial institutions to mitigate fraud are diminished by successful attacks. The magnitude of the problem prompted the Australian Prudential Regulation Authority (APRA) to issue advice entitled “Emerging Threats to Internet Banking” on 26 August 2004.8 As Avivah Litan, Vice President and Research Director of Gartner Inc., puts it, “The whole promise of e-commerce - lower costs, increased revenue and quicker launches of marketing campaigns - all goes out the window if consumers cannot trust email communications.”9
3 See the Anti-Phishing Working Group, “August Phishing Trends Report”, available at http://www.antiphishing.org/reports/apwg_report_january_2007.pdf
4 According to the U.K Home Office Identity Fraud Steering Committee, a collaboration between the U.K financial bodies, government and the police to combat the threat of identity theft, the latest estimate is that identity fraud costs the U.K economy 1.7 billion pounds. Available at http://www.identitytheft.org.uk/
5 BBC News, “Online Banking Fraud ‘up 8,000%’”, available at http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/I/hi/uk_politics/61775…
6 The 2006 Global Security Survey by Deloitte finds that the threat that respondents most anticipated over the coming years was phishing and pharming. The APWG in its January 2007 report states that financial services continue to be the most targeted sector at 88.9 percent of attacks in the month of January, supra n. 3.
7 See Frederick W. Stakelbeck Jr, “Phishing: A Growing Threat to Financial Institutions and E-Commerce”, at p. 2.
8 Australian Prudential Regulation Authority, Emerging Threats to Internet Banking, 26 August 2004.
9 Alice Dragoon, “Fighting Phish, Fakes, and Frauds,” CIO, September 22, 2004