For Release: July
Thief Goes “Phishing” for
Consumers’ Credit Information
An identity thief who allegedly used hijacked
corporate logos and deceptive spam to con consumers out of credit
card numbers and other financial data has agreed to settle Federal
Trade Commission charges that his scam violated federal laws.
If approved by the court, the defendant, a minor, will be barred
for life from sending spam and will give up his ill-gotten gains.
FTC alleged that the scam, called “phishing,” worked
like this: posing as America Online, the con artist sent consumers
e-mail messages claiming that there had been a problem with the
billing of their AOL account. The e-mail warned consumers that
if they didn’t update their billing information, they risked
losing their AOL accounts and Internet access. The message directed
consumers to click on a hyperlink in the body of the e-mail to
connect to the “AOL Billing Center.” When consumers
clicked on the link they landed on a site that contained AOL’s
logo, AOL’s type style, AOL’s colors, and links to
real AOL Web pages. It appeared to be AOL’s Billing Center.
But it wasn’t. The defendant had hijacked AOL’s identity
and was going to use it to steal consumers’ identities,
as well, the FTC alleged.
defendant’s AOL look-alike Web page
directed consumers to enter the numbers from the credit card they
had used to charge their AOL account. It then asked consumers to
enter numbers from a new card to correct the problem. It also asked
for consumers’ names, mothers’ maiden names, billing
addresses, social security numbers, bank routing numbers, credit
limits, personal identification numbers, and AOL screen names and
passwords - the kind of data that would help the defendant plunder
consumers’ credit and debit card accounts and assume their
to the FTC, the defendant used the information to charge online
purchases and open accounts with PayPal.
In addition, he used consumers’ names and passwords to log
on to AOL in their names and send more spam. Finally, he recruited
others to participate in the scheme by convincing them to receive
fraudulently obtained merchandise he had ordered for himself.
agency charged the defendant’s practices
were deceptive and unfair, in violation of the FTC Act. In addition,
the FTC alleged that the defendant’s practices violated provisions
of the Gramm-Leach-Bliley Act designed to protect the privacy of
consumers’ sensitive financial information.
“Phishing is a two time scam,” said
Timothy J. Muris, Chairman of the FTC. “Phishers first
steal a company’s identity and then use it to victimize
consumers by stealing their credit identities. This is the FTC’s
first law enforcement action targeting phishing. It won’t
be the last.”
The settlement would bar the defendant from
future violations of the FTC Act and the Gramm-Leach- Bliley Act.
It also would bar the defendant from sending spam in the future.
In addition, the order would require the defendant to give up $3,500
in ill-gotten gains.
FTC Consumer Alert, “How
Not to Get Hooked by a ‘Phishing’ Scam” warns
consumers who receive e-mail that claims an account will be shut
down unless they reconfirm their billing information not to reply
or click on the link in the e-mail. Consumers should contact
the company that supposedly sent the message using a telephone
number or Web site address they know to be genuine. More tips
to avoid phishing scams can be found at http://www.ftc.gov/bcp/conline/edcams/spam/coninfo.htm
The Commission vote to authorize staff to file
the complaint and stipulated final judgment and order was 5-0.
It will be filed in the U.S. District Court for the Central District
of California in Los Angeles and is subject to court approval.
case was brought with the invaluable assistance of the Department
of Justice Criminal Division’s Computer
Crimes and Intellectual Property Section, Federal Bureau of Investigation’s
Washington Field Office, and United States Attorney for the Eastern
District of Virginia’s Computer Hacking and Intellectual
Property Squad, the United States Postal Inspectors and the Los
Angeles District Attorney’s High Technology Crimes Unit.
NOTE: Stipulated final judgments
and orders are for settlement purposes only and do not constitute
an admission by the defendant of a law violation. Consent judgments
have the force of law when signed by the judge.
the complaint and stipulated final judgment and order for permanent
injunction are available from the FTC’s Web site at http://www.ftc.gov and
also from the FTC’s Consumer Response Center, Room 130, 600
Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works
for the consumer to prevent fraudulent, deceptive, and unfair business
practices in the marketplace and to provide information to help
consumers spot, stop, and avoid them. To file a complaint, or to
get free information on any of 150 consumer topics, call toll-free,
1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov.
The FTC enters Internet, telemarketing, identity theft, and other
fraud-related complaints into Consumer Sentinel, a secure, online
database available to hundreds of civil and criminal law enforcement
agencies in the U.S. and abroad.
Claudia Bourne Farrell,
Office of Public Affairs
Eric Wenger or James Kohm,
Bureau of Consumer Protection
202-326-2310 or 202-326-2640
(FTC File Nos. 032-3101 and 022-3209)
Commission, Plaintiff, v. __________________, a minor, also
known as _______________, by his parent ____________, Defendant
(Central District of California).
Not to Get Hooked by a ‘Phishing’ Scam