Phishing refers to an online scam that targets consumers and their personal information.
The crime of phishing occurs when a person sends an e-mail, text message, or other communication to someone else in an attempt to convince the recipient to reveal sensitive personal information.
Phishing scams attempt to conceal the fraudulent nature of the message by portraying it as some sort of official communication. For example, someone engaging in a phishing scam might send out a mass e-mail that looks as if it originated from a well-known company, such as eBay or Bank of America, or a government agency, such as the Federal Trade Commission.
Phishing messages ask the recipient to send sensitive information, such as the person's name, date of birth, Social Security number, account passwords, personal identification numbers, and anything else a criminal can use to commit identity theft. The end goal of these phishing scams is to acquire information the criminal can use to open fraudulent accounts in the victim's name, or otherwise fraudulently access or use the victim's identity for financial gain.
Phishing is one type of a broader category of crime known as identity theft. Identity theft covers any instance where someone attempts to use someone else's personal information fraudulently or illegally, though phishing scams are very common.
Phishing occurs when someone intentionally tries to obtain sensitive information by using fraudulent or misleading communications. If, for example, you send someone an e-mail message and that person responds with a message that includes personal information, this doesn't mean you have committed phishing. To be found guilty of this crime, you must intentionally solicit the sensitive information by portraying yourself to be someone you are not, with the intent to defraud the message's recipient.
For example, if you run a small business and send an e-mail to a customer asking for his or her credit card number, this is not phishing. However, if you pretend to be a representative of a bank or a government agency and you are not, that is phishing.
Phishing laws also apply to websites that are set up to acquire sensitive information. For example, an email might direct people to visit a website that asks them to enter their names, social security numbers, and bank account numbers. These websites are designed to look like legitimate websites, such as those owned by a bank or company. Anyone creating or operating a site is also guilty of phishing.
Like other forms of identity theft, phishing does not rely upon a successful attempt. In other words, you can be convicted of phishing if you send out an e-mail simply in an attempt to persuade others to provide you with the desired information. The person who receives the message does not have to respond to you, and even if a response is sent, you do not have to use the sensitive information to be convicted of phishing.
While all states have laws that prohibit fraudulently acquiring someone else's personal information, not all states have laws that specifically address phishing. However, even in those states that do not have specific phishing laws, other criminal laws can apply to phishing activity (computer crimes, identity theft), meaning the activity is a crime in every state.
State penalties for phishing and identity theft crimes vary. Some states base penalties for identity theft-type crimes on monetary loss to a victim or victims. In these states, felony penalties might not apply unless a victim loses a certain amount of money (say $1,000 or more). Other states impose felony penalties on any type of scam used to attempt to gain another's identifying information, regardless of the outcome or losses.
While phishing is covered under various state laws, there is no single federal statute that directly criminalizes this type of activity. However, there are broader federal criminal laws that do apply to phishing and other identity theft crimes. For example, because phishing involves solicitations that are usually sent over the internet, the federal law against wire fraud is often used to punish phishing crimes on a federal level.
If you are charged with, or suspected of, a phishing crime, consult an experienced criminal defense attorney near you. Local attorneys will know what laws apply in your case and can advise you on what to do based on their experience with the local criminal justice system.