The crime of phishing occurs when a person sends an e-mail, text message, or other communication to someone else in an attempt to convince the recipient to reveal sensitive personal information. Phishing scams attempt to conceal the fraudulent nature of the message by portraying it as some sort of official communication. For example, someone engaging in a phishing scam might send out a mass e-mail that looks as if it originated from a well-known company, such as eBay or Bank of America, or from a government agency, such as the Federal Trade Commission.
Phishing messages ask the recipient to send sensitive information, such as the person's name, date of birth, Social Security number, account passwords, personal identification numbers, and anything else a criminal can use to commit identity theft. The end goal of these phishing scams is to acquire information the criminal can use to open fraudulent accounts in the victim's name, or otherwise fraudulently access or use the victim's identity for financial gain.
Phishing is really just one type of a broader category of crime known as identity theft. Identity theft covers any instance where someone attempts to use someone else's personal information in a fraudulent or illegal manner, though phishing scams are very common.
Phishing occurs when someone intentionally tries to obtain sensitive information by using fraudulent or misleading communications. If, for example, you send someone an e-mail message and that person responds with a message that includes personal information, this doesn't mean you have committed phishing. To be found guilty of this crime you must intentionally solicit the sensitive information by portraying yourself to be someone you are not, with the intention to defraud the message's recipient.
For example, if you run a small business and send an e-mail to a customer asking for his or her credit card number, this is not phishing. However, if you pretend to be a representative of a bank or a government agency and you are not, that is phishing.
Phishing laws also apply to websites that are set up to acquire sensitive information. For example, an email might direct people to visit a website that asks them to enter their names, social security numbers, and bank account numbers. These websites are designed to look like legitimate websites, such as those owned by a bank or company. Anyone creating or operating a site is also guilty of phishing.
Like other forms of identity theft, phishing does not rely upon a successful attempt. In other words, you can be convicted of phishing if you send out an e-mail simply in an attempt to persuade others to provide you with the desired information. The person who receives the message does not have to respond to you, and even if a response is sent, you do not have to use the sensitive information to be convicted of phishing.
While all states have laws that prohibit fraudulently acquiring someone else's personal information, not all states have laws that specifically address phishing. According to the National Conference of State Legislatures, a minority of states currently have specific phishing laws. However, even in those states that do not have specific phishing laws, other criminal laws can apply to phishing activity (computer crimes, identity theft), meaning the activity is a crime in every state. States without these laws may also adapt phishing laws as the crime becomes more common.
While phishing is covered under various state laws, there is no single federal statute that directly criminalizes this type of activity. However, there are broader federal criminal laws that do apply to phishing and other identity theft crimes. For example, because phishing involves solicitations that are usually sent over the Internet, the federal law against wire fraud is often used to punish phishing crime on a federal level.
The penalty for a phishing crime depends greatly on the nature of the circumstances surrounding the case. State laws differ significantly, and while most laws that specifically target phishing categorize the crime as a felony, some of these crimes might be punished as a misdemeanor or felony in other states. Misdemeanors are considered less serious than felonies, though a conviction for either brings the possibility of significant criminal penalties.
If you are charged with, or suspected of, a phishing crime, you should consult with an experienced criminal defense attorney near you. Local attorneys will know what laws apply in your case and can advise you what to do based on their experience with the local criminal justice system.