"Phishers" Settle Federal Trade Commission Charges

Operators who used deceptive spam and copycat Web sites to con consumers into turning over confidential financial information have agreed to settle Federal Trade Commission charges that their scam violated federal laws. The two settlements announced today will bar the defendants from sending spam, bar them from making false claims to obtain consumers’ financial information, bar them from misrepresenting themselves to consumers, and bar them from using, selling, or sharing any of the sensitive consumer information collected. Based on financial records provided by the defendants, the FTC agreed to consider the $125,000 judgments in each case satisfied. If the court finds that the financial documents were falsified, however, the defendants will pay $125,000 in consumer redress. One of the defendants also faces 46 months in prison on criminal charges filed by the Justice Department.

The scam, called “phishing,” worked like this: Posing as America Online, the con artists sent consumers e-mail messages claiming that there had been a problem with the billing of their AOL accounts. The e-mail warned consumers that if they did not update their billing information, they risked losing their accounts. The messages directed consumers to click on a hyperlink in the body of the e-mail to connect to the “AOL Billing Center.” When consumers clicked on the link they landed on a site that contained AOL’s logo, AOL’s type style, AOL’s colors, and links to real AOL Web pages. It appeared to be AOL’s Billing Center. But it was not. The defendants had hijacked AOL’s identity and used it to steal consumers’ identities. The defendants ran a similar scam using the hijacked identity of PayPal.

The FTC charged the defendants with violating the FTC, which bars unfair and deceptive practices, and the Gramm Leach Bliley Act, which bars using false or fictitious statements to obtain consumers’ financial information.

The settlements bar the defendants from sending spam for life. They bar the defendants from:

• Misrepresenting their affiliation with a consumer’s ISP or online payment service provider;
• Misrepresenting that consumers’ information needs to be updated;
• Using false “from” or “subject” lines; and
• Registering Web pages that misrepresent the host or sponsor of the page.

The settlements bar the defendants from making false, fictitious, or fraudulent statements to obtain financial information from consumers. They bar the defendants from using or sharing the sensitive information collected from consumers and require that all such information be turned over to the FTC. Financial judgments were stayed based on financial disclosure documents provided by the defendants showing they currently are unable to pay consumer redress. Should the court find that the financial disclosure documents were falsified, the defendants will be required to give up $125,000 in ill-gotten gains. The settlements contain standard record keeping provisions to allow the FTC to monitor compliance with the orders.

The defendant named in one of the complaints is Zachary Keith Hill. The Hill case was filed in December 2003, in the U.S. District Court for the Southern District of Texas. The other case, filed in May 2004, charged an unnamed minor in U. S. District Court for the Eastern District of New York.

These cases were brought with the invaluable assistance of the Department of Justice Criminal Division’s Computer Crimes and Intellectual Property Section, Federal Bureau of Investigation’s Washington Field Office, and United States Attorney for the Eastern District of Virginia’s Computer Hacking and Intellectual Property Squad.

The Commission vote to accept the settlements was 5-0.

A newly revised FTC Consumer Alert, “How Not to Get Hooked by a ‘Phishing’ Scam” warns consumers who receive e-mail that claims an account will be shut down unless they reconfirm their billing information not to reply or click on the link in the e-mail. Consumers should contact the company that supposedly sent the message directly. More tips to avoid phishing scams can be found at http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm.

Consumers who believe they have been scammed by a phishing e-mail can file a complaint at http://www.ftc.gov, and then visit the FTC's Identity Theft Web site at www.consumer.gov/idtheft to learn how to minimize their risk of damage from ID theft. Consumers can also visit www.ftc.gov/spam to learn other ways to avoid e-mail scams and deal with deceptive spam.

NOTE: Stipulated final judgments and orders are for settlement purposes only and do not constitute

an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.

Copies of the complaints and stipulated final judgments and orders are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(FTC File No.X04 0021)