Spammer Posed as AOL and Paypal to Con Consumers Into Providing Credit Card Numbers
In a joint law enforcement initiative, the Federal Trade Commission and the Department of Justice have brought two separate actions to shut down a spam operation that hijacked logos from AOL and Paypal to con hundreds of consumers into providing credit card and bank account numbers. At the request of the FTC, a U.S. District Court ordered the defendant to halt his identity theft scam, known as “phishing.” The Justice Department obtained a criminal conviction and the defendant is awaiting sentencing.
The scam worked like this: Consumers received e-mail that appeared to come from America Online or Paypal. The “from” line identified the sender as “billing center,” or “account department” and the subject line carried warnings such as “AOL Billing Error Please Read Enclosed Email,” and “Please Update Account Information Urgent!” The text of the message contained a warning that if the consumers did not respond to the e-mail, their account would be cancelled. Some of the spam said, “. . . we have to ask all our members for updated/correct billing information. Please be advised that this is mandatory. If we do not get your updated billing information, your account will be revoked and put under review and may be cancelled.” A hyperlink in the e-mail took consumers to what appeared to be the AOL Billing Center, with AOL’s logo and live links to real AOL Web pages. But the copy-cat Web page belonged to the defendant. The defendant asked consumers to provide information such as their names and mothers’ maiden names, billing addresses, Social Security numbers, dates of birth, bank account numbers, and bank routing numbers. The defendant also asked consumers to provide their AOL screen names and passwords.
The FTC alleges that the defendant used the information that consumers submitted to establish new credit card accounts and to make unauthorized changes – such as changing the address – on existing credit accounts. According to the FTC, he placed orders and made purchases using the unwitting consumers’ credit information.
The Paypal scheme worked in a similar way, with the defendant using the Paypal passwords that consumers provided to access consumers’ Paypal accounts and to purchase goods or services on their accounts.
The FTC charged that the acts and practices were deceptive and unfair, in violation of the FTC Act. In addition, the FTC alleged that the defendant’s practices violated provisions of the Gramm-Leach-Bliley Act designed to protect the privacy of consumers’ sensitive financial information.
Defendant Zachary Keith Hill of Houston, Texas was named in the FTC complaint and the DOJ criminal information filed in United States District Court for the Eastern District of Virginia, Alexandria Division.
“As the Hill case demonstrates, the government can make a difference when agencies work together to crack down on Internet identity theft scams,” said Assistant Attorney General Christopher A. Wray of the Criminal Division of the U.S. Department of Justice. “The Department of Justice remains committed to working closely with the FTC to shut down these phishing operations and protect Internet users from thieves who seek to steal their valuable identity and financial information.”
“This investigation demonstrates the importance of interagency cooperation in clamping down on cyberscammers,” said Howard Beales, Director of the FTC Bureau of Consumer Protection. “The DOJ and FTC contributed complementary skills and enforcement tools to catch up with this phishing scam, shut it down, and send a clear message that electronic identity theft won’t be tolerated.”
These cases were brought with the invaluable assistance of the Federal Bureau of Investigation’s Washington Field Office, and the United States Attorney for the Eastern District of Virginia’s Computer Hacking and Intellectual Property Squad.
The FTC has established a special Criminal Liaison Unit to expand criminal prosecution of consumer fraud. The Criminal Liaison Unit identifies enforcement agencies that may bring specific types of consumer fraud cases, educates criminal law enforcers in areas of FTC expertise, and coordinates training with criminal authorities to help the FTC prepare cases for referral and parallel prosecutions. Since 1996, dozens of FTC civil cases have resulted in concurrent or subsequent criminal prosecutions. The Criminal Liaison Unit will build on these existing FTC efforts to ensure appropriate criminal prosecution of consumer fraud.
An FTC Consumer Alert, “How Not to Get Hooked by a ‘Phishing’ Scam” warns consumers who receive e-mail that claims an account will be shut down unless they reconfirm their billing information not to reply or click on the link in the e-mail. Consumers should contact the company that supposedly sent the message using a telephone number or Web site address they know to be genuine. More tips to avoid phishing scams can be found at http://www.ftc.gov/opa/2003/07/phishing.htm.
The Department of Justice has issued a special report on phishing that can be found at
Copies of the legal documents are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 032 3102)
FTC Office of Public Affairs
DOJ Office of Public Affairs