Identity Thief Goes Phishing for Consumers Credit Information

An identity thief who allegedly used hijacked corporate logos and deceptive spam to con consumers out of credit card numbers and other financial data has agreed to settle Federal Trade Commission charges that his scam violated federal laws. If approved by the court, the defendant, a minor, will be barred for life from sending spam and will give up his ill-gotten gains.

The FTC alleged that the scam, called “phishing,” worked like this: posing as America Online, the con artist sent consumers e-mail messages claiming that there had been a problem with the billing of their AOL account. The e-mail warned consumers that if they didn’t update their billing information, they risked losing their AOL accounts and Internet access. The message directed consumers to click on a hyperlink in the body of the e-mail to connect to the “AOL Billing Center.”

When consumers clicked on the link they landed on a site that contained AOL’s logo, AOL’s type style, AOL’s colors, and links to real AOL Web pages. It appeared to be AOL’s Billing Center. But it wasn’t. The defendant had hijacked AOL’s identity and was going to use it to steal consumers’ identities, as well, the FTC alleged.

The defendant’s AOL look-alike Web page directed consumers to enter the numbers from the credit card they had used to charge their AOL account. It then asked consumers to enter numbers from a new card to correct the problem. It also asked for consumers’ names, mothers’ maiden names, billing addresses, social security numbers, bank routing numbers, credit limits, personal identification numbers, and AOL screen names and passwords - the kind of data that would help the defendant plunder consumers’ credit and debit card accounts and assume their identity online.

According to the FTC, the defendant used the information to charge online purchases and open accounts with PayPal. In addition, he used consumers’ names and passwords to log on to AOL in their names and send more spam. Finally, he recruited others to participate in the scheme by convincing them to receive fraudulently obtained merchandise he had ordered for himself.

The agency charged the defendant’s practices were deceptive and unfair, in violation of the FTC Act. In addition, the FTC alleged that the defendant’s practices violated provisions of the Gramm-Leach-Bliley Act designed to protect the privacy of consumers’ sensitive financial information.

“Phishing is a two time scam,” said Timothy J. Muris, Chairman of the FTC. “Phishers first steal a company’s identity and then use it to victimize consumers by stealing their credit identities. This is the FTC’s first law enforcement action targeting phishing. It won’t be the last.”

The settlement would bar the defendant from future violations of the FTC Act and the Gramm-Leach- Bliley Act. It also would bar the defendant from sending spam in the future. In addition, the order would require the defendant to give up $3,500 in ill-gotten gains.

An FTC Consumer Alert, “How Not to Get Hooked by a ‘Phishing’ Scam” warns consumers who receive e-mail that claims an account will be shut down unless they reconfirm their billing information not to reply or click on the link in the e-mail. Consumers should contact the company that supposedly sent the message using a telephone number or Web site address they know to be genuine. More tips to avoid phishing scams can be found at http://onguardonline.gov/phishing.html

The Commission vote to authorize staff to file the complaint and stipulated final judgment and order was 5-0. It will be filed in the U.S. District Court for the Central District of California in Los Angeles and is subject to court approval.

This case was brought with the invaluable assistance of the Department of Justice Criminal Division’s Computer Crimes and Intellectual Property Section, Federal Bureau of Investigation’s Washington Field Office, and United States Attorney for the Eastern District of Virginia’s Computer Hacking and Intellectual Property Squad, the United States Postal Inspectors and the Los Angeles District Attorney’s High Technology Crimes Unit.

NOTE: Stipulated final judgments and orders are for settlement purposes only and do not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.

Copies of the complaint and stipulated final judgment and order for permanent injunction are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(FTC File Nos. 032-3101 and 022-3209)