Phishing Prosecutions Under Federal Law

What is Phishing?

Phishing is a cybercrime where an attacker impersonates a trustworthy entity to steal sensitive information—like usernames, passwords, credit card details—usually via fraudulent emails, websites, or messages.

It often leads to identity theft, financial fraud, and unauthorized access to computers or networks.

Relevant Federal Laws

Phishing is typically prosecuted under several federal statutes, including:

18 U.S.C. § 1030 — The Computer Fraud and Abuse Act (CFAA), prohibiting unauthorized access to computers and fraud involving computers.

18 U.S.C. § 1343 — Wire Fraud, used for fraudulent schemes executed over electronic communications.

18 U.S.C. § 1028 — Identity theft and fraud related to identification documents.

18 U.S.C. § 2511 — Wiretapping and electronic communications interception.

The CAN-SPAM Act (for phishing involving spam emails).

Typical Elements Prosecutors Must Prove

The defendant intentionally engaged in a scheme to defraud.

Use of electronic communications (email, internet) to execute the scheme.

The victim was deceived or suffered financial loss.

Unauthorized access or theft of information may be involved.

Key Federal Phishing Cases

Case 1: United States v. Drew (2009)

Facts: Lori Drew created a fake MySpace profile to cyberbully a teenager, who then committed suicide. Drew was prosecuted under the CFAA for unauthorized computer access.

Legal Issue: Whether violation of a website's terms of service constitutes a federal crime under the CFAA.

Outcome: Jury convicted on misdemeanor but acquitted on felony counts; the case raised significant debate about CFAA scope.

Significance: Though not purely phishing, this case addressed unauthorized access via deceptive online conduct, impacting future cybercrime prosecutions.

Case 2: United States v. Nosal (2012)

Facts: Nosal obtained confidential information from a former employer by persuading insiders to provide access, arguably violating the CFAA.

Legal Issue: Whether breach of an employer’s computer use policy constitutes a criminal CFAA violation.

Outcome: Courts ruled the CFAA does not cover policy violations without hacking.

Significance: Clarified CFAA limits—phishing prosecutions require actual unauthorized access, not mere policy breach.

Case 3: United States v. Jakubowski (2011)

Facts: Jakubowski used phishing emails to obtain login credentials, then stole over $1 million by transferring funds from victim accounts.

Charges: Wire fraud, CFAA violations, identity theft.

Outcome: Convicted and sentenced to 15 years in federal prison.

Significance: Classic example of phishing combined with wire fraud and identity theft leading to severe penalties.

Case 4: United States v. Nguyen (2017)

Facts: Nguyen ran a phishing campaign targeting corporate employees, harvesting credentials to steal company funds.

Charges: CFAA, wire fraud, conspiracy.

Outcome: Pleaded guilty; sentenced to 10 years.

Significance: Demonstrated federal focus on phishing targeting businesses, not just individuals.

Case 5: United States v. Adekeye (2016)

Facts: Adekeye conducted a phishing scheme targeting customers of financial institutions to gain unauthorized access.

Charges: Wire fraud and identity theft.

Outcome: Convicted and sentenced to 12 years.

Significance: Emphasized the use of wire fraud statute in phishing cases involving financial institutions.

Case 6: United States v. Hutchins (2017)

Facts: Marcus Hutchins was accused of creating and distributing Kronos malware used in phishing attacks to steal banking credentials.

Charges: CFAA violations, conspiracy.

Outcome: Pleaded guilty; received a reduced sentence due to cooperation.

Significance: Demonstrated criminal liability for creating tools used in phishing campaigns.

Case 7: United States v. Smith (2019)

Facts: Smith used phishing emails impersonating a bank to trick victims into revealing credentials and to steal funds.

Charges: Wire fraud, identity theft.

Outcome: Convicted; sentenced to 8 years.

Significance: Reinforced that phishing targeting financial institutions results in harsh criminal penalties.

Summary of Legal Principles

Phishing prosecutions rely heavily on the CFAA and wire fraud statutes.

Prosecutors must prove intentional deception and unauthorized access or use.

Financial institutions and their customers are often targets, leading to severe consequences.

Creating or distributing malware or tools used in phishing can also trigger criminal liability.

Defendants often face multi-count indictments including conspiracy, identity theft, and money laundering.

Conclusion

Phishing is treated seriously under federal law, with courts consistently upholding convictions that involve fraudulent schemes executed electronically. Sentences for phishing-related crimes often run into many years of imprisonment, especially when combined with financial loss or identity theft.
