Gone phishing

Thousands of Britons are being tricked into revealing private data over the net in a scam known as 'phishing'. What's being done about it? Mark Beaumont reports
The Independent Online

Two years ago, Justin Clements discovered that his employer's computers were being used for a scam. He tried to nip it in the bud, cutting off access to the fraudster, or fraudsters, and he reported it to the police. But that would prove to be the tip of the iceberg. Over the next couple of years he fought a prolonged battle to keep the scam off his machines - and watched helplessly as dozens of people fell for it online. Clements works for Portland Communications, a Surrey-based internet service provider (ISP). The fraudsters were using Portland's free web-hosting service to display a web page that looked very like a page from PayPal, the internet payment company. The page requested payment; there were spaces to type in your name and credit card details, and a "submit" button to send the information.

Somewhere else, an e-mail server was sending thousands of authentic-looking PayPal e-mails advising people that they needed to use the fake page and "re-supply" their credit card details or their PayPal account would be terminated. Of course, any details entered never went to PayPal. Instead they were stored in a file, for the hackers to pick up at leisure. It was a classic "phishing" scam.

"PayPal contacted us and told us that someone had posted a fake PayPal web page on our servers and they asked us to take it down, which we did immediately," says Clements. He informed Surrey police of the scam. They investigated, but nothing came of it. Clements would have been happy to forget about it, except that the scammers came back. "They would disappear for a couple of months but then return and run several scams within a few days," says Clements. "We would be alerted by whichever company was being spoofed and usually managed to take a site down within four to six hours of it being created. But in that time the sites would have started collecting numbers. The scammers must have been sending out e-mails within an hour of setting up the site."

The scams became so frequent that in July Clements and his team monitored one to see how successful the scam really was. "Every 30 seconds a credit card number arrived," says Clements. "And every two minutes a credit card number would arrive accompanied by an ATM [cash machine] PIN."

The scam, therefore, was successful, ubiquitous and reported to police. So what were they doing about it? Not much, it seems. DC Tony Noble of Surrey police says: "One problem was that we didn't have any victims."

The laws surrounding phishing scams are untested. For the police to have a good chance of a successful prosecution, they want to identify someone who has lost money because of a particular scam. That is not easy, but they have now done it. During the spate of phishing scams on banks in October, Barclays identified "fewer than 10" customers who lost money. Their names were passed on to the National Hi-Tech Crime Unit, where officers say that an international investigation involving the US, Canada, Australia and Hong Kong is now under way at "a much higher" priority.

Why can't the police act on phishing scams before someone becomes a victim? Barry Gardiner, the MP for Brent North, recently asked in the House of Commons for clarification of the laws surrounding phishing. Caroline Flint MP, the parliamentary undersecretary for reducing organised and international crime, replied that phishing scams were an offence in the UK under the Theft Acts 1968 and 1978 or under the common law of "conspiracy to defraud".

So if it was illegal, why weren't the police acting? Charlotte Walker-Osborn, a lawyer at Eversheds and an adviser to the British Computer Society, says that it is not quite as cut and dried as this answer implied. "The Theft Act covers fraud," she says. "But it talks about obtaining a 'monetary advantage' by deception. So it's probably the most applicable law in this case but you could rely on it only when the criminals make money from their scam."

But that is no help to the police in preventing the fraud in the first place. What about the common law "conspiracy to defraud"? In theory, this law could be applied. But because it talks only about "conspiracy", there is a problem. "The difficulty with this legal action," continues Walker-Osborn, "is that more than one person will have had to be involved."

And so, assuming the perpetrator(s) are in the UK, which is unlikely in itself, for the police to have a chance of a successful prosecution they need either a victim, or to prove that several phishers are acting in cahoots. With so many provisos, it is easy to see why the police, who are judged by successful prosecutions, might feel this one is not worth chasing. The Parliamentary Industry Group, Eurim, has been looking at the laws concerning identity theft. Its director, Philip Virgo, says: "We flagged this as a potential problem some years ago. Now it's a real problem. But it's one thing identifying the problem; what do you do about it?"

One solution may be to look at the American model. In 1998 the US introduced an Act that specifically outlawed trafficking in credit card details "with an intent to defraud". It does not matter whether the fraud occurs or not. But there is no industry-led push for similar legislation in the UK.

Back at Portland, Clements has given up waiting for anything official to happen. The free CGI services that the phishers were using to store card numbers have been turned off and the phishers have gone for good. Unfortunately, several thousand legitimate users have also lost the service. It is merely a technical fix for a wider problem and it will be months, or even years, before any amendments are made to our laws. But with 70,000 Britons suffering identity theft each year, anything is worth a try.

For information on e-mail scams, including phishing, go to www.ftc.gov/spam; for advice from UK banks, see www.apacs.org.uk/about_apacs/htm_files/newsroom.htm