 |
Email this Document! |
Jonathan Rusch Special Counsel for Fraud Prevention Fraud Section of the Criminal DivisionBy all accounts, the United States leads the world in using the Internet for commerce and communication, and in spending on electronic commerce. There are growing indications that along with the expansion of legitimate Internet use, the United States is experiencing a rising tide of fraud that exploits the Internet.
The Internet Fraud Complaint Center (IFCC) -- a joint project of the FBI and the National White Collar Crime Center -- reported that in its first six months of operation, May-November 2000, it had recorded more than 37.5 million hits on its Website and had received more than 20,000 complaints from the public. Of those complaints 5,273 were Internet fraud-related complaints that it referred to law enforcement for possible investigation. See Internet Fraud Complaint Center, Six Month Trends Report: May -November 3 (2000) available at http://www.ifccfbi.gov/strategy/6monthreport.pdf.
Moreover, more than 90 percent of all complainants whose complaints were referred for possible investigation, and more than 90 percent of all alleged perpetrators named in complaints referred for possible investigation, were located in the United States. It should be noted that because the IFCC has been in operation for less than a year, these statistics may be affected by several variables (e.g., the extent of public recognition of Internet fraud as a crime, the manner in which the public is being solicited to file complaints, and the extent to which the public identifies IFCC as an appropriate contact for complaints) and may not be fully representative of the number and frequency of various types of Internet fraud. More recently, the 2001 Computer Crime and Security Survey, a joint project of the Computer Security Institute and the FBI, reported that in 2000, financial fraud was the second-leading category of financial losses due to computer use -- second only to theft of proprietary information -- and accounted for nearly $93 million in losses. See Press Release, Computer Security Institute, Financial Losses Due to Internet Intrusions, Trade Secret Theft, and Other Cyber Crimes Soar (May 12, 2001) available at http://www.gocsi.com. prelea _000321.htm.
Other countries are also seeing a substantial increase in various categories of Internet fraud. In December 2000, the International Chamber of Commerce's Commercial Crime Services (CCS) Division reported that Internet fraud in 2000 was "rising dramatically," accounting for more than two-thirds (2,776) of the 4,139 cases that its business partners referred -- more than twice as many as in 1999. See Press Release, International Chamber of Commerce, Dramatic Rise in Web-Based Fraud Reported (Dec. 2000) available at http://www.iccwbo.org/home/news_archives/2000/due_dilegence_for_web.asp.
In a February 2001 report, the European Commission (EC) stated that credit card fraud in the European Union had risen by 50 percent in 2000 to $553 million in illegal transactions, and that the increase was greatest for "card-not-present" transactions (i.e., mail-order, telephone, and Internet sales), especially on the Internet.
These substantial worldwide increases may be attributable to significant increases in worldwide Internet access. Between March and October 2000, Internet access in European Union households grew 55 percent (from 18 to 28 percent of all households), according to EC data released March 13, 2001. The EC also noted that Europe now has about as many Internet users as the United States.
The emerging data suggests that the problem of Internet fraud is becoming uniquely global in scope and impact, as criminals can plan and execute fraudulent schemes from anywhere in the world and victims may be located anywhere in the world. It is noteworthy that in the IFCC's first six months of operation last year, it received complaints from persons in 106 different countries.
Fraud Involving Online Auctions
Data from the IFCC, the Federal Trade Commission, and Internet Fraud Watch (a project of the non-profit National Consumers League) show that fraud involving the use of online auctions is by far the most frequently reported type of Internet fraud. The IFCC, for example, reports that more than 64 percent of all referred complaints involved online auctions.
Online auction fraud typically involves several recurring approaches. The most common approach appears to be the offering of some valuable item, such as computers, high-priced watches, or collectible items, through a known online auction site. The individuals who are informed that they are successful bidders send their money to the seller, but never receive the promised merchandise. In a variation of this approach, the criminals send counterfeit merchandise in place of the promised merchandise. A third approach involves the criminal contacting losing bidders in a particular online auction, informing them that additional units of the item on which they bid have become available, and taking the bidders' money without delivering the items.
Two additional aspects that are unique to online auctions are "shill bidding" and "shill feedback." "Shills" are bidders who have no genuine interest in the merchandise on which they are bidding, but have been hired to place bids in order to create an appearance of interest and prompt genuine bidders to bid higher than they might have otherwise. In online auctions, criminals can take advantage of multiple e-mail addresses and false identities to place shill bids.
Consumers interested in a particular auction sometimes want to learn if other buyers have had favorable experiences with the purported seller in that auction. Major auction sites like eBay and Amazon.com allow legitimate customers to provide feedback on their experiences with particular sellers. Criminals, however, can also use false e-mail identities to provide "shill feedback" -- false favorable information about themselves -- to make it appear that they are satisfied customers and to give consumers a false sense of security about that auction.
In a recent prosecution, United States v. Denlinger, No. 00CR573IEG (S.D. Cal. filed Feb. 28, 2000), the defendant used online auction sites to offer Beanie Babies for sale, but failed to deliver the products after receiving the victim's money. He used various "screen names" (or aliases) in sending e-mails to prospective victims, and provided them with screen names and e-mail addresses of persons he falsely described as "references." In fact, those screen names were assigned to the defendant, so that when victims e-mailed the "references," the defendant responded with messages that gave victims false and favorable information about his own reliability and trustworthiness as a seller. The defendant also used two techniques to prevent victims from contacting him directly: he gave victims a pager number and falsely told them it was his home telephone number; and he asked them to send their payments to various commercial mail receiving agencies, which he falsely told them was his home address. His scheme defrauded more than 200 victims of nearly $50,000. (The defendant, after pleading guilty to mail and wire fraud, was sentenced to twelve months imprisonment and $46,701 in restitution.)
Fraud Involving Online Retail Sales
One category of fraud that overlaps with auction fraud is fraud in online retail sales of goods and services. The IFCC reports that so-called "nondeliverable" merchandise accounts for 22 percent of all referred complaints. One approach to retail fraud has involved placing banner advertisements on an auction site that offers the same types of goods being auctioned. Prospective buyers who click on the banner advertisement are taken to a different Website that is not part of the auction site, and that offers none of the protections that leading auction Websites have adopted for their members. Another approach involves using unsolicited commercial e-mail ("spam") to lure prospective victims to a Website which purports to sell items of the same type that are available through well-known online auction sites.
In retail sales of services, some criminals have taken advantage of the complexities of the Internet's operations to compel or mislead consumers into visiting their Websites. In United States v. Kashpureff, 98CR0218 (E.D.N.Y. filed March 19, 1998), the defendant operated a Website, AlterNIC, that competed with the InterNIC Website for domain name registration. He wrote and placed software on that Internet that caused persons who wanted to visit the InterNIC Website to be involuntarily redirected to his Website. Ultimately, he pleaded guilty to a violation of the computer fraud statute, 18 U.S.C. § 1030.
In United States v. Lee, No. 99-00560 SOM (D. Haw. filed Dec. 9, 1999), the defendant knew that the Hawaii Marathon Association operated a Website with the Uniform Resource Locator (URL) "www.hawaiimarathon.org" to provide information about the Marathon and enable runners to register online. Although he had no affiliation with the real Hawaii Marathon, he copied the authorized Marathon Website, and created his own Website with the confusingly similar name, "www.hawaiimarathon.com." Runners who came to his Website thinking that it was the real Hawaii Marathon site were charged a $165 registration fee -- $100 more than the real site charged for entry. The defendant also operated another Website where he sold Viagra over the Internet without a prescription. (The defendant later pleaded guilty to wire fraud and unlawful sale of Viagra, and in February 2001 was given a split sentence of ten months imprisonment.)
Investment Fraud
Another major category of online fraud is investment fraud. The Securities and Exchange Commission (SEC) has reported that it receives between 200 and 300 online complaints each day about possible securities fraud online. While the major types of online securities fraud generally parallel traditional securities fraud schemes, market manipulation schemes are a frequent focus of enforcement actions.
"Pump-and-Dump." The most widely publicized form of online market manipulation is the so-called "pump and dump" scheme. In a "pump and dump," criminals identify one or more companies whose stock is thinly traded or not traded at all, then adopt various means to persuade individual online investors to buy that company's stock. These means can include posting favorable, but false and misleading, representations on financial message boards or Websites, and making undisclosed payments to people who are ostensibly independent but who will recommend that stock. Once the price has increased sufficiently, the participants in the scheme -- who may be company insiders, outsiders, or both, sell their stock, and the stock price eventually declines sharply, leaving uninformed investors with substantial financial losses. While an outsider who merely expresses his opinions about the worth or likely increase or decrease of a particular stock may not be committing criminal fraud, outsiders or insiders whose conduct extends beyond mere advocacy to manipulation of markets for their personal profit by giving the public false and misleading information may violate securities fraud statutes and other criminal statutes.
In one pump-and-dump case, United States v. Aziz-Golshani, No. 00-007-GAF (C.D. Cal. filed Jan. 4, 2000), two defendants manipulated the stock of a bankrupt company, NEI Webworld, Inc. They posted messages on several financial message boards, falsely stating that NEI was going to be taken over by a California company, and, with the help of a third individual, bought 130,000 shares of NEI before their manipulations resulted in a dramatic price increase. In an attempt to conceal their identities, the two defendants and their confederates used computers at the UCLA Biomedical Library to post the false reports. An SEC amended complaint charged that the defendants and another individual had also engaged in similar manipulative conduct concerning the securities of eleven other issuers in 1999. (In January, 2001, both defendants were sentenced to fifteen months and ten months imprisonment, respectively).
"Cybersmear." The converse of the "pump and dump" is the "cybersmear." A "cybersmear" scheme is organized in the same basic manner as a "pump-and- dump," with one important difference: the object is to induce a decline in the stock's price, to permit the criminals to realize profits by short-selling. To accomplish a sufficiently rapid decline in the stock's price, the criminal must resort to blatant lies and misrepresentations likely to trigger a substantial sell off by other investors.
In United States v. Moldofsky, No. S100CR388 (RPP) (S.D.N.Y. convicted March 8, 2001), the defendant, a day trader, on the evening of March 22, 2000, and the morning of the next day, posted a message nearly twenty times what was designed to look like a Lucent press release announcing that Lucent would not meet its quarterly earnings projections. For most of those postings, he used an alias designed to resemble a screen name used by a frequent commentator on the Lucent message board who had historically expressed positive views of Lucent stock. He also posted additional messages, using other screen names that commented on the release or on the message poster's conduct. On March 23, Lucent's stock price dropped more than 3.7 percent before Lucent issued a statement disavowing the false press release, but rose by 8 percent within ten minutes of Lucent's disavowal.
In United States v. Jakob, No. CR-00-1002-DT (C.D. Cal. indictment filed Sept. 28, 2000; pleaded guilty Dec. 29, 2000), the defendant engaged in even more elaborate fraudulent conduct to effect a "cybersmear." After he tried to short-sell stock in Emulex, but found that the market was bidding up the price, he wrote a press release falsely reporting that Emulex was under investigation by the SEC, that Emulex's Chief Executive Officer was resigning, and that Emulex was reporting a loss in its latest earnings report. He then caused his former employer, a company that distributed online press releases, to send it to major news organizations, which reported the false statements as fact. When Emulex stock rapidly declined, the defendant covered his short-sale position by buying Emulex stock and realizing nearly $55,000 in profits. He also bought more Emulex stock at lower prices, and sold when the stock had recovered most of its value.
One notable feature of online market manipulation schemes is the speed with which the scheme's participants can induce dramatic, though short-term, fluctuations in stock prices, and can realize substantial profits by correctly timing their purchases and sales. In Aziz-Golshani, during the week of November 9, 1999, the defendants bought their NEI stock at prices ranging from 9 cents to 13 cents per share. On November 15, 1999, NEI stock opened at 9:00 a.m. Eastern time at $8 per share, and within 45 minutes had risen to $15 5/16 per share. Less than a half-hour later, NEI stock had dropped to approximately 25 cents per share. By selling when the stock price was still high, the defendants realized profits of more than $360,000. In Jakob, once the false press release was distributed, Emulex's stock price dropped in less than one hour from more than $110 per share to approximately $43 per share, and the trading volume of Emulex stock increased significantly as individual traders sold off the stock at notably lower prices. The defendant realized nearly $55,000 in profits from his short sale, and additional profits of nearly $187,000 as the stock price rebounded.
Payment Card Fraud
One of the fastest-growing categories of Internet fraud is payment card (i.e., credit card and debit card) fraud. One Internet research firm, Meridien Research, predicted in January 2001 that online payment-card fraud worldwide will increase from $1.6 billion in 2000 to $15.5 billion by 2005.
Online credit card fraud causes substantial problems for online merchants. Initially, many online merchants were defrauded when people, using others' credit card numbers, ordered merchandise and had it shipped to foreign locations that were clearly different from the addresses of the true credit card holders. Under the policies that major credit card issuers established, merchants must bear the losses for online purchases, which qualify as "card- not-present" transactions. As a number of merchants took defensive measures, such as installing software designed to flag possibly fraudulent online transactions, some criminals changed their methods to request shipment of the goods they ordered with others' credit card numbers to United States addresses. Confederates then sell or ship those goods to another location.
To commit online payment-card fraud, criminals need access to valid payment-card numbers. One means of acquiring them is the unlawful accessing of e-commerce Websites. Within the past year, several computer intrusions that made possible the downloading of tens of thousands, if not millions, of credit card numbers -- such as the exposure of more than 3 million credit cards at Egghead.com -- have received worldwide attention in the media.
A number of Internet credit card schemes involve computer hacking as the means of accessing the numbers. For example, in United States v. Bosanac, No. 99CR3387IEG (S.D. Cal. filed Dec. 7, 1999), the defendant was involved in a computer hacking scheme that used home computers for electronic access to several of the largest United States telephone systems and for downloading thousands of calling card numbers (access codes). The defendant, who pleaded guilty to possession of unauthorized access devices and computer fraud, used his personal computer to access a telephone system computer and to download and transfer thousands of access codes relating to company calling card numbers. In taking these codes, the defendant used a computer program he had created to automate the downloading, and instructed his coconspirators on how to use the program. The defendant admitted that the loss suffered by the company as a result of his criminal conduct was $955,965. He was sentenced to eighteen months' imprisonment and $10,000 in restitution.
Computer intrusions, however, are by no means the only way for criminals to obtain payment-card numbers for online fraud. In addition to traditional methods such as "dumpster diving" (i.e., sorting through trash to find credit card bills or receipts), they can go to Websites where others have posted credit card numbers, and even use credit card generator programs such as Credit Master, Credit Wizard, and Credit Probe. These programs can generate batches of potentially valid credit card numbers based on the algorithm that credit card issuers use to validate their account numbers. In some instances, criminals have engaged in identity theft by using publicly available identifying data of others to obtain credit card numbers in the victims' names (see below).
Identity Theft and Fraud
Online payment-card fraud is closely related to the problem of identity theft and fraud. The Federal Trade Commission (FTC) reports that its Consumer Sentinel Website, which provides law enforcement with access to more than 300,000 complaints about all types of consumer fraud, has received more complaints about identity theft and fraud than any other category of consumer fraud. (See www.consumer.gov/sentinel/trends.htm.) While identity theft can be committed in furtherance of many types of crime, a number of recent federal prosecutions have combined identity theft and Internet fraud.
In United States v. Christian, No. 00-03-SLR (D. Del. filed Aug. 3, 2000), two defendants obtained the names and Social Security numbers of 325 high-ranking United States military officers from a public Website, then used those names and identities to apply for instant credit at a leading computer company and to obtain credit cards through two banks. They fenced the items they bought under the victims' names, and accepted orders from others for additional merchandise. The two defendants, after pleading guilty to conspiracy to commit bank fraud were sentenced to thirty-three and forty-one months imprisonment and restitution of more than $100,000 each.
Similarly, in United States v. Wahl, No. CR00-285P (W.D. Wash. sentenced Oct. 16, 2000), the defendant obtained the date of birth and Social Security number of the victim (who shared the defendant's first and last name and middle initial). He then used the victim's identifying information to apply online for credit cards with three companies and to apply online for a $15,000 automobile loan. He actually used the proceeds of the automobile loan to invest in his own business. (The defendant, after pleading guilty to identity theft, was sentenced to seven months' imprisonment and nearly $27,000 in restitution).
Business Opportunity Fraud
Business opportunity or "work-at-home" schemes are also making their way onto the Internet. In United States v. Shklowskiy (C.D. Cal. sentenced June 9, 2000), the defendants used the Internet to harvest e-mail addresses and send more than 50 million unsolicited e-mails ("spam") to offer people a "work-at-home" opportunity that promised tremendous returns in exchange for a $35 "processing fee." Approximately 12,405 individual victims sent money to what they thought were various businesses, but in fact, were postal mailboxes. As part of the scheme, the defendants forged the e-mail headers in their "spam" to make it appear that the e-mails were coming from an Internet service provider, BigBear.Net. As a result of the header forgery, when approximately 100,000 recipients of the spam responded with complaints by e-mail, the unexpected large volume of e-mails caused BigBear.Net's computer file servers to crash or cause disruptions in their service to customers. BigBear.Net had to hire three temporary workers for nearly six months to respond to the large numbers of complaints. (Ultimately, two defendants, after pleading guilty to conspiracy to commit mail and wire fraud, were sentenced to twenty seven months' imprisonment and restitution of $104,000 to fraud victims, including BigBear.Net).
The Response to Internet Fraud
As the case examples above indicate, more and more United States Attorneys' Offices are pursuing significant cases of Internet fraud. The cases being prosecuted tend to show that the criminal statutes that apply to other types of white collar crime -- conspiracy, mail and wire fraud, credit card fraud, securities fraud, money laundering, and identity theft -- are equally applicable to various forms of Internet fraud. In addition, a variety of existing sentencing guidelines enable federal prosecutors to seek higher sentences in appropriate cases of Internet fraud. These include enhancements for mass-marketing (USSG § 2F1.1(b)(3)), identity theft (USSG § 2F1.1(b)(5)(C)), conducting a substantial part of a scheme from outside the United States (USSG § 2F1.1(b)(6)(B)), large numbers of vulnerable victims (USSG § 3A1.1(b)(2)(B)), and use of a special skill (USSG 3B1.3; compare United States v. Petersen, 98 F.3d 502, 506-08 (9th Cir. 1996), with United States v. Godman, 223 F.3d 320, 322 (6th Cir. 2000)).
Nonetheless, the Department has a strong interest in continuing to enhance its capabilities to combat Internet fraud. To that end, in February 1999, the Department established an Internet Fraud Initiative. This Initiative, which the Fraud Section of the Criminal Division oversees, has provided a vehicle for improving coordination and cooperation on Internet fraud enforcement at all levels of law enforcement, through such means as:
* Training. Since 1999, the National Advocacy Center (NAC) has conducted specialized seminars on Internet fraud for more than 180 federal, state, and local prosecutors (including Assistant United States Attorneys (AUSAs from fifty three districts), FBI agents, local police, and even foreign prosecutors from five foreign countries. In addition, the NAC has revised its basic Cybercrimes Seminar to include a specific track on Internet fraud, and the National Cybercrimes Training Partnership has included an Internet fraud training module in its cybercrimes training program.
* Advice and Litigation. The Fraud Section of the Department's Criminal Division, which oversees the Initiative, provides regular points of contact for federal prosecutors needing advice or information on Internet fraud cases, as well as a brief bank of relevant pleadings and materials. The Fraud Section also provides first-chair and second-chair prosecutors in particular Internet fraud cases.
* Analysis and Referrals. The IFCC now provides federal prosecutors with a national resource from which they can receive referrals of possible Internet fraud cases, or to which they can submit requests for queries and other assistance in identifying possible Internet fraud schemes. The IFCC's Website is located at www.ifccfbi.gov. In addition, as a result of continuing cooperation between the Department and the FTC, the FTC has substantially improved its Consumer Sentinel database, which contains more than 300,000 consumer complaints about Internet fraud and other consumer frauds that prosecutors can search for leads and witness information.
* Outreach and Prevention. The Department has posted a set of Webpages on Internet fraud, www.internetfraud.usdoj.gov, that contains information on the nature and types of fraud schemes, what the public should do to deal with Internet fraud, and how to report possible Internet fraud. In addition, as part of its response to identity theft the Department also has posted a set of informative Webpages on identity theft and fraud, www.usdoj.gov/criminal/fraud/idtheft.html. The Department also coordinates with other agencies to develop and support public education efforts directed at consumer protection matters relating to Internet fraud, such as identity theft.
* International Coordination. Through the work of the G-8's Senior Experts Group on Transnational Organized Crime (the "Lyon Group"), the G-8 Ministers of Justice issued a communique in October,1999, in which they declared their commitment to a comprehensive effort against Internet fraud that includes investigation, prosecution, and prevention. The Department continues to use the Lyon Group process to expand on existing investigative, prosecutive, and prevention efforts.
As the Internet continues to grow and adapt to changing circumstances, Internet fraud will also tend to grow and adapt, as criminals try to circumvent new fraud prevention measures and law enforcement capabilities for combating the problem. Law enforcement, at all levels of government, will need to continue devising and applying methods to investigate and prosecute Internet fraud criminals faster than criminals can adapt to those methods.þ
ABOUT THE AUTHOR
Jonathan Rusch is Special Counsel for Fraud Prevention in the Fraud Section of the Criminal Division. His responsibilities include coordination of the Internet Fraud Initiative, a Department-wide initiative established in 1999 to improve the Department's abilities to combat all forms of Internet fraud. He also serves as Chair of the interagency Telemarketing and Internet Fraud Working Group. Mr. Rusch is an Adjunct Professor of Law at Georgetown University Law Center, where he teaches courses on Global Cybercrime Law and International and Comparative Law of Cyberspace, and has written several law review articles on various aspects of cyberspace law. He received the Attorney General's Award for Distinguished Service in 1995.
Go to . . . CCIPS home page || Justice Department home page