The U.S. Federal Trade Commission (FTC) has settled a civil action against a 17-year-old California boy who was allegedly tricking Internet users into giving him their credit card numbers and other personal information on a bogus Web site meant to look like America Online Inc.'s billing center.
The settlement, announced Monday, will bar the defendant from sending spam and force him to give up about US$3,500 in profits from his venture, which ran from July to December 2002, before the U.S. Federal Bureau of Investigation (FBI) confiscated his computer. A federal court in central California has to approve the settlement.
The case has also been forwarded to the Los Angeles District Attorney's Office for possible criminal charges, said Eric Wenger, an attorney with the FTC's Bureau of Consumer Protection.
The boy's scam allegedly worked like this: Posing as AOL, he sent customers e-mail saying there had been a problem with the billing of their AOL account. The e-mail warned AOL customers that if they did not update their billing information, they risked losing their AOL accounts, and it directed customers to click on a hyperlink to connect to the AOL Billing Center.
When customers clicked on the link, they ended up at the defendant's site, which included AOL's logo, type style, and links to real AOL Web pages. The defendant's AOL look-alike page directed consumers to enter the numbers from the credit card they had used to charge their AOL account, then asked consumers to enter numbers from a new card to correct the problem. The defendant's page also asked for consumers' names, mothers' maiden names, billing addresses, social security numbers, bank routing numbers, credit limits, personal identification numbers, and AOL screen names and passwords.
The defendant used the information to charge online purchases and open accounts with PayPal, and he used consumers' names and passwords to log on to AOL in their names and send more spam. He also recruited others to participate in the scheme by convincing them to receive fraudulently obtained merchandise he had ordered for himself.
Known as "phishing," the fake Web site scam victimized both AOL and its customers, noted Timothy J. Muris, chairman of the FTC, in a statement. The case represents the FTC's first law enforcement action targeting phishing, but it won't be the last, Muris promised.
"We're trying to draw attention to it, so customers recognize this type of scheme," Wenger added.
Although AOL was the target Internet service provider in this case, the scheme can be run on just about any Internet service provider or e-commerce provider, Wenger noted. AOL spokesman Nicholas Graham said such scams are agnostic to the type of connection Internet users have or the brand of Internet service provider they use.
"Scams are like the flus of the Internet -- anybody can and will catch them," Graham said.
AOL has been telling customers for years that they shouldn't trust e-mails that ask for personal information such as passwords or credit card numbers, he said. "We applaud the FTC for highlighting an issue that AOL has concentrated on for some time," Graham added.
Graham recommended that customers who recognize such schemes tell their Internet providers so the scam artists can be stopped before someone becomes a victim. "Before you hit the delete button, do a community good deed and always report scams," he said.
The FTC has also published a consumer alert, "How Not to Get Hooked by a 'Phishing' Scam," which warns consumers not to reply to, or click on the link in, any e-mail claiming that an account will be shut down unless they reconfirm their billing information. Instead, consumers should contact the company that supposedly sent the message using a telephone number or Web site address they know to be genuine. More tips to avoid phishing scams can be found at http://www.ftc.gov/opa/2003/07/phishing.htm.