Is email phishing illegal in the United States, and if so, under what federal laws or statutes is it prosecuted? Furthermore, are there varying levels of penalties depending on the severity of the phishing attempt (e.g., simple information gathering vs. attempts to steal substantial funds)? Finally, do state laws also play a role in prosecuting phishing crimes, and if so, how might they differ from federal laws in terms of scope or penalties?
Answer
Yes, email phishing is illegal in the United States under several federal laws. These laws aim to combat fraud, identity theft, and computer crimes. Here’s a breakdown of the relevant legislation:
1. Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030):
- The CFAA prohibits unauthorized access to protected computers. Phishing often involves tricking individuals into providing their login credentials, thereby enabling unauthorized access.
- Specifically, the CFAA can be violated through phishing if the phisher uses the obtained credentials to:
  - Obtain information from a protected computer without authorization.
  - Cause damage to a protected computer.
  - Obtain anything of value from a protected computer, such as money, data, or services.
- Penalties for violating the CFAA can include fines and imprisonment, with the severity depending on the nature of the offense, the value of the information obtained, and any resulting damage.
2. Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028):
- This law makes it a federal crime to knowingly transfer, possess, or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law or that constitutes a felony under any applicable state or local law.
- Phishing schemes frequently aim to steal personal information, such as Social Security numbers, bank account details, and credit card numbers. Using this information for fraudulent purposes, such as opening new accounts or making unauthorized purchases, directly violates this Act.
- Penalties can include substantial fines and imprisonment for up to 15 years.
3. CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) (15 U.S.C. § 7701 et seq.):
- While not directly targeting phishing, the CAN-SPAM Act sets rules for commercial email. It requires senders to:
  - Avoid deceptive subject lines and header information.
  - Provide a clear and conspicuous opt-out mechanism.
  - Include a valid physical postal address.
  - Clearly identify the message as an advertisement.
- Although CAN-SPAM primarily addresses unsolicited commercial email, phishing emails often violate its provisions by using deceptive subject lines or falsifying sender information to trick recipients, so the deceptive practices used in phishing also fall under its purview.
- Violations can result in penalties of up to $50,120 per email.
4. Wire Fraud (18 U.S.C. § 1343):
- This statute prohibits using wire communications (including email) to execute a scheme to defraud someone of money or property.
- Phishing emails often involve misrepresentations intended to trick victims into providing money, financial information, or other valuable assets. If email is used as part of such a scheme, it can constitute wire fraud.
- Penalties can include fines and imprisonment for up to 20 years.
5. FTC Act (Federal Trade Commission Act) (15 U.S.C. § 45):
- Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in commerce. The FTC can take action against individuals and companies engaging in phishing schemes because these schemes typically involve deceptive practices designed to trick consumers.
- The FTC can seek injunctions to stop the illegal activity and can also seek monetary penalties.
State Laws:
In addition to federal laws, many states have their own laws addressing identity theft, computer crimes, and fraud. These state laws can provide additional avenues for prosecuting phishing schemes.
Enforcement:
Several federal agencies are involved in investigating and prosecuting phishing crimes, including:
- Federal Bureau of Investigation (FBI)
- Federal Trade Commission (FTC)
- United States Secret Service
- Department of Justice (DOJ)
International Aspects:
Phishing often involves perpetrators located outside the United States. In such cases, U.S. law enforcement agencies may work with international partners to investigate and prosecute these crimes.
In summary, email phishing is illegal in the United States and is subject to prosecution under a variety of federal and state laws. The specific laws that apply in a given case will depend on the nature of the phishing scheme, the information obtained, and any resulting harm.