Cyberfraud includes behaviors that occur with guile and deceit. An example of this behavior is identity theft that may lead to identity fraud. Hoar (2001) argues that identity theft is a criminal activity for the new millennium. Unfortunately, the definition of identity theft varies. For instance, one definition of identity theft is “the unlawful use of another’s personal identifying information” (Bellah, 2001, p. 222). Others have defined identity theft as “involv[ing] financial or other personal information stolen with intent of establishing another person’s identity as the thief ’s own” (Identity Theft, 2004). The Federal Trade Commission (FTC, 2006) sees identity theft as “occur[ring] when someone uses your personally identifying information, like your name, social security number, or credit card number without your permission, to commit fraud or other crimes.” The present article adopts the FTC’s definition of identity theft, although some may regard this definition as identity fraud. In one sense, identity fraud involves financial or other private information stolen, or totally invented, to make purchases or gain access to financial accounts (Higgins, Hughes, Ricketts, & Fell, 2005).
The FTC’s definition clarifies some of the potential forms of personal information that may be used in identity theft. Other forms of personal information include address, date of birth, alien registration number, and government passport. While these forms of personal information and the definition of identity theft provide some context, identity theft can be summed up as constituting the unauthorized use of someone else’s personal information for criminal activity.
The crime of identity theft has received substantial coverage from a wide variety of legal mechanisms. A substantial number of federal and state statutes relate to the criminality of identity theft and those who suffer its victimization. In the federal arena, the laws relating to identity theft are convoluted. They can, however, be divided into statutes that relate to criminality and penalties, and statutes that provide consumers with information or rights. The primary criminal statute in the federal system is the Identity Theft and Assumption Deterrence Act of 1998. Specifically, 18 U.S.C. § 1028 makes it a federal crime when anyone acts as follows:
Knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.
In 2004, the Identity Theft Penalty Enhancement Act was enacted.1 This act provides for enhanced punishments for identity thieves. For example, the act requires an additional 2 years of punishment for those violators using another’s identity in the commission of a crime and 5-year sentences for the use of a false identity in the commission of a terror offense.2 Sentencing discretion is also restricted in that sentences may not run concurrently for offenses, and probation is prohibited for those convicted under the statute.
Other federal statutes provide some aid for victims of identity theft.3 The Fair Credit Reporting Act establishes procedures for persons seeking to correct mistakes on their credit record and ensures that credit histories are only provided for legitimate business needs.4 The Fair and Accurate Credit Transactions Act allows consumers to obtain free copies of their credit reports as well as restricts what information can be placed on a sales receipt. Similarly, the Fair Credit Billing Act establishes procedures for resolving billing errors on credit card accounts and establishes limits on a consumer’s liability for fraudulent credit card charges.5 Finally, the Electronic Fund Transfer Act focuses upon transactions using debit cards or electronic means to debit or credit an account and limits the liability for unauthorized electronic fund transfers.6
Since the majority of all criminal prosecutions occur in state court systems, state legal schemes are critically important. All 30 states and the District of Columbia have criminal laws relating to identity theft (FTC, 2006). Thirty-one states have created freeze laws for persons fearing identity theft. These laws generally lock access to credit reports and credit scores.7 While these laws vary greatly, there is generally no charge for the creation, temporary lifting, or complete termination of a freeze (a so-called credit thaw) for the victim of identity theft. Others wishing to limit their risks may have to pay between $5 and $20 (see http://consumersunion.org/). While these freezes will not completely shield a consumer from victimization, they will stop the creation of any new victimization where the issuer relies upon a credit report to provide credit. A few states have credit information– blocking statutes that require the credit reporting agencies to block false information from consumer victims’ credit reports within a certain time frame or upon the receipt of a police report.
California was the first state to pass a mandatory disclosure law for persons whose information has been compromised. Currently, at least 35 states have some form of breach notification statute. These laws vary greatly by state (Krebs, 2007). The threshold for notification may be mandatory upon a security breach. For example, Massachusetts recently passed a mandatory notification law similar to California’s.8 Other states have a risk-based analysis requiring notification only in cases of substantial risk of harm. These laws are based on three rationales. First, with timely notice, consumers can take preventive measures to limit or reduce the potential for identity theft. Second, reporting provides an ability to accurately measure the true number of breaches and thus aids in research on identity theft. Finally, the social and pecuniary costs associated with notification provide substantial motivation to protect consumer information (Schneier, 2006). Notification laws differ from fraud alert protections. An alert requirement forces notification if a person’s credit file receives an inquiry. A breach notification law requires that a consumer be informed that his or her information has been compromised.
Identity theft or identity fraud is responsible for a large number of issues concerning the theft of information. Identity thieves commit fraudulent acts to obtain identities of other individuals. For instance, identity thieves may hack (i.e., break into network databases) via the Internet to obtain personal information. Another form of fraudulent activity is the use of phishing. Phishing is when an identity criminal goes online and poses as a corporation (e.g., Western Union, Amazon, eBay, or PayPal) or an individual in need and requests personal information. Phishing schemes include travel scams, stock frauds, financial transfers, nondelivery of merchandise, Internet auction fraud, credit card fraud, and so forth. An emerging form of identity theft is pharming, which is when a hacker redirects an individual from a legitimate site to a fraudulent site without the user’s knowledge.
These forms of identity theft over the Internet are costly to the economy and the victim. For instance, Allison, Shuck, and Lersch (2005) argue that the U.S. economy is particularly susceptible to identity theft. In the United States, identity theft has resulted in actual losses ranging from $442 million to $745 million over a span of 3 years (U.S. General Accounting Office, 2002, cited in Allison et al., 2005). Others have estimated that identity theft costs between $53 billion and $73.8 billion per year (Weingart, 2003). While this gives some perspective, the true extent of identity theft is unknown. Identity theft can also have profound individual costs. For instance, a victim can expect to pay up to $3,000 and spend a substantial amount of time restoring his or her identity (FTC, 2006). Therefore, cyberfraud is an important criminal activity that needs further exploration.
IV. Cybercrime Communities
The Internet provides a place for cybercriminal communities to exist and flourish. The communities may be seen as subcultures. Subcultures are cohesive cultural systems that vary in form and substance from the dominant culture. To be clear, a subculture maintains its own values, beliefs, and traditions that differ from the dominant culture. Thus, the individual performs behaviors that are consistent with those of his or her subculture, but that differ from the dominant culture. Some subcultures may be based on ethnic groups, delinquent gangs, or religious sects. Subcultures may take place through the Internet or the cyber environment.
For instance, subcultures harbor some of the individuals that seek to understand computer operating systems (i.e., hackers), individuals that seek to destroy or do harm within a computer system (i.e., crackers), or individuals that seek to steal telephone services (i.e., phreakers). Other deviants or criminals may also be part of an online subculture (e.g., pedophiles, depressives, anorectics, and bulimics). Cybercrime communities function as the venue where the criminal activity is reinforced and encouraged. The cybercrime communities provide an opportunity for transmittal of knowledge that make the criminal behavior more effective and legitimate. In short, the individual participating in these deviant subcultures learns new techniques for performing his or her behavior and how to handle potential issues (e.g., dealing with outsiders, securing legal or medical services). The cybercrime communities provide a place for the sharing of knowledge to take place on a level playing field. That is, in most other communities, individuals are alienated, rebuked, or ostracized based on age, race, sex, marital status, ethnicity, or socioeconomic status. However, in cybercrime communities, all that is required is a computer and an Internet connection and the individual is able to participate. The cybercrime communities provide an opportunity for individuals to be in touch with others from different geographical locations. Thus, someone in the United States can participate in a community in Australia.