Jeffrey Brett Goodin has been sent a strong message by a California jury: phishing does not pay. Goodin has the dubious distinction of being the first person convicted under 2003’s CAN-SPAM Act for operating a sophisticated "phishing" scheme designed to mislead Internet users into turning over personal details and account information.
Goodin, age 45, was arrested last year for preying on AOL users. His scheme involved sending AOL customers fraudulent email messages claiming to be from AOL’s billing department. Users were urged to "update" their account and billing information—including their credit card details—or risk losing service. The messages directed victims to enter their personal information and account details on Web pages Goodin controlled; Goodin and others later used the account details to make unauthorized charges on AOL user’s accounts. Goodin sent his phishing messages via compromised Earthlink accounts.
Goodin was also convicted on ten other counts, including abetting the unauthorized use of an access device (a credit card), wire fraud, possession of more than 15 unauthorized access devices, attempted to harass a witness, failure to appear in court, and—this one has got to sting—misuse of the AOL trademark.
The result? Goodin now faces up to 101 years in federal prison. He’s scheduled to be sentenced on June 11.
The CAN-SPAM act has been widely criticized as an ineffective mechanism for combatting spam and other online criminal activity—after all, the volume of spam and phishing schemes on the Internet has increased radically since the statute was passed in 2003. Goodin’s conviction—and the sheer magnitude of the sentence he may receive—could give the law some more teeth in the United States.
