New laws yet to slow down ‘phishing’


Staff Writer

It’s been six months since Gov. Schwarzenegger signed the state’s anti-phishing law, but it doesn’t seem to be working.

Oliver Friedrichs, director of emerging technologies for Symantec Security Response, reports he currently tracks 7.9 million phishing emails a day, an increase of 39 percent from 2005. Symantec Security is a unit of Symantec Corp. (SYMC), seller of the popular Norton security software.

Phishing is a form of fictitious solicitation, typically in e-mail, with the intent of getting people to divulge sensitive information, commonly personal and financial. Most phishing e-mails are made to look like they come from an official institution, directing users to a Web site that is designed to steal user names and passwords. The term phishing was coined by crackers, people who engage in illegal system or software cracking, referring to fishing for information.

The Anti-Phishing Act allows victims to sue for the amount of damages incurred or $500,000, whichever is greater. The problem, according to Craig Cardon, a partner specializing in intellectual property and advertising with the law firm Sheppard, Mullin, Richter & Hampton LLP in San Francisco, is that phishers operate too far underground.

“It’s rare that you’ll find the person who sent you the phishing e-mail or they won’t have the money to pay damages and if they do, they’re set up offshore,” he said. “The anti-phishing law is really symbolic.”

“It’s outright theft,” Friedrichs agrees. “When you compare it to spam, spam is trying to entice you to buy a legitimate service. Phishing would be more like breaking into your house and actually stealing jewelry as opposed to knocking on your door and trying to sell you something.”

Most phishing attempts come from Asia and Eastern Europe, which makes them that much harder to prosecute. Experts worry that phishers are constantly one step ahead of the security industry. At the RSA Conference 2006, Microsoft Corp. (MSFT) Chairman Bill Gates addressed this cat-and-mouse chase: “For every improvement we make, they look for our vulnerabilities,” he said.

The two most commonly phished sites are PayPal and its parent, eBay Inc. (EBAY), the online auction house. Amanda Pires, a PayPal representative, said it’s due to the high volume of customers with financial information on their accounts.

“We have a dedicated team that focuses on this problem,” she said. “Often if the fake Web site is in the U.S., we can get it pulled down in two hours.”

Phishers, whoever they are, are culturally keen people. Experts warn of IRS scams now that taxes have been filed, and Hiep Dang, director of threat research and engineering with Aluria Software, recently discovered a scam involving the popular social Web site, MySpace.

“It sends users to a fake MySpace account and they take their password, hoping that most people use the same username and password for other accounts and try them to get information about banking, credit cards, etc.,” Dang explained.

It is suggested users create various usernames for various accounts and change passwords frequently. It may be arduous to remember so much information but it is more arduous to regain your financial identity if you fall victim to these scams.

Henry Isaacs, an agent with Geek Squad, a computer support company, had a customer in Pacific Heights who had a keystroke-logging system unknowingly installed onto her computer. The system recorded all of her keystrokes and sent them to phishers, who were able to ascertain her username and password to an ING Direct bank account.

“She called ING and someone had closed her accounts,” Isaacs said. “She had almost $2 million in investments in there but luckily ING holds payments for a week or two and they stopped the check.”

Isaacs said users should never follow a link from an e-mail and pretty much never expect to receive an e-mail asking for information from any credible institution.

Just as with online pornography, there are organizations such asthe Anti Phishing Working Group that work to prevent, find and prosecute phishing. One popular technique is creating a “honeypot.”

“A honeypot is when you set up a site that you hope phishers come to and you collect information about who they are to shut them down,” explained Marc Barach with Ingenio, San Francisco, which links Internet customers with businesses via telephone. “Some people also call that a sting.”

ndelconte@examiner.combusinessBusiness & Real Estate

If you find our journalism valuable and relevant, please consider joining our Examiner membership program.
Find out more at

Just Posted

Giants second baseman Donovan Solano scores on a double in the seventh inning against the Dodgers at Oracle Park on July 29. (Chris Victorio/Special to The Examiner)
Will the Giants make the playoffs? Kris Bryant may be the answer

By Chris Haft Special to The Examiner You’d be hard-pressed to find… Continue reading

Tiffany Carter, owner of Boug Cali West Coast Creole Shack in San Francisco’s La Cocina Marketplace, was dismayed by gentrification she found when she returned to her hometown to start a business. (Kevin N. Hume/The Examiner)
SF Black Wallstreet: Helping residents build wealth, reclaim spaces they’ve had to leave

Tiffany Carter moved back to her hometown of San Francisco five years… Continue reading

A prescribed fire at Sequoia and Kings Canyon National Parks was conducted in June 2016 to reduce hazardous fuel loading, increase watershed health, and restore the natural fire cycle in the Redwood Canyon area ecosystem. (Photo courtesy Rebecca Paterson/National Park Service)
Experts, UC scientists discuss wildfires in the state’s riskiest regions

Wildfires are nothing new in California’s history, but the magnitude and frequencies… Continue reading

Fourth-grade students at Lucerne Valley Elementary School don masks and Western wear for a “Walk Through California” history day during in-person instruction. (Courtesy of Krystal Nelson)
Confusion over mask mandate for California schools sparks tension between districts and parents

By Diana Lambert EdSource Shifting rules around mask mandates at schools are… Continue reading

Steven Buss, left, and Sachin Agarwal co-founded Grow SF, which plans to produce election voter guides offering a moderate agenda. (Kevin N. Hume/The Examiner)
Grow SF: New tech group aims to promote moderate ideals to political newcomers

Sachin Agarwal has lived in San Francisco for 15 years. But the… Continue reading

Most Read