New laws yet to slow down ‘phishing’


Staff Writer

It’s been six months since Gov. Schwarzenegger signed the state’s anti-phishing law, but it doesn’t seem to be working.

Oliver Friedrichs, director of emerging technologies for Symantec Security Response, reports he currently tracks 7.9 million phishing emails a day, an increase of 39 percent from 2005. Symantec Security is a unit of Symantec Corp. (SYMC), seller of the popular Norton security software.

Phishing is a form of fictitious solicitation, typically in e-mail, with the intent of getting people to divulge sensitive information, commonly personal and financial. Most phishing e-mails are made to look like they come from an official institution, directing users to a Web site that is designed to steal user names and passwords. The term phishing was coined by crackers, people who engage in illegal system or software cracking, referring to fishing for information.

The Anti-Phishing Act allows victims to sue for the amount of damages incurred or $500,000, whichever is greater. The problem, according to Craig Cardon, a partner specializing in intellectual property and advertising with the law firm Sheppard, Mullin, Richter & Hampton LLP in San Francisco, is that phishers operate too far underground.

“It’s rare that you’ll find the person who sent you the phishing e-mail or they won’t have the money to pay damages and if they do, they’re set up offshore,” he said. “The anti-phishing law is really symbolic.”

“It’s outright theft,” Friedrichs agrees. “When you compare it to spam, spam is trying to entice you to buy a legitimate service. Phishing would be more like breaking into your house and actually stealing jewelry as opposed to knocking on your door and trying to sell you something.”

Most phishing attempts come from Asia and Eastern Europe, which makes them that much harder to prosecute. Experts worry that phishers are constantly one step ahead of the security industry. At the RSA Conference 2006, Microsoft Corp. (MSFT) Chairman Bill Gates addressed this cat-and-mouse chase: “For every improvement we make, they look for our vulnerabilities,” he said.

The two most commonly phished sites are PayPal and its parent, eBay Inc. (EBAY), the online auction house. Amanda Pires, a PayPal representative, said it’s due to the high volume of customers with financial information on their accounts.

“We have a dedicated team that focuses on this problem,” she said. “Often if the fake Web site is in the U.S., we can get it pulled down in two hours.”

Phishers, whoever they are, are culturally keen people. Experts warn of IRS scams now that taxes have been filed, and Hiep Dang, director of threat research and engineering with Aluria Software, recently discovered a scam involving the popular social Web site, MySpace.

“It sends users to a fake MySpace account and they take their password, hoping that most people use the same username and password for other accounts and try them to get information about banking, credit cards, etc.,” Dang explained.

Users are advised to create different usernames for different accounts and to change passwords frequently. Remembering so much information may be arduous, but regaining your financial identity after falling victim to these scams is more arduous still.

Henry Isaacs, an agent with Geek Squad, a computer support company, had a customer in Pacific Heights who had a keystroke-logging system unknowingly installed onto her computer. The system recorded all of her keystrokes and sent them to phishers, who were able to ascertain her username and password to an ING Direct bank account.

“She called ING and someone had closed her accounts,” Isaacs said. “She had almost $2 million in investments in there but luckily ING holds payments for a week or two and they stopped the check.”

Isaacs said users should never follow a link from an e-mail and pretty much never expect to receive an e-mail asking for information from any credible institution.

Just as with online pornography, there are organizations such as the Anti-Phishing Working Group that work to prevent, find and prosecute phishing. One popular technique is creating a “honeypot.”

“A honeypot is when you set up a site that you hope phishers come to and you collect information about who they are to shut them down,” explained Marc Barach with Ingenio, San Francisco, which links Internet customers with businesses via telephone. “Some people also call that a sting.”

ndelconte@examiner.com
