The US state of California has passed the country's first anti-phishing law, making this form of identity theft punishable by thousands of dollars in fines.

The Anti-Phishing Act of 2005 - proposed by state Senator Kevin Murray and signed into law on Friday - is the first such anti-phishing legislation to be introduced in the US.

"It's something that adds another tool in the quiver for consumers and businesses to reduce this kind of really bad behaviour," said Michael Wendy, spokesman for the Computing Technology Industry Association.

Phishing victims are typically sent fraudulent emails designed to trick them into revealing personal information such as bank account numbers, user names and passwords.

Under the Act, these victims may seek to recover either the cost of the damages they have suffered or $500,000 (about £285,000), whichever is greater; government prosecutors can also seek penalties of up to $2,500 (about £1,400) per phishing violation.

While it was previously possible to prosecute phishers under antifraud laws, the new legislation will make it easier for victims and government to go after phishers, Wendy said. It may also serve to inspire other legislation, perhaps even at the federal level. "You can't discourage the symbolic purpose of this," he added. "It's a statement to these guys that this is not acceptable behaviour."

According to Jordan Ritter, chief technology officer for Cloudmark, the law will have little effect on phishing in the short term - but if the law is held up in court and can serve to help victims recover damages, phishers may take note.

Ritter agreed that the Anti-Phishing Act also may serve a symbolic purpose. "Anything that raises people's awareness and improves people's education on the extent of the problem... is going to improve things," he said.

Phishing attacks have been on the rise. Research firm Gartner estimates that 73 million US internet users received phishing e-mails during the 12 months ending May 2005, up 28 percent from the previous year.