Anti-Phishing Resources

Consumer Advice
Educating Your Customers on ID Theft, Phishing and eCrime
Technical Whitepapers and Briefings from APWG Sponsors
APWG Phishing Trends Report
APWG Whitepapers and Reports
Notable Articles and Government Briefings
Anti-Fraud Organizations and Links
Corporate Anti-Fraud Policies
Where Does the Word 'Phishing' Come From?


Technical Whitepapers and Briefings from APWG Sponsors


Click Here to read Kaspersky's white paper on anti-phishing technology and avoiding getting caught in the phishing net.
 

Click Here to read DigiCert's white paper on taking steps beyond PCI compliance and the use of end-to-end encryption (including Extended Validation EV SSL certificates) to reduce online fraud.

Click Here to read DigiCert's white paper on Phishing: A Primer on What Phishing is and How It Works. This white paper goes in-depth on phishing and how Identity Vetting and Extended Validation EV SSL Certificates add an extra layer of protection.

Click Here for Cyveillance's paper on "The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks".

Click Here for Trend Micro's paper on "Botnet Threats and Solutions: Phishing".
 



Click here to view the GeoTrust white paper, "Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks and Consumer Fraud". In this white paper, the author describes how the traditional, paper-based manual vetting process (organizational assurance vetting) still employed by some certificate authorities can be spoofed.
 

Between June and July 2011, Latin American users of online banking and e-commerce were interviewed to determine their views on topics like electronic fraud, trust in the transactional channels, security methods and educational campaigns. The results of this study are a guide for the banks and financial institutions to set their electronic security strategies and educational campaigns, based on the user's habits, perceptions and expectations. (Click Here For Full Report)

The EasySolutions white paper “Key IT Anti-Fraud Challenges for Banking & Financial Institutions in Latin America” is a reference point for Latin American financial institutions regarding security and fraud prevention in electronic channels such as online, mobile, automatic teller machines (ATMs) and interactive voice response systems (IVRs).
(Click Here for Spanish / Click here for English)

Click here to view this EasySolutions white paper, which provides a general view of phishing and pharming as electronic fraud techniques and shows how Easy Solutions approaches this problem with a solution oriented to end users who want to access transactional and confidential websites safely.

http://www.easysol.net/newweb/Industry-News/Research-Report
 


Click here to download a copy of McAfee's white paper "Anti-Phishing: Best Practices for Institutions and Consumers" in which the authors delineate phishing's many attack surfaces and assess different approaches and solutions to remediate them.
 

Click here to download the report detailing the findings of the 6th Annual Online Consumer Survey sponsored by RSA, the Security Division of EMC. Learn what your customers are saying about their opinions and attitudes on the online security risks they face, their level of awareness concerning the latest threats, and what online service providers should do to protect them.

Click here to download this special online fraud report from RSA, the Security Division of EMC, for information about the latest online fraud trends and what to expect and prepare for in the future. As cybercriminals continue to improve their technology, launch increasingly sophisticated attacks, and use advanced social engineering techniques to dupe online users into falling for scams, knowledge is the first line of defense against online fraud!
 



Link to VASCO's phishing website, with information, documents and a range of authentication solutions including EMV smart cards.

 


Click here to view the Symantec white paper, "Mitigating Online Fraud: Customer Confidence, Brand Protection, and Loss Minimization."
 
 
APWG Whitepapers and Other Reports


APWG Web Vulnerabilities Survey
This briefing memorandum discusses the initial analysis of a wide-ranging survey of enterprises whose websites had been hacked. Its organizing motive is to understand the website operating environments that are abused by cybercrime gangs, the nature of the attacks, and the actions the victims took in response, in order to obtain a clearer understanding of attacker methodologies and target preferences.


Global Phishing Survey: Domain Name Use and Trends in 1H2012
Published April 26, 2012, this study is a comprehensive analysis of the phishing that took place in the second half of 2011 (2H2011). Highlights include:

  • Average uptimes of all phishing attacks dropped notably
  • Phishers used subdomain registration services more than regular domain registrations
  • Phishing surged in China, and Taobao.com became the world’s #1 phishing target

Global Phishing Survey: Domain Name Use and Trends in 2H2011
Global Phishing Survey: Domain Name Use and Trends in 1H2011
Global Phishing Survey: Domain Name Use and Trends in 2H2010
Global Phishing Survey: Domain Name Use and Trends in 1H2010
Global Phishing Survey: Domain Name Use and Trends in 2H2009
Global Phishing Survey: Domain Name Use and Trends in 1H2009
Global Phishing Survey: Domain Name Use and Trends in 2H2008
Global Phishing Survey: Domain Name Use and Trends in 1H2008
Previous Phishing Survey Release: Trends in 2007
 

Anti-Phishing Best Practices Recommendations for Registrars
The purpose of this document is to provide a set of recommendations to the domain registrar community that can substantially reduce the risk and impact of phishing on consumers and business worldwide. The recommendations focus on 3 areas where registrars can be of assistance: Evidence Preservation for Investigative Purposes, Proactive Fraud Screening and Phishing Domain Takedown.

What to do if your Web site has been Hacked
This document is a reference guide for any website owner or operator who suspects, discovers, or receives notification that its website is being used to host a phishing site. The document explains important incident response measures to take in the areas of identification, notification, containment, recovery, restoration and follow-up when an attack is suspected or confirmed.

Measures to Protect Domain Registration Services Against Exploitation or Misuse
In this report, ICANN's SSAC calls attention to certain high-profile incidents involving attacks against domain name registration. The report examines the incidents in sufficient detail to identify how accounts were compromised, the actions attackers performed once they had gained control of the account, and the consequences. The report identifies practices registrars can share with customers so that registrar and customer can jointly protect domain registrations against exploitation or misuse, and discusses methods of raising security awareness among registrants of the risks relating to even a temporary loss of control over domain names and associated DNS configurations. This report seeks to encourage additional registrars and resellers to consider whether opportunities exist to provide stronger levels of protection from attacks against domain registration accounts. In particular, the report seeks to encourage registrars to consider emphasizing registration security measures as a way to differentiate their service in a highly competitive market.

A Registrant's Guide to Protecting Domain Name Registration Accounts
This report attempts to catalog measures that registrants should consider to protect their domain name registration accounts and the domain names managed through these accounts. The report describes the threat landscape for domain names and identifies a set of measures for organizations to consider. The report also considers risk management in the context of domain names so that an organization can assess its own risk and choose appropriate measures. The report explains that an organization can implement these measures using its own staff ("in house"), contracted third parties, or a registrar or registry. It discusses the merits of implementing certain measures versus outsourcing them to contracted third parties or registrars, and identifies circumstances where redundant measures are worth consideration. Lastly, the report provides lists of questions organizations should ask registrars and registries concerning their registration processes and protection mechanisms. The list can be used to obtain valuable and important information about registrar processes so that organizations can make informed decisions when choosing a registrar or registrars.

Making Waves in the Phishers' Safest Harbors: Exposing the Dark Side of Subdomain Registries
This advisory discusses how phishers now use what we call subdomain registries to provide safe harbors for malicious and criminal activities. The advisory also discusses measures individuals and organizations can consider if they opt to make these harbors less attractive and effective to phishers.

The Relationship of Phishing and Tasting
The Domain Name System Policy Working Group performed a study on the use of domain tasting by phishers. The study shows that while domain tasting does not appear to be utilized by phishers, the increase in infrastructure that anti-phishing companies must maintain to monitor for new phishing domain registrations has negatively impacted the anti-phishing community.

Memorandum on Domain Take-Downs and WhoIs Data
The APWG, as an observer to the ICANN Whois Privacy WG, prepared a memorandum on how anti-phishing fighters use DNS Whois data to disable phishing sites. ICANN is contemplating removing most of the address data from the gTLD (.com, .net, .org) DNS Whois servers, and the APWG is concerned about retaining access to this data to support our phish fight.

Best Practices for ISPs and Mail Box Providers
A joint working document released by the APWG and MAAWG. It consolidates a selection of "Best Practices" for companies providing ISP or mailbox services.

Online Identity Theft: Technology, Chokepoints and Countermeasures
DHS Counter-Phishing Strategies Whitepaper from the members of the Identity Theft Technology Council.

DOJ & PSEPC Joint Report on Phishing
The US Justice Department and the Ministry of Public Safety and Emergency Preparedness Canada jointly produced this report on phishing.

Crimeware Landscape Report
The APWG in coordination with the US Department of Homeland Security produced this Crimeware Landscape Report. This document tries to help executives grasp just what crimeware is, how it works, and how prevalent it is.

Proposed Solutions to Address the Threat of Email Spoofing Scams
Anti-Phishing Working Group - Released Dec 12, 2003

National and State Trends in Fraud & Identity Theft, January - December 2003
Federal Trade Commission - Released Jan 22, 2004
 

Consumer Advice


How to Avoid Phishing Scams

What To Do If You've Given Out Your Personal Financial Information

FBI's Common Fraud Schemes information page

Bank Safe Online from our research partners APACS in the UK

Federal Trade Commission "Avoid ID Theft: Deter, Detect, Defend", a campaign to advise consumers on techniques to neutralize identity theft

Site Jabber Blog, a consumer protection service which helps people avoid fraudulent websites and find ones they will love.

Good collection of articles on "Identity Theft & Data Breaches" hosted by the Privacy Rights Clearinghouse.

Our research partners at Wombat Security Technologies have developed this cute little game to help customers recognize phishing attacks. Play the first round of AntiPhishing Phil and see how knowledgeable you are.

Another effort to educate users is SecurityCartoon.com. SecurityCartoon.com describes common threats and what to do to avoid them. This is done in a language that is accessible to typical Internet users.
 

Educating Your Customers on ID Theft, Phishing and eCrime


General Resources:

Quizzes and Games:

APWG Public Education Initiative (PEI): The PEI identifies and organizes the most broadly useful counter-ecrime educational programs and forges the essential logistics to deliver them to the largest victimized cohort possible, in every language in which phishing, directed at consumer and enterprise desktops and communications devices, has become a problem.

APWG/CMU CUPS Phishing Education Landing Page Program: This document describes the combined APWG/CMU CUPS program to educate users who have been successfully phished and followed a link to an identified phishing site.
 

The Federal Trade Commission and the APWG have collaborated on these "How-To Guides". We want to extend our thanks to the FTC for supporting this project.
 

Fighting Back Against Identity Theft: This easy-to-reproduce brochure outlines essential steps to deter, detect and defend against identity theft. The brochure is available online in print-ready PDF format.
 

Talking About Identity Theft: A How-To Guide: A comprehensive guide with educational strategies and materials for professionals, associations and community groups to effectively communicate and educate about identity theft. Available online in print-ready PDF format.
 

Notable Articles and Briefings

The following citations are for trade and academic journal articles and government briefings on phishing.

October 2010: Economic Incentives for Internet Security through Reputation and Insurance
This position paper, by John S. Quarterman (InternetPerils) and Andrew B. Whinston (University of Texas), was prepared for the first APWG and IEEE-SA Roadmapping Session Toward a Global Public Health Initiative Model for eCrime Response.

May 2008 - SSAC Advisory on Registrar Impersonation Phishing Attacks (26 May 2008)
http://icann.org/committees/security/sac028.pdf

May 2008 - Behind Phishing: An Examination of Phisher Modi Operandi
D. Kevin McGrath, Minaxi Gupta
Computer Science Department, Indiana University, Bloomington, IN, U.S.A.

March 2006 - National Consumer League
A Call for Action: Report from the National Consumer League Anti-Phishing Retreat

November 2005 - DHS Report
DHS Counter-Phishing Strategies Whitepaper: Online Identity Theft: Technology, Chokepoints and Countermeasures

February 2005 - APWG Response to the FDIC
APWG FDIC Response

January 2005 - Tod Beardsley Whitepaper
Evolution of Phishing Attacks

January 2005 - APWG/USSS
Anti-Phishing Technology

December 2004 - FDIC Report
Putting an End to Account-Hijacking Identity Theft by the FDIC

Anti-Fraud Organizations

The following organizations are involved in identifying, tracking, or stopping phishing attacks:

The Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organization provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem.

FBI - Internet Fraud Complaint Center
The Internet Fraud Complaint Center (IFCC) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). IFCC's mission is to address fraud committed over the Internet.

The Coalition on Online Identity Theft
Information Technology Association of America (ITAA)
Some of the biggest names in e-commerce, including Amazon.com, eBay and Microsoft, have formed a coalition to curb online identity theft.

SCAMwatch
SCAMwatch is a website run by the Australian Competition & Consumer Commission (ACCC). The aim of SCAMwatch is to provide information to consumers and small business about how to recognise, avoid and report scams. Scams that are reported to SCAMwatch will be analysed by the ACCC.

The United States Federal Trade Commission
The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them.

secureFlorida
Secure Florida's mission is to protect the citizens and economy of Florida by safeguarding information systems, reducing vulnerability to cyber attacks, and increasing responsiveness to any threat.

The Privacy Rights Clearinghouse
The Privacy Rights Clearinghouse is a nonprofit consumer education, research, and advocacy program. Our publications empower you to take action to control your personal information by providing practical tips on privacy protection.

Nigeria - The 419 Coalition Website
We Fight the Nigerian Scam with Education. It's a US$5 Billion (as of 1996, much more now) worldwide Scam which has run since the early 1980's under Successive Governments of Nigeria. It is also referred to as "Advance Fee Fraud", "419 Fraud" (Four-One-Nine) after the relevant section of the Criminal Code of Nigeria.

Corporate Anti-Fraud Policies

Below is a sample of companies or other organizations that have published policies relating to email fraud and phishing attacks:

US Bank

Wells Fargo Bank

NatWest Bank

eBay and PayPal

Citibank

Lloyds

APACS UK

Where Does the Word 'Phishing' Come From?

The Word Spy

Where did the word "phishing" come from?

Origins of the Word "Phishing"
True history of where the phrase came from.