Educating Your Customers on ID Theft, Phishing and eCrime
Technical Whitepapers and Briefings from APWG Sponsors
APWG Phishing Trends Report
APWG Whitepapers and Reports
Notable Articles and Government Briefings
Anti-Fraud Organizations and Links
Corporate Anti-Fraud Policies
Where Does the Word 'Phishing' Come From?
Technical Whitepapers and Briefings from APWG Sponsors
Click Here to read Kaspersky's white paper on anti-phishing technology and avoiding getting caught in the phishing net.
Click Here to read DigiCert's white paper on taking steps beyond PCI compliance and the use of end-to-end encryption (including Extended Validation EV SSL certificates) to reduce online fraud.
Click Here to read DigiCert's white paper on Phishing: A Primer on What Phishing is and How It Works. This white paper goes in-depth on phishing and how Identity Vetting and Extended Validation EV SSL Certificates add an extra layer of protection.
Click Here for Cyveillance's paper on "The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks".
Click Here for Trend Micro's paper on "Botnet Threats and Solutions: Phishing".
Click here to view the GeoTrust white paper, "Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks and Consumer Fraud". In this white paper, the author describes how the traditional, paper-based manual vetting process (organizational assurance vetting) still employed by some certificate authorities can be spoofed.
Between June and July 2011, Latin American users of online banking and e-commerce were interviewed to determine their views on topics like electronic fraud, trust in the transactional channels, security methods and educational campaigns. The results of this study are a guide for banks and financial institutions to set their electronic security strategies and educational campaigns, based on the user's habits, perceptions and expectations. (Click Here For Full Report)
The EasySolutions white paper “Key IT Anti-Fraud Challenges for Banking & Financial Institutions in Latin America” is a reference point for Latin American financial institutions regarding security and fraud prevention in electronic channels such as online, mobile, automatic teller machines (ATMs) and interactive voice response systems (IVRs).
(Click Here for Spanish / Click here for English)
Click here to view this EasySolutions whitepaper, which provides a general view of phishing and pharming as electronic fraud techniques and shows how Easy Solutions approaches this problem with a solution oriented to end-users who want to access transactional and confidential websites safely.
Click here to download a copy of McAfee's white paper "Anti-Phishing: Best Practices for Institutions and Consumers", in which the authors delineate phishing's many attack surfaces and assess different approaches and solutions to remediate them.
Click here to download the report detailing the findings of the 6th Annual Online Consumer Survey sponsored by RSA, the Security Division of EMC. Learn what your customers are saying about their opinions and attitudes on the online security risks they face, their level of awareness concerning the latest threats, and what online service providers should do to
Click here to download this special online fraud report from RSA, the Security Division of EMC, for information about the latest online fraud trends and what to expect and prepare for in the future. As cybercriminals continue to improve their technology, launch increasingly sophisticated attacks, and use advanced social engineering techniques to dupe online users into falling for scams, knowledge is the first line of defense against online fraud!
Click here to go out to VASCO's Phishing website, with information and documents and a range of authentication solutions including EMV
Click here to view the Symantec white paper, "Mitigating Online Fraud: Customer Confidence, Brand Protection, and Loss
APWG Whitepapers and Other Reports
APWG Web Vulnerabilities Survey
This briefing memorandum discusses the initial analysis of a wide-ranging survey of enterprises whose websites had been hacked. Its organizing motive is to understand the web site operating environments that are abused by cybercrime gangs, the nature of the attacks, and the actions the victims took in response, in order to obtain a clearer understanding of attacker methodologies and target preferences.
Global Phishing Survey: Domain Name Use and Trends in 1H2012
Published April 26, 2012, this study is a comprehensive analysis of the phishing that took place in the second half of 2011 (2H2011). Highlights include:
- Average uptimes of all phishing attacks dropped notably
- Phishers used subdomain registration services more than regular domain registrations
- Phishing surged in China, and Taobao.com became the world’s #1 phishing target
Global Phishing Survey: Domain Name Use and Trends in 2H2011
Anti-Phishing Best Practices Recommendations for Registrars
Global Phishing Survey: Domain Name Use and Trends in 1H2011
Global Phishing Survey: Domain Name Use and Trends in 2H2010
Global Phishing Survey: Domain Name Use and Trends in 1H2010
Global Phishing Survey: Domain Name Use and Trends in 2H2009
Global Phishing Survey: Domain Name Use and Trends in 1H2009
Global Phishing Survey: Domain Name Use and Trends in 2H2008
Global Phishing Survey: Domain Name Use and Trends in 1H2008
Previous Phishing Survey Release: Trends in 2007
The purpose of this document is to provide a set of recommendations to the domain registrar community that can substantially reduce the risk and impact of phishing on consumers and business worldwide. The recommendations focus on 3 areas where registrars can be of assistance: Evidence Preservation for Investigative Purposes, Proactive Fraud Screening and Phishing Domain Takedown.
What to do if your Web site has been Hacked
This document is a reference guide for any web site owner or operator who suspects, discovers, or receives notification that its web site is being used to host a phishing site. The document explains important incident response measures to take in the areas of identification, notification, containment, recovery, restoration and follow-up when an attack is suspected or confirmed.
Measures to Protect Domain Registration Services Against Exploitation or Misuse
In this report, ICANN's SSAC calls attention to certain high profile incidents involving attacks against domain name registration. The report examines the incidents in sufficient detail to identify how accounts were compromised, the actions attackers performed once they had gained control of the account, and the consequences. The report identifies practices registrars can share with customers so that registrar and customer can jointly protect domain registrations against exploitation or misuse, and discusses methods of raising security awareness among registrants of the risks relating to even a temporary loss of control over domain names and associated DNS configurations. This report seeks to encourage additional registrars and resellers to consider whether opportunities exist to provide stronger levels of protection from attacks against domain registration accounts. In particular, the report seeks to encourage registrars to consider emphasizing registration security measures as a way to differentiate their service in a highly competitive market.
A Registrant's Guide to Protecting Domain Name Registration Accounts
This report attempts to catalog measures that registrants should consider to protect their domain name registration accounts and the domain names managed through these accounts. The report describes the threat landscape for domain names, and identifies a set of measures for organizations to consider. The report also considers risk management in the context of domain names so that an organization can assess its own risk and choose appropriate measures. The report explains that an organization can implement these measures using its own staff ("in house"), contracted third parties, or a registrar or registry. It discusses the merits of implementing certain measures versus outsourcing these to contracted third parties or registrars and identifies circumstances where redundant measures are worth consideration. Lastly, the report provides lists of questions organizations should ask registrars and registries concerning their registration processes and protection mechanisms. The list can be used to obtain valuable and important information about registrar processes so that organizations can make informed decisions when choosing a registrar(s).
Making Waves in the Phishers' Safest Harbors: Exposing the Dark Side of Subdomain Registries
This advisory discusses how phishers now use what we call subdomain registries to provide safe harbors for malicious and criminal activities. The advisory also discusses measures individuals and organizations can consider if they opt to make these harbors less attractive and effective to phishers.
The Relationship of Phishing and Tasting
The Domain Name System Policy Working Group performed a study on the use of domain tasting by phishers. The study shows that while it does not appear that domain tasting is utilized by phishers, the increase in infrastructure anti-phishing companies must have to monitor for new phishing domain registrations has negatively impacted the anti-phishing community.
Memorandum on Domain Take-Downs and WhoIs Data
The APWG, as an observer to the ICANN Whois Privacy WG, prepared a memorandum on how anti-phishing fighters use the DNS Whois data to disable phishing sites. ICANN is contemplating removing most of the address data from the gTLD (.com, .net, .org) DNS Whois servers, and the APWG is concerned about retaining access to this data to support our phish fight.
Best Practices for ISPs and Mail Box Providers
A joint working document released by APWG and MAAWG. It consolidates a selection of "Best Practices" for companies providing ISP or Mail Box services.
Identity Theft: Technology, Chokepoints and Countermeasures
DHS Counter-Phishing Strategies Whitepaper from the members of the Identity Theft Technology Council.
DOJ & PSEPC Joint Report on Phishing
The US Justice Department and the Ministry of Public Safety and Emergency Preparedness Canada jointly produced a report on phishing.
Crimeware Landscape Report
The APWG, in coordination with the US Department of Homeland Security, produced this Crimeware Landscape Report. This document helps executives grasp just what crimeware is, how it works, and how prevalent it is.
to Address the Threat of Email Spoofing Scams
Anti-Phishing Working Group - Released Dec 12, 2003
National and State Trends in Fraud & Identity Theft, January - December 2003
Federal Trade Commission - Released Jan 22, 2004
How to Avoid Phishing Scams
What To Do If You've Given Out Your Personal Financial Information
FBI's Common Fraud Schemes information page
Bank Safe Online from our research partners APACS in the UK
Federal Trade Commission "Avoid ID Theft: Deter, Detect, Defend", a campaign to advise consumers on techniques to neutralize identity theft
Site Jabber Blog, a consumer protection service which helps people avoid fraudulent websites and find ones they will love.
Good collection of articles on "Identity Theft & Data Breaches" hosted by the Privacy Rights Clearinghouse.
Our research partners at Wombat Security Technologies have developed this cute little game to help customers recognize phishing attacks. Play the first round of AntiPhishing Phil and see how knowledgeable you are.
Another effort to educate users is SecurityCartoon.com. SecurityCartoon.com describes common threats and what to do to avoid them. This is done in a language that is accessible to typical Internet users.
Educating Your Customers on ID Theft, Phishing and eCrime
APWG Public Education Initiative (PEI): The PEI identifies and organizes the most broadly useful counter-ecrime educational programs and forges the essential logistics to deliver them to the largest victimized cohort possible, in every language in which phishing, directed at consumer and enterprise desktops and communications devices, has become a problem.
APWG/CMU CUPS Phishing Education Landing Page Program: This document describes the combined APWG/CMU CUPS program to educate users who have been successfully phished and followed a link to an identified phishing site.
The Federal Trade Commission and the APWG have collaborated on these "How-To Guides". We want to extend our thanks to the FTC for supporting this project.
Fighting Back Against Identity Theft: This easy-to-reproduce brochure outlines essential steps to deter, detect and defend against identity theft. The brochure is available online in print-ready PDF format.
Talking About Identity Theft: A How-To Guide: A comprehensive guide with educational strategies and materials for professionals, associations and community groups to effectively communicate and educate about identity theft. Available online in print-ready PDF format.
Notable Articles and Briefings
The following citations are for trade and academic journal articles and government briefings on phishing.
October 2010: Economic Incentives for Internet Security through Reputation and Insurance
This position paper, from John S. Quarterman (InternetPerils) and Andrew B. Whinston (University of Texas), was prepared for the first APWG and IEEE-SA Roadmapping Session Toward a Global Public Health Initiative Model for eCrime Response.
May 2008 - SSAC Advisory on Registrar Impersonation Phishing Attacks (26 May 2008)
May 2008 - Behind Phishing: An Examination of Phisher Modi Operandi
D. Kevin McGrath, Minaxi Gupta
Computer Science Department, Indiana University, Bloomington, IN, U.S.A.
March 2006 - National Consumer League
A Call for Action: Report from the National Consumer League Anti-Phishing Retreat
November 2005 - DHS Report
DHS Counter-Phishing Strategies Whitepaper: Online Identity Theft: Technology, Chokepoints and Countermeasures
February 2005 - APWG Response to the FDIC
APWG FDIC Response
January 2005 - Tod Beardsley Whitepaper
of Phishing Attacks
January 2005 - APWG/USSS
December 2004 - FDIC Report
an End to Account-Hijacking Identity Theft by the FDIC
The following organizations are involved in identifying, tracking, or stopping phishing attacks:
The Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organization provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem.
FBI - Internet Fraud Complaint Center
The Internet Fraud Complaint Center (IFCC) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). IFCC's mission is to address fraud committed over the Internet.
The Coalition on Online Identity Theft
Information Technology Association of America (ITAA)
Some of the biggest names in e-commerce, including Amazon.com, eBay and Microsoft, have formed a coalition to curb online identity
SCAMwatch is a website run by the Australian Competition & Consumer Commission (ACCC). The aim of SCAMwatch is to provide information to consumers and small business about how to recognise, avoid and report scams. Scams that are reported to SCAMwatch will be analysed by the ACCC.
The United States Federal Trade Commission
The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them.
Secure Florida's mission is to protect the citizens and economy of Florida by safeguarding information systems, reducing vulnerability to cyber attacks, and increasing responsiveness to any threat.
The Privacy Rights Clearinghouse
The Privacy Rights Clearinghouse is a nonprofit consumer education, research, and advocacy program. Our publications empower you to take action to control your personal information by providing practical tips on privacy protection.
Nigeria - The 419 Coalition Website
We Fight the Nigerian Scam with Education. It's a US$5 Billion (as of 1996, much more now) worldwide Scam which has run since the early 1980's under Successive Governments of Nigeria. It is also referred to as "Advance Fee Fraud", "419 Fraud" (Four-One-Nine) after the relevant section of the Criminal Code
Corporate Anti-Fraud Policies
Below is a sample of companies or other organizations that have published policies relating to email fraud and phishing attacks:
eBay and PayPal
Where Does the Word 'Phishing' Come From?
The Word Spy
Where did the word "phishing" come from?
Origins of the Word "Phishing"
True history of where the phrase came from.