APWG Lends Expertise to IRS Offline Phishing
Global Counter-eCrime Group Expands Real-Time Public Education Utilities to Cover ‘Offline’ eCrime
July 26, 2010 05:33 AM Eastern Daylight Time
CAMBRIDGE, Mass.--(EON: Enhanced Online News)--The Anti-Phishing Working Group (APWG) has
contributed its expertise in online fraud to the Internal Revenue Service (IRS) with the creation of a new consumer
fax education initiative to assist victims of ‘offline phishing’ and has launched its new APWG Fax Back Phishing
Education Program this month.
The collaborative effort comes as a response to a growing public threat from offline phishers who conduct various
scams via fax. While traditional phishing occurs exclusively online (e.g., phishing websites), offline phishing involves
sending emails with attachments, or direct faxes, to individuals or businesses. Recipients are warned to complete the
fake documents and fax them back or be subject to some fictitious penalty.
The average loss from offline phishing scams ranges from a few thousand to tens of thousands of dollars – losses that
victims don’t realize they have sustained until long after the crime is complete. The APWG’s Fax Back Phishing
Education Program provides telecommunications companies and Fax over Internet Protocol (FoIP) hosting firms
with educational instruments to educate consumers the moment they are scammed.
The IRS’s Online Fraud Detection and Prevention (OFDP) group, under the Office of Privacy Information
Protection & Data Security, began tracking and disabling offline phishing incidents in early 2009 and turned to the
APWG in 2010 to help with the development of a response utility to advise consumers who’ve fallen victim to offline
APWG worked with OFDP to create a fax coversheet available on the APWG’s education resources site that
carriers can download and use to notify any victim of offline phishing. The fax coversheet also provides a link to
other APWG resources, which will allow victims to submit a complaint to the appropriate clearinghouse,
http://www.ftccomplaintassistant.gov and http://www.econsumer.gov.
Both sites feed FTC Sentinel - a consumer complaint database maintained by the U.S. Federal Trade Commission
(FTC) - providing a valuable resource for certified government law enforcement and regulatory agencies from
International Consumer Protection and Enforcement Network (ICPEN) member countries. More victims reporting
to FTC Sentinel improves law enforcement’s ability to investigate and disrupt phishing operations.
OFDP identifies fax numbers from complaints sent to email@example.com. Before OFDP became involved in offline
phishing, these numbers would remain active for months. Working with telecommunications providers, OFDP
disables numbers in the majority of cases within 12 hours. This greatly reduces the potential window of opportunity
for these phishers to harvest credentials. Approximately 250 numbers have been disabled in less than 18 months.
Soon after disabling these numbers, OFDP sought a way to educate the individuals – not all victims were in the U.S.
– during the ‘teachable moment’ when they were about to fax in their information. OFDP worked with the Federal
Trade Commission (FTC) to record an IRS audio landing page. When individuals attempt to fax to a disabled
number, they will hear the IRS audio landing page - provided the carrier has chosen to participate in the program.
Upon realizing that the audio landing page did not assist those who had already submitted their information, and that not all
carriers wanted to use it, OFDP reached out to APWG. APWG drafted the consumer fax coversheet and online
content. APWG provided a well-known, well-respected brand that carriers would immediately recognize. Since the
fax coversheet is not branded specifically for the IRS, any agency or institution targeted by offline phishing can
benefit from its use.
“The APWG Internet Policy Committee commends the IRS for its role in protecting consumers against these
fax-phishing scams,” said Laura Mather, Ph.D., Co-Chair of APWG’s Internet Policy Committee. “The phishers
continue to find compelling mechanisms for contacting consumers and having the IRS work with us to create a
program for protecting people who have been contacted by this type of scam shows that the crime fighters
cooperate as well as the criminals.”
In June, OFDP spoke at the Communications Fraud Control Association (CFCA) conference in Baltimore, MD,
where their efforts and the consumer fax initiative were unveiled to communications professionals. In August, OFDP
is speaking at the Government Forum of Incident Response and Security Teams (GFIRST) conference in San
Antonio, to provide both their analysis and mitigation efforts to other government agencies that have also been
targeted. In October, OFDP will speak to the anti-phishing community at the APWG General Members’ meeting in Dallas
to report on its experience with this new form of real-time counter-crime consumer education program.
APWG Fax Back Phishing Education Program Page:
ADVISORY COVERSHEET PAGE:
APWG 2010 DALLAS CONFERENCE AGENDA:
About the APWG:
The APWG, founded in 2003 as the Anti-Phishing Working Group, is a global industry, law enforcement, and
government coalition focused on eliminating the identity theft and fraud that result from the growing problem of
phishing, email spoofing, and crimeware. Membership is open to qualified financial institutions, online retailers, ISPs,
the law enforcement community and solutions providers. There are more than 1,800 companies, government
agencies and NGOs participating in the APWG and more than 3,300 members. The APWG's Web sites –
www.apwg.org and education.apwg.org - offer the public, industry and government agencies information about
phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide
immediate protection. APWG's corporate sponsors are as follows:
AT&T(T), Able NV, Afilias Ltd., AhnLab, AVG Technologies, BillMeLater, BBN Technologies, Blue Coat,
BlueStreak, BrandMail, BrandProtect, Bsecure Technologies, Check Point Software Technologies, Cisco (CSCO),
Clear Search, Cloudmark, Cyveillance, DigiCert, DigitalEnvoy, DigitalResolve, Digital River, Easy Solutions,
eBay/PayPal (EBAY), Entrust (ENTU), eEye, ESET, Fortinet, FraudWatch International, FrontPorch, F-Secure,
Goodmail Systems, GeoTrust, GlobalSign, GoDaddy, Goodmail Systems, GuardID Systems, HomeAway, Huawei
Symantec, IronPort, HitachiJoHo, ING Bank, Iconix, Internet Identity, Internet Security Systems, Intuit, IOvation,
IronPort, IS3, IT Matrix, Kaspersky Labs, Kindsight, Lenos Software, LightSpeed Systems, MailFrontier,
MailShell, MarkMonitor, M86Security, McAfee (MFE), MasterCard, MessageLevel, Microsoft (MSFT),
MicroWorld, Mirapoint, MySpace (NWS), MyPW, MX Logic, NameProtect, National Australia Bank (ASX:
NAB), Netcraft, NetStar, Network Solutions, NeuStar, Nominum, Panda Software, Phoenix Technologies Inc.
(PTEC), Phishme.com, Phorm, Planty.net, Prevx, The Planet, SIDN, SalesForce, Radialpoint, RSA Security
(EMC), RuleSpace, SecureBrain, Secure Computing (SCUR), S21sec, Sigaba, SoftForum, SOPHOS,
SquareTrade, SurfControl, SunTrust, Symantec (SYMC), TDS Telecom, Telefonica (TEF), Trend Micro (TMIC),
Tricerion, TriCipher, TrustedID, Tumbleweed Communications (TMWD), Vasco (VDSI), VeriSign (VRSN), Visa,
Wal-Mart (WMT), Websense Inc. (WBSN) and Yahoo! (YHOO), ZYNGA.
Peter Cassidy, +1-617-669-1123