Consumer Advice
Educating Your Customers on ID Theft, Phishing and eCrime
Technical Whitepapers and Briefings from APWG Sponsors
APWG Phishing Trends Report
APWG Whitepapers and Reports
Notable Articles and Government Briefings
Anti-Fraud Organizations and Links
Corporate Anti-Fraud Policies
Where Does the Word 'Phishing' Come From?

APWG Web Vulnerabilities Survey
This briefing memorandum discusses the initial analysis of a wide-ranging survey of enterprises whose websites had been hacked. It's organizing motive is to understand the web site operating environments that are abused by cybercrime gangs, the nature of the attacks, and actions the victim took in response to obtain a clearer understanding of attacker methodologies and target preferences.

Global Phishing Survey: Domain Name Use and Trends in 2H2011
Published April 26 2012, this study is a comprehensive analysis of the phishing that took place in the second half of 2011 (2H2011). Highlights include:

• Average uptimes of all phishing attacks dropped notably
• Phishers used subdomain registration services more than regular domain registrations
• Phishing surged in China, and Taobao.com became the world’s #1 phishing target

Global Phishing Survey: Domain Name Use and Trends in 1H2011
Global Phishing Survey: Domain Name Use and Trends in 2H2010
Global Phishing Survey: Domain Name Use and Trends in 1H2010
Global Phishing Survey: Domain Name Use and Trends in 2H2009
Global Phishing Survey: Domain Name Use and Trends in 1H2009
Global Phishing Survey: Domain Name Use and Trends in 2H2008
Global Phishing Survey: Domain Name Use and Trends in 1H2008
Previous Phishing Survey Release: Trends in 2007
 

What to do if your Web site has been Hacked
This document is a reference guide for any web site owner or operator who suspects, discovers, or receives notification that it's web site is being used to host a phishing site. The document explains important incident response measures to take in the areas of identification, notification, containments, recovery, restoration and follow-up when an attack is suspected or confirmed.

Measures to Protect Domain Registration Services Against Exploitation or Misuse
In this report, ICANN's SSAC calls attention to certain high profile incidents involving attacks against domain name registration. The report examines the incidents in sufficient detail to identify how accounts were compromised, the actions attackers performed once they had gained control of the account, and the consequences. The report identifies practices registrars can share with customers so registrar and customer can jointly protect domain registrations against exploitation or misuse, and discusses methods of raising security awareness among registrants of the risks relating to even a temporary loss of control over domain names and associated DNS configurations. This report seeks to encourage additional registrars and resellers to consider whether opportunities exist to provide stronger levels of protection from attacks against domain registration accounts. In particular, the report seeks to encourage registrars to consider emphasize registration security measures as a way to differentiate their service in a highly competitive market.

A Registrant's Guide to Protecting Domain Name Registration Accounts
This report attempts to catalog measures that registrants should consider to protect their domain name registration accounts and the domain names managed through these accounts. The report describes the threat landscape for domain names, and identifies a set of measures for organizations to consider. The report also considers risk management in the context of domain names so that an organization can assess its own risk and choose appropriate measures. The report explains that an organization can implement these measures using its own staff (³in house²), contracted third parties, or a registrar or registry. It discusses the merits of implementing certain measures versus outsourcing these to contracted third parties or registrars and identifies circumstances where redundant measures are worth consideration. Lastly, the report provides lists of questions organizations should ask registrars and registries concerning their registration processes and protection mechanisms. The list can be used to obtain valuable and important information about registrar processes so that organizations can make informed decisions when choosing a registrar(s).  

Making Waves in the Phisher’ Safest Harbors: Exposing the Dark Side of Subdomain Registries
This advisory discusses how phishers now use what we call subdomain registries to provide safe harbors for malicious and criminal activities. The advisory also discusses measures individuals and organizations can consider if they opt to make these harbors less attractive and effective to phishers.

The Relationship of Phishing and Tasting
The Domain Name System Policy Working Group performed a study on the use of domain tasting by phishers. The study shows that while it does not appear that domain tasting is utilized by phishers, the increase in infrastructure anti-phishing companies must have to monitor for new phishing domain registrations has negatively impacted the anti-phishing community.

Memorandum on Domain Take-Downs and WhoIs Data
The APWG, as an observer to the ICANN Whois Privacy WG, prepared a memorandum on how anti-phishing fighters use the DNS Whois data to disable phishing sites. ICANN is contemplating removing most of the address data from the gTLD (.com, .net, .org) DNS Whois servers and the APWG is concerned about retaining access to this data to support our phish fight.

Best Practices for ISPs and Mail Box Providers
Joint working document release from APWG and MAAWG. Consolidates a selection of "Best Practices" for companies providing ISP or Mail Box services.

Online Identity Theft: Technology, Chokepoints and Countermeasures
DHS Counter-Phishing Strategies Whitepaper from the members of the Identity Theft Technology Council .

DOJ & PSEPC Joint Report on Phishing
The US Justice Department and the Ministry on Public Safety and Emergency Preparedness Canada jointly produced report on phishing.

Crimeware Landscape Report
The APWG in coordination with the US Department of Homeland Security produced this Crimeware Landscape Report. This document tries to help executives grasp just what crimeware is, how it works, and how prevalent it is.

Proposed Solutions to Address the Threat of Email Spoofing Scams
Anti-Phishing Working Group - Released Dec 12, 2003

National and State Trends in Fraud & Identity Theft, January - December 2003
Federal Trade Commission - Released Jan 22, 2004
 

How to Avoid Phishing Scams

What To Do If You've Given Out Your Personal Financial Information

FBI's Common Fraud Schems information page

Bank Safe Online from our research partners APACS in the UK

Federal Trade Commission "Avoid ID Theft: Deter, Detect, Defend", a campaign to advise consumers on techniques to neutralize identity thef

Site Jabber Blog, a consumer protection service which helps people avoid fraudulent websites and find ones they will love.

Good collection of articlase on "Identity Theft & Data Breaches" hosted by the Privacy Rights Clearinghouse.

Our research partners at Wombat Security Technologies have developed this cute little game to help customers recognize phishing attacks. Play the first round of AntiPhishing Phil and see how knowledgeable you are.

Another effort to educate users is SecurityCartoon.com. SecurityCartoon.com describes common threats and what to do to avoid them. This is done in a language that is accessible to typical Internet users.
 

General Resources:

• Carnegie Mellons' PhishGuru
• OnGuardOnline Phishing education
• PayPal education page
• Microsoft phishing education page
• DimeNOC education page
• UK's APAC consumer education site
• Australia phishing education page

Quizzes and Games:

• Carnegie Mellon's educational game
• PayPal quiz
   

APWG Public Education Initiative (PEI): The PEI identifies and organizes the most broadly useful counter-ecrime educational programs and forges the essential logistics to deliver them to the largest victimized cohort possible, in every language in which phishing, directed at consumer and enterprise desktops and communications devices, has become a problem.

APWG/CMU CUPS Phishing Education Landing Page Program: This document describes the combidend APWG/CMU CUPS program to educate users who have been successfully phished and followed a link to an identifed phishing site.
 

The Federal Trade Commission and the APWG have colaborated on these "Hot To Guides". We want to extend our thanks to the FTC for supporting this project.
 

Fighting Back Against Identity Theft: The easy to reproduce brochure outlines essential steps to deter, detect and defend against identity theft. The brochure is available online in print ready, PDF format.
 

Talking About Identity Theft: A How-To Guide: A comprehensive guide with educational strategies and materials for professionals, associations and community groups to effectively communicate and educate about identity theft. Available online in print ready, PDF format.
 

The following citations are are for trade and academic journal articles and government briefings on phishing.

October 2010: Economic Incentives for Internet Security through Reputation and Insurance
This position paper from John S. Quarterman, InternetPerils, & Andrew B. Whinston, University of Texas, prepared for the first APWG and IEEE-SA Roadmapping Session Toward a Global Public Health Initiative Model for eCrime Response

May 2008 - SSAC Advisory on Registrar Impersonation Phishing Attacks (26 May 2008)
http://icann.org/committees/security/sac028.pdf

May 2008 - Behind Phishing: An Examination of Phisher Modi Operandi
D. Kevin McGrath, Minaxi Gupta
Computer Science Department, Indiana University, Bloomington, IN, U.S.A.

March 2006 - National Consumer League
A Call for Action: Report from the National Consumer League Anti-Phishing Retreat

November 2005 - DHS Report
DHS Counter-Phishing Strategies Whitepaper: Online Identity Theft: Technology, Chokepoints and Countermeasures

February 2005 - APWG Response to the FDIC
APWG FDIC Response

January 2005 - Tod Beardsley Whitepaper
Evolution of Phishing Attacks

January 2005 - APWG/USSS
Anti-Phishing Technology

December 2004 - FDIC Report
Putting an End to Account-Hijacking Identity Theft by the FDIC

The Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG)is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organization provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem.

FBI - Internet Fraud Complaint Center
The Internet Fraud Complaint Center (IFCC) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). IFCC's mission is to address fraud committed over the Internet.

The Coalition on Online Identity Theft
Information Technology Association of America (ITAA)
Some of the biggest names in e-commerce, including Amazon.com, eBay and Microsoft, have formed a coalition to curb online identity theft.

SCAMwatch
SCAMwatch is a website run by the Australian Competition & Consumer Commission (ACCC). The aim of SCAMwatch is to provide information to consumers and small business about how to recognise, avoid and report scams. Scams that are reported to SCAMwatch will be analysed by the ACCC.

The United States Federal Trade Commission
The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them.

Secure Florida's mission is to protect the citizens and economy of Florida by safeguarding information systems, reducing vulnerability to cyber attacks, and increasing responsiveness to any threat.

The Privacy Rights Clearinghouse
The Privacy Rights Clearinghouse is a nonprofit consumer education, research, and advocacy program. Our publications empower you to take action to control your personal information by providing practical tips on privacy protection.

Nigeria - The 419 Coalition Website
We Fight the Nigerian Scam with Education. Its a US$5 Billion (as of 1996, much more now) worldwide Scam which has run since the early 1980's under Successive Governments of Nigeria. It is also referred to as "Advance Fee Fraud", "419 Fraud" (Four-One-Nine) after the relevant section of the Criminal Code of Nigeria.

US Bank

Wells Fargo Bank

NatWest Bank

eBay and PayPal

Citibank

Lloyds

APACS UK

Origins of the Word "Phishing"
True history of where the phrase came from.