Recommendations More than Engineering "Reality Check"
LOS ALTOS, Calif. & SAN FRANCISCO--(AllPayNews)--July 25, 2006--To protect Internet users from online fraudsters and defend the Internet against scammers commandeering network resources, the two most influential global trade associations combating Internet crime have jointly released an explicit new set of Best Practices to combat "phishing," a major cause of online identity theft and fraud. The recommendations will help Internet Service Providers (ISPs) and mailbox providers better police their own infrastructures and filter traffic traversing their networks.
The Anti-Phishing Working Group (APWG) and the Messaging Anti-Abuse Working Group (MAAWG) jointly developed the recommendations outlined in "Anti-Phishing Best Practices for ISPs and Mailbox Providers." The paper provides technical and business practices to help ISPs and mailbox providers thwart phishing attacks and other malevolent network abuses and also includes practices to respond constructively when these attacks occur. "Phishing" employs deceptive technology such as spoofing and social engineering to steal consumers' personal identity and financial account data, and has become a major concern.
APWG Chairman David Jevans said, "The APWG and MAAWG have worked together for many, many months on defining these best practice recommendations for ISPs to help prevent phishing attacks. This important work is the result of a collaboration between ISPs, security companies and government agencies. This kind of ongoing collaboration is crucial, as phishing and crimeware are a constantly evolving security threat."
The joint efforts between the two groups and their respective technical and governance committees began in the fall of 2005. The final document was reviewed and approved at a co-located June meeting of the APWG and MAAWG in Brussels, and the main editor in developing the work was Vipul Ved Prakash, chief scientist and co-founder of Cloudmark.
Specific Technical and Business Recommendations
Daniel Dreymann, co-chair of the MAAWG Anti-Phishing Special Interest Group and a co-founder of Goodmail Systems, Inc., said, "ISPs and mailbox providers have a lead role in combating email-borne security threats like phishing, the risk here being an erosion of consumer trust in commercial email. MAAWG and APWG have done the industry an enormous service with this guide, having compiled the best anti-phishing practices worldwide."
The Best Practices outline technology and business methods that will help ISPs maintain cleaner communications channels for their customers and protect their infrastructures from interlopers seeking to commandeer the network. In addressing the deployment of security technologies, the paper encourages piloting and field trials of technologies and comparative analysis of multiple solutions. Among the recommendations:
-- Two-way filtering of communications flows to stop inbound phishing email from reaching consumers and to tip off ISPs and mailbox providers when their servers are being used for sending outbound phishing emails
-- Internet Protocol (IP) blacklists to temporarily render servers co-opted for phishing attacks unreachable by consumers caught up in a scam; using URL-based filters to help ISPs filter their customer traffic outbound to IP addresses, domains or URLs where known phishing Web pages are hosted
-- Filtering or rejecting email if it can be unequivocally determined to be forged; disabling images and hyperlinks in email from untrusted sources
-- Employing visual cues or tags within the email client interface that can characterize the authenticity and trustworthiness of email for the users
-- Blocking access to known phishing sites during attacks and distributing client tools that users can employ to deflect their Web browser from accessing phishing sites
The recommendations are more than a "reality check" of technical issues from the engineering department, however. They also incorporate consumer education and the law enforcement measures necessary to counter criminal abuses such as phishing. For example, the Best Practices include educating consumers to check for Web site certificate authenticity before submitting personal information, directing users who believe they have been scammed to the Federal Trade Commission and other anti-fraud organizations, and alerting financial institutions when they are the target of phishing campaigns.
The groups are working through diplomatic channels to cultivate support for the new Best Practices. They both have abiding relations with the national CERTs (Computer Emergency Response Teams) worldwide and maintain open dialogues with industrial and government bodies in Europe, East Asia and Australasia.
MAAWG is the largest global trade association focusing on email abuse and the anti-phishing recommendations are part of its voluntary Code of Conduct. For the APWG, the global thought-leader in electronic fraud, the Best Practices are part of an ongoing campaign to articulate the electronic fraud experience and engender shared understanding among its members, industry, government and the public worldwide and to promote appropriate solutions.
The entire "Anti-Phishing Best Practices for ISPs and Mailbox Providers" document is available at www.MAAWG.org or directly at the following link, http://antiphishing.org/reports/bestpracticesforisps.pdf
About the Anti-Phishing Working Group (APWG)
The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing and the spread of crimeware that automatically mines consumers' personal data from their PCs. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community, and solutions providers. There are currently over 1500 organizations participating in the APWG and more than 2400 members worldwide. The APWG is a 501c6 tax-exempted organization and maintains the public website http://www.antiphishing.org for its members and for the general public.
About the Messaging Anti-Abuse Working Group (MAAWG)
The Messaging Anti-Abuse Working Group (MAAWG) is where the messaging industry comes together to work against spam, viruses, denial-of-service attacks and other online exploitation. MAAWG (www.MAAWG.org) is the only organization addressing messaging abuse holistically by systematically engaging all aspects of the problem, including technology, industry collaboration and public policy. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services. Headquartered in San Francisco, Calif., MAAWG is an open forum driven by market needs and supported by major network operators and messaging providers.
Peter Cassidy, +1 617 669 1123
Linda Marcus, 714-974-6356