APWG launches offline phishing education program

The Anti-phishing Working Group has contributed its expertise in online fraud to the Internal Revenue Service with the creation of a new consumer fax education initiative to assist victims of “offline phishing’ and launched its new APWG Fax Back Phishing Education Program this month.

The collaborative effort comes as a response to a growing public threat by offline phishers who conduct various scams via fax. While traditional phishing occurs exclusively online (e.g., phishing websites), offline phishing involves sending emails with attachments – or direct faxes to individuals or businesses. Recipients are warned to complete the fake documents and fax them back or be subject to some fictitious penalty.

The average losses of offline phishing scams ranges from a few thousand to tens of thousands of dollars – losses that victims don’t realize they have sustained until long after the crime is complete. The APWG’s Fax Back Phishing Education Program provides telecommunications companies and Fax over Internet Protocol (FoIP) hosting firms with educational instruments to educate consumers the moment they are scammed.

The IRS’s Online Fraud Detection and Prevention (OFDP) group, under the Office of Privacy Information Protection & Data Security, began tracking and disabling offline phishing incidents in early 2009 and turned to the APWG in 2010 to help with the development of a response utility to advise consumers who’ve fallen victim to offline phishing scams.

APWG worked with OFDP to create a fax coversheet available on the APWG’s education resources site that carriers can download and use to notify any victim of offline phishing. The fax coversheet also provides a link to other APWG resources, which will allow victims to submit a complaint to the appropriate clearinghouse, http://www.ftccomplaintassistant.gov and http://www.econsumer.gov.

Both sites feed FTC Sentinel – a consumer complaint database maintained by the U.S. Federal Trade Commission (FTC) – providing a valuable resource for certified government law enforcement and regulatory agencies from International Consumer Protection and Enforcement Network (ICPEN) member countries. More victims reporting to FTC Sentinel improves law enforcement’s ability to investigate and disrupt phishing operations.

OFDP identifies fax numbers from complaints sent to phishing@irs.gov. Before OFDP became involved in offline phishing, these numbers would remain active for months. Working with telecommunications providers, OFDP disables numbers in the majority of cases within 12 hours. This greatly reduces the potential window of opportunity for these phishers to harvest credentials. Approximately 250 numbers have been disabled in less than 18 months.

Soon after disabling these numbers, OFDP sought a way to educate the individuals – not all victims were in the U.S. – during the “teachable moment’ when they were about to fax in their information. OFDP worked with the Federal Trade Commission (FTC) to record an IRS audio landing page. When individuals attempt to fax to a disabled number, they will hear the IRS audio landing page – provided the carrier has chosen to participate in the program.

Upon realizing the audio landing page did not assist those that had already submitted their information and also not all carriers wanted to use it, OFDP reached out to APWG. APWG drafted the consumer fax coversheet and online content. APWG provided a well-known, well-respected brand that carriers would immediately recognize. Since the fax coversheet is not branded specifically for the IRS, any agency or institution targeted by offline phishing can benefit from its use.