Redwood City, CA – February 17, 2004 – Tumbleweed® Communications Corp. (NASDAQ:TMWD - News) and the Anti-Phishing Working Group today relreleased the "Phishing Attack Trends Report" for January 2004, an analysis of phishing scam attacks submitted to www.anti-phishing.org, the Internet's most comprehensive archive of email fraud and phishing attacks. This analysis identifies that email fraud and phishing attacks grew by more than 50% in January, with an average of 5.7 new, unique attacks sent out to millions of consumers each day. A copy of the report may be downloaded free of charge at http://www.antiphishing.org/APWG.Phishing.Attack.Report.Jan2004.pdf.

Phishing attacks involve the mass distribution of "spoofed" email messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers or credit card companies. These fraudulent messages are designed to fool the recipients into divulging personal data such as credit card numbers, bank account numbers and passwords, social security numbers, etc. Because these emails look "official," up to 5% of recipients may respond to them, resulting in financial losses, identity theft, and other fraudulent activity. In addition to the direct cost of fraud and the lingering effects of identity theft for consumers, this growing application of criminal spam threatens the integrity of companies that do business online.

In January, there were 176 new, unique phishing attacks reported to the Anti-Phishing Working Group. This was a 52% increase over the number of attacks reported in December. While the average number of phishing attacks per day in January was 5.7, analyzing this information on a weekly basis shows an increasing trend with a peak of 7.1 attacks per day in the third week of January. Other interesting results from this analysis include the following:

• The company most-targeted by phishing attacks in January was, once again, eBay
• The most-targeted industry sector was Financial Services
• 8% of the reported phishing attacks took advantage of the recently patched Microsoft IE browser vulnerability that allows Web site addresses to be disguised
• Phishing attacks that fool recipients into downloading keyloggers and other Trojan programs represent an emerging threat, and illustrate the growing sophistication of phishing attacks

For more information and analysis, please download a copy of the "Phishing Attack Trends Report for January 2004" free of charge at http://www.antiphishing.org/APWG.Phishing.Attack.Report.Jan2004.pdf.

"Phishing attacks are quickly increasing both in number and in sophistication, and pose a serious threat to consumers and the companies they do business with online," said Dave Jevans, Chairman of the Anti-Phishing Working Group and a Senior Vice President at Tumbleweed Communications. "Even the most sophisticated user of the Internet will be hard-pressed to distinguish these fraudulent "phishing" emails and websites from legitimate business communications. The spam epidemic has evolved from a nuisance to a real security threat with this shift to financial crime and identity theft. The Anti-Phishing Working Group was founded as an industry resource to address this critical challenge to individuals and companies on the Internet. At stake is our very trust that the Internet can be relied upon for safe and secure commerce and communications."

About the Anti-Phishing Working Group

The Anti-Phishing Working Group (APWG) is focused on eliminating the problem of phishing and email spoofing attacks, by developing and sharing information about the problem, and promoting the visibility and adoption of industry solutions. Membership in the group is open to qualified financial institutions, corporations, law enforcement agencies, public policy groups and solution vendors.

The Web site of the Anti-Phishing Working Group is www.antiphishing.org. It serves as a public and industry resource for information about the problem of phishing and email fraud, including identification and promotion of pragmatic technical solutions that can provide immediate protection and benefits against phishing attacks. The analysis, forensics, and archival of phishing attacks to the Web site are currently powered by Tumbleweed Communications' Message Protection Lab(TM).

About Tumbleweed Communications Corp.

Tumbleweed is a leading provider of secure Internet messaging software products for enterprises, financial services organizations and government. By making Internet communications secure, reliable and automated, Tumbleweed's email firewall, secure file transfer, secure email, and identity validation solutions help customers significantly reduce the cost of doing business. Tumbleweed products are used by millions of end-users and tens of thousands of corporations. Tumbleweed customers include ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), Society for Worldwide Interbank Financial Telecommunication (SWIFT), St. Luke's Episcopal Healthcare System, the US Food and Drug Administration, and the US Navy and Marine Corps. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, Calif. For additional information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000.

SAFE HARBOR STATEMENT
Tumbleweed cautions that forward-looking statements contained in this press release are based on current plans and expectations, and that a number of factors could cause the actual results to differ materially from the guidance given at this time. These factors are described in the Safe Harbor statement below.

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the impact of, and trends related to, email fraud and phishing activity. In some cases, forward-looking statements can be identified by terminology such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans," "believes," "estimates," and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed June 4, 2003, Form 10-Q filed November 14, 2003, and Form S-3/A filed December 19, 2003.

Tumbleweed assumes no obligation to update information contained in this press release, which represents the company's expectations only as of the date of this release and should not be viewed as a statement about the company's expectations after such date. Although this release may remain available on either company's website or elsewhere, its continued availability does not indicate that the company is reaffirming or confirming any of the information contained herein.

Contact:

Atomic PR
James Hannon, 415-703-9454
james@atomicpr.com

Source: Tumbleweed Communications Corp.