Redwood City, CA – April 20, 2004 – Tumbleweed® Communications Corp. (Nasdaq:TMWD - News) and the Anti-Phishing Working Group today released the “Phishing Attack Trends Report” for March 2004, an analysis of phishing scam attacks submitted to www.antiphishing.org, the Internet’s most comprehensive archive of email fraud and phishing attacks. This analysis identifies that email fraud and phishing attacks grew by more than 43% in March, with an average of 13 new, unique attacks sent out to millions of consumers each day. A copy of the report may be downloaded free of charge at http://www.antiphishing.org/APWG_Phishing_Attack_Report-Mar2004.pdf.

Phishing attacks use 'spoofed' emails and fraudulent websites to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers, ISPs and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. The result of these scams is that consumers suffer credit card fraud, identity theft, and financial loss.

In March, there were 402 unique phishing attacks reported to the Anti-Phishing Working Group. This was a 43% increase over the number of attacks reported in February 2004, and represents a monthly growth rate of over 50% per month since December. While the average number of phishing attacks per day in March was 13, analyzing this information on a weekly basis shows an increasing trend with a peak of 14.9 attacks per day in the third week of March. Further, this marks the first time that we’ve seen more than 100 unique attacks in a week – occurring twice in March.

• The company most-targeted by phishing attacks in March was, once again, eBay with 110 unique attacks.
• The most-targeted industry sector was Financial Services with 256 unique attacks
• The Financial Services sector averaged 8.3 phishing attacks per company in March.
• In March, an alarming new phishing technique was identified that replaces a browser’s Web Address bar with a fake, disguising the fact that the user is on a fraudulent website

For more information and analysis, please download a copy of the “Phishing Attack Trends Report” for March 2004 free of charge at http://www.antiphishing.org/APWG_Phishing_Attack_Report-Mar2004.pdf.

"The growing number of phishing attacks and their increased sophistication has serious security implications for both consumers and companies doing business online,” said Dave Jevans, Chairman of the Anti-Phishing Working Group and a Senior Vice President at Tumbleweed Communications. “Consumers need to apply the same level of privacy and security about giving out their personal financial information on the Internet as they would in the real world. And banks, e-commerce companies, and ISPs need to help their customers identify valid communications more effectively, and avoid fraudulent offers. New anti-fraud toolbars being introduced by eBay and Earthlink are excellent first steps in this process, but much more needs to be done to raise the bar and make it harder for phishers to make money at these scams.”

About the Anti-Phishing Working Group

The Anti-Phishing Working Group (APWG) is focused on eliminating the problem of phishing and email spoofing attacks, by developing and sharing information about the problem, and promoting the visibility and adoption of industry solutions. Membership in the group is open to qualified financial institutions, corporations, law enforcement agencies, public policy groups and solution vendors.

The Web site of the Anti-Phishing Working Group is www.antiphishing.org. It serves as a public and industry resource for information about the problem of phishing and email fraud, including identification and promotion of pragmatic technical solutions that can provide immediate protection and benefits against phishing attacks. The analysis, forensics, and archival of phishing attacks to the Web site are currently powered by Tumbleweed Communications' Message Protection Lab™.

About Tumbleweed Communications Corp.

Tumbleweed is a leading provider of secure Internet messaging software and appliances for enterprises and government agencies. By making Internet communications secure, reliable and automated, Tumbleweed's anti-spam email firewall, secure file transfer, secure email, and identity validation solutions help customers significantly reduce the cost of doing business. Tumbleweed products are used to communicate with millions of end-users and tens of thousands of corporations. Tumbleweed has more than 600 enterprise customers, including ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), St. Luke's Episcopal Healthcare System, the US Food and Drug Administration, and the US Navy and Marine Corps. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, California. For additional information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000.

SAFE HARBOR STATEMENT
Tumbleweed cautions that forward-looking statements contained in this press release are based on current plans and expectations, and that a number of factors could cause the actual results to differ materially from the guidance given at this time. These factors are described in the Safe Harbor statement below.

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the requirements associated with digital certificate validation. In some cases, forward-looking statements can be identified by terminology such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans," "believes," "estimates," and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed March 15, 2004.

Tumbleweed assumes no obligation to update information contained in this press release, including for example its guidance regarding its future performance, which represents the Company's expectations only as of the date of this release and should not be viewed as a statement about the Company's expectations after such date. Although this release may remain available on the Company's website or elsewhere, its continued availability does not indicate that the Company is reaffirming or confirming any of the information contained herein.

Contact:

Atomic PR
James Hannon, 415-703-9454
james@atomicpr.com

Source: Tumbleweed Communications Corp.