Anti-Phishing Working Group: Reports of Email Fraud and Phishing Attacks Jump Over 400% During the Holidays

APWG PRESS RELEASE
23-December-2003

Reports of Email Fraud and Phishing Attacks Jump Over 400% During the Holidays

Analysis of Unique Phishing Attacks Submitted to Anti-Phishing.org for the November and December 2003 Shows Dramatic Growth in Email Spoofing and Fraud Activity

Redwood City, CA – December 23, 2003 — Tumbleweed® Communications Corp.(Nasdaq:TMWD - News) and the Anti-Phishing Working Group today released the results of analysis of phishing scam attacks submitted to www.anti-phishing.org, the Internet's most comprehensive archive of email fraud and phishing attacks. This analysis identifies over 90 unique email fraud and phishing attacks sent out to millions of consumers over the past 60 days, with a dramatic increase in the number of attacks over the past two weeks in particular.

Phishing attacks involve the mass distribution of "spoofed" email messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers or credit card companies. These fraudulent messages are designed to fool the recipients into divulging personal data such as credit card numbers, bank account numbers and passwords, social security numbers, etc. Because these emails look "official," an average of 5% of recipients respond to them, resulting in financial losses, identity theft, and other fraudulent activity. In addition to the direct cost of fraud and the lingering effects of identity theft for consumers, this growing application of criminal spam threatens the integrity of companies that do business online.

The Anti-Phishing Working Group estimates that more than 60 million email fraud and phishing attacks have been sent out over the past two weeks, driven by scammers' desires to take advantage of the confusion of the holidays and the increased online transactions that take place during the gift giving season. There are a number of ingenious scams that play on the holiday theme. One example is a fake online Christmas card, designed to compromise AOL accounts. In this scam, the recipient receives a spoofed email from the "AOL Hallmark" team, and is asked to visit a website to pick up his/her card. In order to access the site (which is run by the scammer), the user is asked to log in to his or her AOL account, thereby divulging the account name and password. The compromised account can then be used to launch further phishing attacks, virus attacks, spam, or other nefarious activity.

In the last week, phishing attacks against the customers of major Internet Service Providers have been exploiting a recently unearthed vulnerability in the Microsoft Internet Explorer web browser. This vulnerability allows criminals to disguise a fraudulent Web address, making it appear exactly as if it were a legitimate Web site for a known brand that they trust. Phishers can now spoof the email address, Web site graphics, Web site address, and even the SSL-lock icon in the Web browser.

"Consumer phishing attacks are dangerous, and are quickly increasing both in number and in sophistication. To most Internet users, the emails and Web sites are indistinguishable from legitimate business communications. The spam epidemic has rapidly evolved from a nuisance to a real security threat with the shift from dubious advertising to financial crime and identity theft," said Dave Jevans, Chairman of the Anti-Phishing Working Group and a Senior Vice President at Tumbleweed Communications. "The Anti-Phishing Working Group was founded as an industry resource to address this critical challenge to individuals and companies on the Internet. At stake is our very trust that the Internet can be relied upon for safe and secure commerce and communications."

About the Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is focused on eliminating the problem of phishing and email spoofing attacks, by developing and sharing information about the problem, and promoting the visibility and adoption of industry solutions. Membership in the group is open to qualified financial institutions, corporations, law enforcement agencies, public policy groups and solution vendors.

The Web site of the Anti-Phishing Working Group is www.anti-phishing.org. It serves as a public and industry resource for information about the problem of phishing and email fraud, including identification and promotion of pragmatic technical solutions that can provide immediate protection and benefits against phishing attacks. The analysis, forensics, and archival of phishing attacks to the Web site are currently powered by Tumbleweed Communications' Message Protection Lab.

About Tumbleweed Communications Corp.
Tumbleweed is a leading provider of mission-critical Internet communications software products for enterprises, financial services organizations and government. By making Internet communications secure, reliable and automated, Tumbleweed's email firewall, secure file transfer, secure email, and identity validation solutions help customers significantly reduce the cost of doing business. Tumbleweed products are used by millions of end-users and tens of thousands of corporations. Tumbleweed customers include ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), Society for Worldwide Interbank Financial Telecommunication (SWIFT), St. Luke's Episcopal Healthcare System, the US Food and Drug Administration, and the US Navy and Marine Corps. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, Calif. For additional information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000.

SAFE HARBOR STATEMENT
Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the features, advantages, and performance characteristics of the Tumbleweed’s MMS email firewall and Secure Redirect products. In some cases, forward-looking statements can be identified by terminology such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans," "believes," "estimates," and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed June 4, 2003, Form 10-Q filed November 14, 2003, and Form S-3/A filed November 18, 2003.

Tumbleweed assumes no obligation to update information contained in this press release, including for example its guidance regarding its future performance, which represents the Company's expectations only as of the date of this release and should not be viewed as a statement about the Company's expectations after such date. Although this release may remain available on the Company's website or elsewhere, its continued availability does not indicate that the Company is reaffirming or confirming any of the information contained herein.

###
Contact:
Atomic PR
James Hannon
415/703-9454
james@atomicpr.com