June 22, 2004

More than a dozen top brands in the banking, retail, telecommunications and computing technology fields joined forces Wednesday to form a group dedicated to putting the kibosh on phishing.

Dubbed the Trusted Electronic Communications Forum (TECF, pronounced "tech-eff"), the consortium is composed of 17 member companies, including IBM, AT&T Wireless, E*Trade, National City Bank, Best Buy and Charles Schwab.

The TECF joins the same space as the Anti-Phishing Working Group (APWG), which was founded in 2003 and counts more than 250 companies on its roster.

TECF wants to put an end to phishing attacks -- as well as spoofing and other online identity theft threats, said its chairman, Shawn Eldridge. In his day job, Eldridge is an executive with message security firm PostX, one of the founding companies in the group.

"Phishing has evolved and grown so much in the past several months that it's not only eroding the value of e-mail and impacting e-commerce, but it's destroying enterprise brands and their reputations, which are worth billions," said Eldridge.

In the short term, the TECF will create guidelines for enterprise anti-phishing best practices and help establish a system for businesses and consumers to report phishing scams. In the long run, however, the TECF has loftier goals.

"We're going to focus on producing or helping ratify technology standards for industry-wide phishing and spoofing solutions," said Eldridge, "and assist in the prosecution of phishers."

The syndicate will sport four working groups, including ones dedicated to standards, best practices, social engineering and government affairs.

"We're going to be a think tank, so to speak," on phishing and spoofing issues and solutions," added Eldridge. "Our smaller size, just 17 members -- and we won't be accepting new members immediately -- gives us a huge advantage to combat phishing. We can be more nimble, and with a smaller group, everyone's able to freely voice opinions. That's hard to do in larger associations."

The TECF isn't the first organization to concentrate on phishing and spoofing. But Eldridge doesn't see the TECF butting heads with the APWG.

"I see us as complementary to APWG. They've been focusing on the policy side, and establishing the qualitative and quantitative aspects of the problem. We're going to solely focus on the technology standard and government affairs side."

Avivah Litan, a vice president and research director at Gartner who tracks phishing, spoofing and spyware issues, isn't so sure.

"You wonder why there has to be two groups if they're both after the same thing in the end: standards," she said. "But maybe it's a good thing. You usually get better ideas in a competitive market."

Dave Jevans, the chairman of the APWG, also reacted to the news of TECF's formation. "There might be some duplication of efforts and goals," he said, "but we're happy to work with other groups, something we already do with, for instance, the FSTC [Financial Services Technology Consortium] and ITAA [Information Technology Association of America]."

"But if TECF will be proposing more standards, I think that will be counter-productive," he added. "We've seen all kinds of movement on coming to agreement on e-mail authentication standards in the last six months. It's been real positive. And standards, after all, are more the concern of members of any group, not the group itself," Jevans argued.

What everyone agrees on, however, is that phishing and spoofing can't be solved by one company, and that by banding together, maybe something can be done.

"If you think about it, nothing you can do as a single enterprise is going to solve this. How can one company control phishing when they don't have access to the desktop or the browser?" asked Litan. "There needs to be a global, or at least a national, solution to this."

"Although phishing attacks started by targeting banks or financial service companies," added Eldridge, "now it's a problem for virtually every industry. That was the genesis of the idea that no one company can solve this, that no one vertical market is positioned to deal with it."

Litan's not optimistic about a quick fix.

"To tell you the truth, I am discouraged," Litan said. "Something has to be done about all this unwanted communication. It just won't go away on its own. But no one seems to want to do anything."

As an example of this do-nothing attitude, she cited the Federal Trade Commission's decision Tuesday to pass on assembling a Do Not Spam list under the CAN-SPAM Act.

"I'm not expecting the government to come riding in on a white horse on spam or phishing or spoofing," Litan said.

But at least companies are getting together to discuss the problem.

"It's a good thing to get people to talk about phishing, share information, [and it] maybe even lead to sharing some sort of front-end solution," she said.

"In the end, though, it's going to take an Internet-level solution -- authentication technologies applied across the entire Net -- to stop phishing. And I don't know if that will happen any time soon," Litan said. "Instead, what's likely is that there will eventually be companies producing better anti-phishing defenses, and corporations and consumers will go out and buy them."