• Home
  • ANTI-ABUSE-Dusseldorf

ANTI-ABUSE-Dusseldorf

Sponsored by: Abnormal AI

Anti-Abuse Working Group Agenda
 Location: Vodafone Campus, Dusseldorf, Germany, 20-21 November, 2025

Day 0 (19 November, 2025)

19:30 - Community Dinner (at own expense)
 Location: "Brauhaus Alter Bahnhof"
Maps link: https://maps.app.goo.gl/4XQa7f35nknsQmxQ8
(For those staying at "The Zipper" hotel, we meet at the lobby at 19:00 to go by foot)

Day 1 (20 November, 2025)

08:30 – 09:00

Registrations in the Lobby

09:00 – 09:25

Meeting Room: Sky Lounge 1

 

TLP: Green

Welcome session for both groups

Welcome speeches

  • Carlos Sanchez, Area Head Cyber Security, Vodafone Cyber Security Germany, 15'
  • Andrija Višić, Senior Community & Programme Manager, ETIS Central Office, 5'
  • Welcome by our sponsor, Abnormal AI, 5'

09:25 – 09:30

Groups separate and start their meetings

ANTI-ABUSE WORKING GROUP MEETING STARTS

IN THE SKY LOUNGE 2 CONFERENCE ROOM

09:30 – 11:00

Meeting Room: Sky Lounge 2

 

TLP: Amber

Session 1 (part I): Introduction and Roundtable + Company Updates

Introduction and Roundtable, 10'

 

Goal: Welcome speech and agenda overview, followed by a roundtable where all participants introduce themselves (only name, company, role).

 

Moderator: AAWG Chair

 

Company Updates, 40'

 

Goal: Each company is allocated 2 minutes to present recent challenges, threats, incidents, projects, and future plans. Also delivering expectations from this 2-day meeting. New members in the group receive a longer time slot, if requested.

 

A Power Point Template to fill in will be circulated to all members in advance of the meeting.

 

Update expected from:

  • BT Group
  • DT
  • KPN
  • Sunrise
  • Swisscom
  • TDC NET
  • Telenor Norway
  • Telia Company
  • Vodafone Germany

Session 1 (part II): Telco Threat Landscape 2026

"Phishing for Needles in Haystacks - Threat Landscape Risks & Challenges in the Age of AI"

Goal: Identify evolving abuse patterns—such as e-mail & SMS phishing, spam, smishing, and infrastructure exploitation—targeting telecom networks. By examining trends like the abuse of 5G-connected devices, compromised endpoints, and spoofed telecom identities, the discussion aims to enhance cross-sector collaboration on detection, response, and abuse reporting.

 

Presentation: Martin Rutkowski, Abnormal AI, 30' + Q&A

11:00 – 11:30

Coffee Break

11:30 – 12:30

Meeting Room: Sky Lounge 2

 

TLP: Amber

Session 2: "Best practices updates"

Theme: In every ETIS meeting, we look at the overview of best practices when it comes to implementation of:

  • Walled Garden
  • DMARC
  • P25
  • DNSSEC
  • DANE
  • BIMI
  • CAA
  • Antispam Layers
  • + etc.

Format: Every telco representative comments on the categories they filled in, in the excel template (please send the full file to av@etis.org by 18th November). Final Excel file is safely stored by ETIS, and not circulated. Only shown in in-person meetings of this group. 

 

Moderator: Chair and Vice-Chairs of the AAWG

 

Discussion: What has changed since the last update? Which companies would like to explain a certain way of doing things. All, 20’

12:30 – 13:30

Location - Vodafone Cantine

Lunch Break in the Vodafone Cantine

Area: EG B1 

13:30 – 15:30

Meeting Room: Sky Lounge 2

 

TLP: Amber

Session 3: "Fraud prevention intelligence - focus on fingerprinting of logins"

Goal: The goal of this session is to strengthen collaboration among telecom abuse and fraud experts across Europe by sharing intelligence and best practices on detecting and preventing fraud through advanced login fingerprinting techniques — improving our collective ability to identify anomalous access patterns, stop account takeovers, and reduce cross-operator fraud activity.

 

Presentation 1: LexisNexis Risk Solutions presentation, by James Rushe, Senior Engagement Manager, Banking & Telco, 45' + Q&A

  • Why device fingerprinting is necessary to counter fraud
  • How ThreatMetrix identifies devices & why network intelligence matters
  • Case studies - account takeover/synthetic ID detection, reduction of friction
  • Swiss Telco Consortium success

Presentation 2: How DFP is used in Deutsche Telekom (basic concepts + Threat hunting), Maximilian Gutowski, DT, 20' + Q&A

 

Moderator: AAWG Core-Team

 

15:30 – 16:00

Coffee Break

16:00 – 17:00

Meeting Room: Sky Lounge 2

 

 

Session 4: "Socially Engineered Email Attacks Targeting Telco Staff and Customers" 

Part I - Format:

  • Abuse management process in Vodafone Germany, Felix Ern and Mario Gumprich, 20 minutes + Q&A

Q&A session

 

+

 

Part II - Format: Roundtable discussion

 

Goal: Discuss trends in Business Email Compromise and Vendor Email Compromise targeting telecoms. How AI is used to identify high-trust relationship abuse in email. Telecom-specific case insights (e.g., SMS-based spoofing starts from email vectors). 

 

Moderators will start by setting the scene for the discussion.

 

Moderator: AAWG Core-Team

18:30 – 19:30

50-60 min walk around Dusseldorf - visiting historical places
Tour stops: https://maps.app.goo.gl/8uDVgo8AS8pLbFLU8?g_st=ic

If you depart from the Zipper hotel, meet at the lobby at 18:15 and have transport ticket ready.
Tour starts at 18:30 from Tonhalle/Ehrenhof. 
Tour ends at the restaurant Wilma Wunder restaurant at 19:30.

19:30 – 22:30

Fully-sponsored Community Dinner at Wilma Wunder, starting at 19:30.

Maps link: https://maps.app.goo.gl/pMeXLkUc3LFenFdS6

Anti-Abuse Working Group Agenda
 Location: Vodafone Campus, Dusseldorf, Germany, 20-21 November, 2025

Day 2 (21 November 2025)

JOINT SESSION FOR BOTH WORKING GROUPS IN THE  SKY LOUNGE 1

09:00 – 11:00

Meeting Room: Sky Lounge 1

 

TLP: Green

Session 5 (joint): "From Cheap to Compromised: Telco Response to Device-Driven Threats"

Joint Session with the CERT-SOC Working Group

Theme: Telecom operators increasingly face abuse and fraud challenges when customers unknowingly connect malware-infected devices purchased from untrusted online marketplaces. This session explores how anti-abuse and cyber fraud teams detect, mitigate, and respond to such threats while balancing privacy, scale, and customer experience.

 

Moderator: Andrija Višić, ETIS Central Office

 

Presentation 1: Thomas Lademann, Swisscom, 10'

 

Presentation 2: Piotr Kijewski, Shadowserver CEO, 50+'

 

Q&A session: 5-10'

 

Presentation 3: Fabian Marquardt, Cyber Threat Intelligence Analyst, Deutsche Telekom, 15' + Q&A

  • Discovery and tracking of adversary infrastructure related to ORB and proxy networks
  • Blocking of ORB and Proxy network infrastructure to protect customers

 

Moderated discussion, 15'

 

Other presentations:

“ETIS as a European Telco ISAC – update”, Andrija Višić, ETIS CO, 5’

11:00 – 11:30

Coffee Break

GROUPS SEPARATE - SUPPLIERS CAN CHOOSE WHICH GROUP TO JOIN FOR SESSION 6

ANTI-ABUSE WORKING GROUP MEETING STARTS

IN THE SKY LOUNGE 2 CONFERENCE ROOM

11:30 – 12:30

Meeting Room: Sky Lounge 2

 

TLP: Amber

Session 6: ”Real-World Examples of AI used in Phishing Globally”

Part I - Format & Goal: Telecom operators and suppliers will have guided, problem-solving conversations during this session. 45'

 

Please come prepared to answer the following:

  • What types of email compromise do we see most often in telecom operations today, and how could behavioural AI help detect them earlier?
  • How should we define “normal” behaviour for internal teams, vendors, and automated systems?

  • Where do our current filters fail: novel spam patterns, language manipulation, evasion tactics?

     

  • How should AI models adapt in real time to emerging spam campaigns?

  • Which telecom data streams (SS7, DNS, signalling, messaging metadata, roaming, billing) could AI analyse for fraud anomalies?

     

  • How can AI improve identification of:

    • Wangiri callbacks

    • SIM swap fraud

    • International revenue-share fraud

    • Subscription and device financing fraud

  • What are the most common impersonation scenarios affecting our brand today?

     

  • How can AI monitor external channels (SMS, social media, web domains) for brand misuse?

  • Other? Email Andrija at av@etis.org 

 

Part II - Demo session:

  • Martin Rutkowski, Abnormal AI, 15'

 

Moderator: AAWG core-team

12:30 – 13:30

Location - Vodafone Cantine

Lunch Break in the Vodafone Cantine

Area: EG B3 - wooden benches

13:30 – 14:45

Meeting Room: Sky Lounge 2

 

TLP: Amber

Session 7: "Bridging CERT/SOC/CSIRT and Anti-Abuse Teams: Enhancing Telecom Cybersecurity Through Data Sharing"

Moderator: AAWG Chair

 

A subset of CERT-SOC group members would be invited to join for this discussion (experienced in data sharing)

 

Schedule:

  • Introduction, Frank Lindberg, Telia Company, 5'
  • Core-matter discussion, KPN colleagues + Thomas Lademann, Swisscom + Tobias Knecht, Abusix, 20'
  • WG members discussion, 20'

 

Theme & Goal: This technical session delves into real-world examples of how CERT, SOC, and CSIRT teams in telecom environments collaborate with anti-abuse and fraud departments to detect and mitigate complex threats. It highlights the exchange of enriched indicators of compromise (e.g., DNS sinkhole hits, command-and-control IPs, malware hashes), SIM swap detection signals, signaling abuse (SS7/Diameter/GTP) data, and customer behavior anomalies correlated with threat actor TTPs. Case studies include coordination on APT-attributed phishing campaigns targeting subscribers, large-scale smishing attacks, and insider fraud investigations. Participants will gain insights into the data pipelines, SIEM integrations, and API-based sharing models that make these collaborations effective, along with considerations around data sensitivity, retention, and regulatory compliance.

14:45 – 15:00

Meeting Room: Sky Lounge 2

 

TLP: Amber

Session 8: Various topics

Theme: TBC

 

Operators and suppliers to propose presentations or discussion topics, e.g.:

  • Walled Garden (updates from last time)
  • Outbound Email Monitoring & Botnet Detection (Presentations expected from telecom operators showing bast practices, and suppliers providing detection tools)
  • Other? Email Andrija at av@etis.org 

15:00 – 15:15

Meeting Room: Sky Lounge 2

 

TLP: Green

Closing Session

A short session dedicated to follow-ups and discussing topics that arose during the meeting’s discussions. Participants will brainstorm and compile a list of future topics for consideration in upcoming ETIS events.

Before leaving, participants are kindly requested to fill out the Feedback Form.

Event Context and Expectations

This meeting is a collaborative knowledge-sharing event, where success relies on active preparation and engagement from all participants.

  • Participants are invited to prepare presentation(s) relevant to one of the main sessions (ideally addressing one or more of the suggested topics within that session).
  • Topic selection confirmation with the organizer by early October and draft presentation submission by early November.
  • Meeting is held under Chatham House Rules + TLP rules, following ETIS confidentiality guidelines and anti-trust policy.

Event Sponsorship and Participation

This event is fully sponsored by ETIS and its partners and sponsors, covering all meals, coffee breaks, the guided tour, and the farewell reception. Participation is free of charge & is open to ETIS member companies. Sponsors and Guests will receive special invites.

Attendees are expected to actively contribute to discussions and presentations. 

Registration and Support

If you have not yet registered for the event, or if other colleagues from your organization wish to register, please visit the website: HERE

For any questions, requests, or support, please do not hesitate to reach out to the organizer.

 

ETIS Central Office contact:

Andrija Višić

av@etis.org / +324 95 26 25 26 (Signal)