Since Epsilon began notifying its customers last week that thousands of email addresses, and in some cases names, had been compromised in a security breach, experts have been warning people to be especially vigilant against phishing attacks.
Epsilon sends commercial email on behalf of dozens of companies. Epsilon has not released a comprehensive list of affected clients, but various news agencies and other sources have reported the following companies as apparently affected:
- Target
- Kroger
- TiVo
- Charter Communications
- US Bank
- JPMorgan
- Chase
- Capital One
- TIAA-CREF
- Scottrade
- Citi
- Home Shopping Network
- Ameriprise Financial
- LL Bean Visa Card
- McKinsey & Company
- Ritz-Carlton Rewards
- Marriott Rewards
- New York & Company
- Brookstone
- Walgreens
- The College Board
- Disney Destinations
- Best Buy
Most of these companies have been notifying their own customers about the breach, with reassurances that no private data such as Social Security numbers, user IDs, or passwords was compromised. Reportedly, the breach consisted of email addresses and, in some cases, first and last names.
Should You be Worried about the Epsilon Breach?
While Epsilon and its clients have been quick to point out that no confidential information was leaked, there are still dangers in having email addresses and names fall into the hands of fraudsters. First, it allows the creation of targeted, personalized spam. A recipient is more likely to take seriously an email from someone who knows their name. So instead of a phishing email that just says "Dear Sir, we want you to take possession of $10 million of unclaimed Nigerian money," it will likely address the person by name, possibly with a bogus explanation of where the sender got it, such as "you came highly recommended by our friends in the Commerce department." In the past, phishing attacks took a scatter-shot approach, sending you emails purportedly from a particular bank or institution and simply hoping you were a customer. What leaked here is not just addresses but the pairing of each address with a company the recipient actually does business with, so attackers can now tailor the lure to use a brand name you recognize and expect mail from.
Second, scammers can use your email address and name to contact companies you do business with, spoofing the From address so the message appears to come from you. Banks and financial institutions are unlikely to take action on your account based on an email alone, but some companies have fallen prey to this so-called "spear phishing" attack. In a recent case, a publishing company received emails from someone posing as its regular printer, asking that future checks be sent to a new address. It started to comply, but fortunately discovered the ruse in time to freeze the payments, which would have amounted to around $8 million. The bottom line is that not only do you have to be more vigilant than ever, but so do the banks, airlines, and other companies you use, since a message that carries your name and address is no proof that you sent it.
Protect Yourself and Fight Back
Technically, you should not have to do anything new, since you should already be careful enough not to fall victim to phishing scams. The dangers of phishing and other email scams were widespread long before the Epsilon breach, so these guidelines are only a reinforcement of good security practice, but for review, here they are:
- Never open email attachments unless you are sure of the sender, and remember that the From address can be spoofed. Check by phone if necessary; don't take it at face value that your friend has sent you a video you must download and run to view.
- Never provide confidential information such as passwords, account numbers, etc. in response to an email request.
- Don't follow links embedded in an email asking for authentication information, even if the email threatens to suspend your account if you don't. No legitimate company does this. If you think the request might be real, type the company's address into your browser yourself or call the number on your statement rather than using anything in the message.
- Keep your anti-virus / anti-malware protection running and up to date.
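Several of the checks above can be applied to a message before anyone acts on it. The following Python script is an added example, not code from the original article nor from Epsilon or any company named on this page: it parses a constructed sample message (every address, domain, and URL in it is made up) and flags a Return-Path that does not match the visible From address, link text that names one domain while the actual href points to another, and the "verify or be suspended" language the third guideline warns about. The two-label "registrable domain" heuristic is an assumption used to keep the example self-contained; a real tool would consult the public suffix list.

```python
"""Added example (not from the original article): flag common phishing
indicators in a raw email using only the Python standard library.

The sample message and every domain in it are constructed for this example.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an "account will be suspended" lure whose link text
# shows a bank domain but whose href points elsewhere, sent with a
# Return-Path that does not match the visible From address.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-example.net>
From: "Example Bank Security" <alerts@examplebank.com>
To: customer@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended unless you verify your details within 24 hours.</p>
<p><a href="http://examplebank.com.login-verify.example.net/auth">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Phrases typical of credential-phishing lures (assumed list, not exhaustive).
URGENCY_WORDS = ("suspend", "verify your", "within 24 hours", "immediately")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumption: last two labels of a hostname stand in for the registrable
    domain. A real tool would use the public suffix list (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(addr):
    """Registrable domain of an address such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return registrable_domain(m.group(1)) if m else ""


def shown_domain(text):
    """Domain the link text appears to name, or '' if it is not URL-like."""
    m = re.fullmatch(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?", text)
    return registrable_domain(m.group(1)) if m else ""


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Envelope sender vs. visible sender (the spoofing the article describes).
    from_dom = address_domain(msg["From"])
    rp_dom = address_domain(msg["Return-Path"])
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"sender mismatch: From={from_dom} Return-Path={rp_dom}")

    # 2. Threatening language asking the recipient to act now.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(w in text.lower() for w in URGENCY_WORDS):
        findings.append("urgency language: threatens account suspension")

    # 3. Links whose visible text disagrees with where they really go,
    #    or that leave the sender's domain altogether.
    parser = LinkExtractor()
    parser.feed(text)
    for href, shown in parser.links:
        real = registrable_domain(urlparse(href).hostname or "")
        claimed = shown_domain(shown)
        if claimed and claimed != real:
            findings.append(f"link text shows {claimed} but points to {real}")
        if real and from_dom and real != from_dom:
            findings.append(f"link domain {real} differs from sender domain {from_dom}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Treat the output as indicators, not a verdict: a Return-Path on a different domain from the From address is exactly what a legitimate bulk mailer such as Epsilon produces when it sends on a client's behalf, so the sender-mismatch finding on its own is weak evidence, whereas link text that names your bank while the href goes somewhere else is the classic sign of a credential-harvesting page and is the check worth doing by hand whenever a message asks you to log in.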
To help combat phishing and other email-based scams, forward them to phishing-report@us-cert.gov. Many institutions have their own addresses for reporting phishing emails that use their names; for example, Bank of America asks that any fraudulent email using its name be forwarded to abuse@bankofamerica.com. See Where To Report Phishing Scams for more ways and places to report phishing and other Internet fraud.
Sources:
http://www.cbsnews.com/stories/2011/04/05/tech/cnettechnews/main20050831.shtml
http://www.darkreading.com/security/vulnerabilities/229401102/experts-expand-warnings-of-spear-phishing-following-epsilon-breach.html