The Epsilon Threat – How a Company You’ve Never Heard of Increased Your Risk of Personalized Phishing Scams

Chances are you’ve received an email alert in the last few days from a company you know that informs you of a data breach at Epsilon that allowed your name and email address to be collected by crooks. This email isn’t a scam. If you’ve received a notice, read on…

Epsilon Data Management is an enormous email marketing service provider that claims to hold the email records of 250 million consumers worldwide (and a huge amount of additional information, but they claim that only email aliases and full names were hacked). They have these records because Epsilon manages many companies’ email lists, takes care of complaints, and sends out emails on behalf of clients. And their clients include Target, Best Buy, JPMorgan Chase, The College Board, Walgreens, Citibank, Marriott, Disney, Capital One, Kroger, and more.

Collecting email aliases and users’ names is a bigger deal than you may realize. If crooks can associate names and aliases with businesses you use – banks, stores, schools, etc. – they have the ability to create very realistic scams. For example, they could send victims an email that appears to be from one of these compromised companies, complete with the right logo and graphics, personalize it to the recipient as if they knew them, and most users would fall for the exploit. If the crooks spend a little extra time to look up these individuals through government records, the scam emails could even include additional identifiers like recipients’ home addresses.

Two actions need to be taken

There is some explaining to be done. Epsilon not only has to explain this mess to their clients, they need to make some content management changes. Why the email addresses weren’t encrypted is a key question, as is how they allowed their security to be breached. The companies that you entrusted your information to also have some explaining to do, because blaming their vendor isn’t really sufficient. When companies make promises about the safe handling of their users’ information, that obligates them to ensure that any vendors will comply with those standards – yet it would appear that companies did not check the Epsilon security processes well enough. (Why didn’t the companies identify that email aliases weren’t encrypted? What other security tests did they fail to run against this vendor?)

The second action is learning to identify scams, and this is one for consumers to undertake. Scams have rapidly evolved. Though your junk mail folder still sees the completely obvious and amazingly stupid scams, the ones that manage to fool the spam filters are likely to fool you too.

The advanced scams appear to come from a legitimate source – a company you do business with or a friend. They may have all the right ‘packaging’ – logo, terms of use, graphics, etc. They may appear to know you well, using information gleaned from social networking sites and the like. They may look official. In fact, they may be indistinguishable from real email in all but the smallest details – like where a supplied link might land you – so looks alone cannot guarantee your safety.

To really be safe you need to consistently follow the 14 Steps to Avoiding Scams:

  1. Slow down; do not let a sense of urgency or high-pressure sales tactics influence your careful review.
  2. Look for errors in spelling, grammar, layout, etc.
  3. Research the facts in a search engine or contact the company directly (see #6). If the offer is for an investment, have someone at your bank, a financial consultant, or a trusted advisor review the deal.
  4. Delete any request for personal financial information – like bank account or bank routing information, or credit card numbers.
  5. Reject offers of help, or requests for help. If you did not specifically request assistance from the sender, consider any offer to help restore credit scores, refinance a home, etc. a scam. Similarly, requests for help like charity scams tug on heartstrings – especially after a disaster. Seek out reputable charitable organizations on your own to avoid falling for a scam.
  6. Drive, don’t be pulled. Never, ever, click on a link in an email – find the site yourself through a search engine to be sure you land where you intend to land. Hovering over a link shows the actual URL at the bottom of the email, but a good fake can still steer you wrong. Never use phone numbers from the email; look them up yourself.
  7. Downloads are dangerous – if you don’t know the sender personally AND expect a file from them, downloading is a mistake.
  8. Foreign offers are fake – like any foreign lotteries or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money.
  9. Overpayments are obvious – no legitimate person, company or organization is going to send you a real check for more than the cost of the item you are selling. These are always counterfeit cashier’s check or money order scams where you will be stuck with the bill.
  10. Check out the check or money order. You are responsible for any check you deposit – even if you don’t know it’s fake. This means any counterfeit check sent to you as ‘prize money’ from a lottery or sweepstakes, ‘payment’ for being a secret shopper, or payment for an item you sold will leave you holding the debt. Always verify the check with the bank to be sure it is legitimate, and that the funds are covered, before depositing or cashing it, or sending whatever item was ‘purchased’.
  11. Emotions cloud judgment – scammers manipulate emotions. If you’re financially stressed, lonely, angry, sad, overly happy, frustrated, looking for romance, etc., you’re more likely to fall for fraud. Put emotions aside as you evaluate phone calls, mail, email, online offers, or notices.
  12. Curiosity leads to careless clicking – if you don’t know what the email is about, clicking links or sharing information are poor choices.
  13. Free has a price tag – and it’s usually more than you bargained for.
  14. Chain letters choke servers and may steal your ID, corrupt your computer, or harm friends. Don’t pass them on.

Once you’ve reviewed these safety measures, get some extra training by using our spot the spam scam examples to stay ahead of the crooks. Though the examples are displayed as email scams, they apply no matter what the circumstance or the method of delivery. You may want to return a few times a year, as periodic practice helps you stay up-to-date on the latest scam styles and refresh your defenses.
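Step 6 above turns on a detail that is easy to miss by eye: the text a link displays and the address it actually opens are two separate things in an HTML email, and a good fake makes them disagree. The short script below automates that check so a mail administrator or a cautious reader can see the mismatch rather than hover for it. It is an added illustration, not code from this blog or from Epsilon; the sample message and every domain name in it are constructed placeholders, and the list of domains a sender is expected to link to is an assumption you would fill in for your own organisation.

```python
"""Flag links in an HTML email whose visible text and real destination disagree.

Added example (not part of the original post). The sample message and the
domain names below are constructed; `expected_domains` is an assumed allowlist
of domains a given sender legitimately links to.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside the link's visible text,
# e.g. "www.example-bank.com" in "https://www.example-bank.com/login".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for the comparison here; a production filter would use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html, expected_domains):
    """Return a list of (href, visible_text, reason) for links worth a second look.

    Two checks: (1) the visible text names one domain but the href goes to
    another; (2) the href host is not one of the sender's expected domains.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = urlparse(href).hostname or ""
        if not host:
            continue  # mailto:, relative links, empty hrefs: nothing to compare
        target = registrable(host)
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != target:
            findings.append((href, text,
                             "text shows %s but link goes to %s" % (shown.group(1), host)))
        elif target not in expected_domains:
            findings.append((href, text,
                             "link host %s is not a known domain for this sender" % host))
    return findings


# Constructed sample: a look-alike login link, a genuine contact link, and an
# unsubscribe link that goes to an unrelated tracking host.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Customer, please <a href="http://example-bank.com.account-verify.example/login">
https://www.example-bank.com/login</a> to confirm your details.</p>
<p>Or call <a href="http://www.example-bank.com/contact">our support page</a>.</p>
<p><a href="http://tracking.example-net.example/x?u=123">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, {"example-bank.com"}):
        print("SUSPICIOUS: %s\n  shown as: %r\n  %s" % (href, text, reason))
```

Run against the constructed sample, the script reports the look-alike login link (its visible text names the bank, its href does not) and the unsubscribe link (its host is outside the bank's known domains), while the genuine contact link passes. The same mismatch is what the hover check in step 6 reveals manually; a mail gateway can apply it to every inbound message.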

Watch the ilookbothways website for a series of upcoming blogs highlighting the latest smart spam scams.

Linda
