If you haven’t already heard about the recent database breach that involved the theft of millions of email addresses, you probably will soon — in the form of spam and phishing scams.
Marketing and communications company Epsilon has not revealed which of its 2,500 clients were affected by the theft last week. But more than 30 companies have contacted their customers to warn them their email addresses were compromised.
As of Wednesday morning (April 6), those companies included Ameriprise Financial, Barclays Bank of Delaware, Bebe, Best Buy, Brookstone, Capital One Bank, Citi, City Market, The College Board, Dillons, Disney Destinations, Eddie Bauer, Ethan Allen, Food 4 Less, Fred Meyer, Fry’s, Hilton Hotels, Home Shopping Network, JPMorgan Chase, King Soopers, Kroger, Lacoste, LL Bean Visa Card, British retailer Marks and Spencer, Marriott Rewards, McKinsey & Co., Moneygram, New York & Company, Ralphs, Red Roof Inns, Ritz-Carlton Rewards, Target, TD Ameritrade, TiVo, U.S. Bank, Verizon and Walgreens.
Unconfirmed reports also named Scottrade, TIAA-CREF and Viking River Cruises.
Also named was World Financial Network National Bank, which issues many retail-branded credit cards, including the Victoria's Secret card. (Epsilon and World Financial Network National Bank are both divisions of Alliance Data Systems, headquartered in Plano, Texas.)
Many of the affected companies reassured customers that only email addresses were at risk, not any financial or other personal data.
However, it didn’t take long for security experts to warn that the email breach could lead to an increase in spear phishing — phishing scams that are specifically targeted to individual recipients.
“Hackers could send fake emails pretending to be your bank, pharmacy, hotel or any business that was a customer of Epsilon,” said Amol Sarwate, vulnerabilities research lab manager at Redwood Shores, Calif., security firm Qualys, in a press release.
“The email could look real and be convincing as attackers have the customer names and the company information that they did business with,” Sarwate said. “The email could ask unsuspecting users to click on a link which can ask for credit-card numbers, run malware, install spyware or carry out other attacks.”
Before you open an unsolicited email, Sarwate suggested asking yourself the following questions:
1. Does my institution usually send me an email? If customers get only monthly statement reminders via email, they should be cautious about any “out-of-band” email.
2. Does my institution ask me to click on links in an email? It is dangerous to click on links received in emails. A safer approach for visiting your institution’s website is to type in the URL manually, or to save the website among your favorites.
3. Is my institution asking me for personal information such as my Social Security number or credit-card numbers? If a web page that was opened as a result of an email link is asking for this kind of information, it is most probably a fraud.
4. Does this email really come from my institution? Because of how email works, it is not possible for everyday users to distinguish between emails sent by their institution and those sent by hackers.
Users should not trust unexpected emails, even if they have official logos or match the color scheme and other “look-and-feel” elements of their institution.
After all, it just takes one click for a compromise, as Sarwate pointed out.
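As an added illustration of questions 2 and 4 above (this is example code written for this page, not code from the article, from Qualys or from Sarwate), the following Python script runs two checks that a mail client or help desk could automate over a suspicious message: whether each link’s visible text names a different domain than the address it actually points to, and what the receiving mail server recorded in the Authentication-Results header for SPF and DKIM. The message, the brand, the domains and the header values are all constructed for the example; the registered-domain logic is a deliberate simplification (the last two labels, with no public suffix list).

```python
"""Heuristic triage of a suspicious e-mail: link-text/href mismatches and
recorded SPF/DKIM results. Example code; all data below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "bank" alert whose visible link text shows the
# bank's real-looking address while the href points at a look-alike host.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.net
Subject: Action required: verify your account
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued customer,</p>
<p>Please <a href="http://examplebank.com.login-verify.example/secure">https://www.examplebank.com/login</a>
to confirm your details.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
</body></html>
"""

_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)


def registered_domain(host):
    """Simplified 'registered domain': the last two labels of the host.
    (Real code should consult the public suffix list, e.g. for co.uk.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Return the hostname named by a URL or bare 'www.example.com/path'
    string, or None if the text does not look like an address at all."""
    text = text.strip()
    if "://" in text:
        return (urlparse(text).hostname or "").lower() or None
    if _HOSTLIKE.match(text):
        return re.split(r"[/:?#]", text, 1)[0].lower()
    return None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Flag anchors whose visible text names one domain while the href
    resolves to another: the classic phishing link disguise."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def auth_results(msg):
    """Parse spf=/dkim=/dmarc= results from Authentication-Results headers.
    Only the header added by *your own* receiving server is trustworthy;
    a sender can forge this header, and good receivers strip forged copies."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = result.lower()
    return results


def html_body(msg):
    """Return the decoded text/html part (works for single- and multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw_message):
    """Run both checks and return structured findings for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    auth, mismatches, findings = auth_results(msg), link_mismatches(html_body(msg)), []
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) and auth[method] != "pass":
            findings.append(f"{method}={auth[method]} for mail claiming to be from {sender_domain}")
    for m in mismatches:
        findings.append(f"link text shows {m['shown']} but points to {m['actual']}")
    return {"sender_domain": sender_domain, "auth": auth,
            "mismatches": mismatches, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("SUSPICIOUS:", line)
```

The second check only has value when the Authentication-Results header was written by your own mail provider; anything the sender put there is worthless, and a message that passes SPF and DKIM for a look-alike domain still passes. Neither check replaces the advice above to reach the institution by a typed or bookmarked URL rather than a link in the message.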
It’s important to note that the Epsilon breach is not an isolated incident.
“This is the second breach of an email marketing partner in the past six months,” said Alex Rothacker, director of security research for New York-based Application Security, Inc.’s TeamSHATTER. “The first was Silverpop, [which] compromised millions of records of major retailers back in December.”
So is there anything that consumers can do to better protect themselves from being affected by similar breaches in the future?
Yes, Rothacker said.
“It would be a good start to make sure to have a strong password on your email account, and any other sites that you use the same email [address] for,” Rothacker said.
“In general, it might be a good practice to use specific email accounts that you only use to register for a certain group of websites,” he said. “Depending on how secure you want to be, you could create several email addresses — one specific one for online banking, one for online shopping, and so on.”