Chances are that if you receive emails from a credit card company, a hotel rewards program or an online merchant, you will be the target of an email scam resulting from the Epsilon records heist, which could turn out to be the largest data breach in U.S. history.
On March 30, cybercriminals stole millions of records from Epsilon, a marketing firm that handles email campaigns for America's biggest brands. The company estimated that around 50 of its clients were compromised, including JPMorgan Chase, Target, Verizon and Kroger.
Two weeks later, former Epsilon clients joined the list of affected firms. To date, more than 100 companies have sent warnings to their customers.
Epsilon officials said that only names and associated email addresses were stolen, but pharmaceuticals giant GlaxoSmithKline, a former Epsilon client, informed its customers that along with email addresses, first names and last names, the product websites tied to their registration records were also stolen.
Names, email addresses and even drug information make it much easier for criminals to craft persuasive, personalized emails that could prompt consumers to supply their coveted credit card numbers, turning ordinary phishing into spear phishing.
Spear phishing refers to a targeted attack, one that uses names and other personal data. No surprise that spear phishing has a better "success" rate than anonymous phishing campaigns.
Don't be fooled. Here's what to look for, what to do if you find an Epsilon-related scam, and how to set up a better protective system in the future.
Only seven days elapsed before the Better Business Bureau reported the first spear phishing attack resulting from the Epsilon breach. Fake "Chase Bank" emails warned that "your account" would be deactivated or deleted if you did not update your profile immediately, according to a BBB statement issued on April 7. The email instructed account holders to update their accounts by clicking on the link provided.
Expect similar phishing emails to land in your inbox. When you spot an email from a merchant, you may open it, but do not reply to the email and do not click on a link contained in it. If you have questions, go to the merchant's website and send a query or call the customer service number from that site.
Beware of fake Epsilon webpages. On April 14, a fake Epsilon page was discovered. The website claimed to have an update from Epsilon, which was a downloadable file called "Epsilon Secure Connect Tool."
The file named EpsilonSecureConnect.exe contained malicious code that could search for and steal sensitive information from computers without the users' knowledge.
The only legitimate website for Epsilon is epsilon.com. Avoid searching for this term.
Report, protect, trap
First, report spear phishing emails to the government's Computer Readiness Emergency Team, part of the Department of Homeland Security: email@example.com.
Second, take this opportunity to strengthen your email account password and any online accounts associated with companies that could have been compromised. Use a combination of upper and lower case letters, numbers and special characters. Use separate passwords for email and banking or other financial accounts.
Third, set a trap for spammers.
Gmail, Hotmail and Yahoo Mail allow you to easily create a separate email address each time you subscribe to a newsletter or opt in for coupons or other online merchandising programs.
The technique is called plus addressing. The trick is to create an alias email with an identifying string between the real email address and the @ sign and domain. For instance, if your Gmail address is AlbuquerqueTech@gmail.com and you want to sign up for a Best Buy rewards program, create a new email, AlbuquerqueTechfirstname.lastname@example.org, and use it when you register for the program.
Go to My Account in Gmail and select "Edit" under Email accounts. Go to the section with the heading "Add an alternate email address to your account," type in the new address and click "Save." Gmail will automatically send email from these new accounts to your primary Gmail account.
If you receive an email at that address with anything other than what you asked for, you'll know the company has been compromised or is selling your email address to spammers. Immediately create a filter that will delete all emails addressed to AlbuquerqueTechemail@example.com. Check the box next to the offending email, open the "More actions" drop-down menu and select "Filter messages like these." Click "Next step," choose "Delete it" and click "Create Filter." You'll never see one again.
Hotmail and Yahoo Mail work in a similar way. AOL does not offer alias addresses.
In the event that you actually want email -- just not spam -- from this sender, register again with a different alias email and resubscribe.
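The trap described above can also be checked automatically. The following is an added example, not part of the original article: it reads the alias tag from each recipient address and flags mail that arrives on an alias from a sender you never gave it to. It assumes the "+" separator Gmail uses for plus addressing; the EXPECTED_SENDERS table, the tags, the domains and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical registry: alias tag -> sender domains you actually signed up with.
EXPECTED_SENDERS = {
    "shoprewards": {"shop.example"},
    "hotelpoints": {"hotel.example"},
}

def plus_tag(address):
    """Return the tag in local+tag@domain, or None if the address has no tag."""
    local = address.rpartition("@")[0]
    base, sep, tag = local.partition("+")
    return tag.lower() if sep and base and tag else None

def sender_domain(msg):
    """Domain of the From address, lower-cased. From is forgeable, so a
    match only means 'not obviously leaked', never 'safe to click'."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_message(raw):
    """Return 'untagged', 'expected', 'unknown-tag' or 'leaked:<tag>'."""
    msg = message_from_string(raw)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    tags = [t for t in (plus_tag(addr) for _name, addr in recipients) if t]
    if not tags:
        return "untagged"
    dom = sender_domain(msg)
    for tag in tags:
        allowed = EXPECTED_SENDERS.get(tag)
        if allowed is None:
            return "unknown-tag"
        if not domain_matches(dom, allowed):
            return "leaked:" + tag   # alias reached someone it was never given to
    return "expected"

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Rewards <news@mail.shop.example>\nTo: me+shoprewards@example.com\nSubject: Coupons\n\nhi",
    "From: Bank <alert@bank-update.example>\nTo: me+shoprewards@example.com\nSubject: Update your profile\n\nhi",
    "From: friend@example.net\nTo: me@example.com\nSubject: lunch\n\nhi",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_message(raw))
```

A "leaked" result is the cue to delete-filter that alias and register a fresh one with the merchant.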
Ogden-based TopTenREVIEWS.com guides consumers by comparing products in the world of technology, including electronics, software and Web services. Have a question for TopTenREVIEWS? E-mail Leslie Meredith at firstname.lastname@example.org.