Epsilon Compromised by Spear-Phishing. Bad Guys Get Email Addresses.

On April Fools’ Day, early reports circulated that Epsilon, the large email service company, had lost email addresses of many of its prominent customers. This turned out NOT to be an April Fools’ joke: the names and email addresses used by Epsilon’s customers had, in fact, been compromised. Reuters reports that email lists used by Citibank, Walgreens and Best Buy had all been compromised. In fact, as reported by SecurityWeek, dozens of brands were impacted, including JPMorgan Chase, US Bank, Target, Home Shopping Network, The College Board, and Marriott Rewards.

How could this happen? Epsilon was the victim of a spear-phishing attack. A spear-phishing attack occurs when bad guys send a carefully crafted email to a small number of people in order to entice the recipients to take a desired action. In this case, the bad guys sent emails to a small number of Epsilon employees over the course of two days. The subject of the emails was “2011 Recruitment Plan.” When an employee opened the attached spreadsheet, malware in the attachment gave the bad guys access to that employee’s PC. As a result of this breach, the email lists were stolen.
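A defender can hunt for this delivery pattern in mail-gateway logs. The following is an added example, not part of the original post: it flags external messages carrying a spreadsheet that share a subject and reach only a few internal recipients within two days. The pipe-delimited log format, the domain `corp.example` and the thresholds are assumptions, and every sample record is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"   # assumption: the organisation's own mail domain
SPREADSHEET_EXT = (".xls", ".xlsx", ".xlsm", ".csv")
MAX_RECIPIENTS = 10                # assumption: what counts as "a small number"
WINDOW = timedelta(days=2)         # the post describes a two-day campaign

# Constructed records: timestamp|sender|recipient|subject|attachment
SAMPLE_LOG = "\n".join([
    "2011-01-10T09:12:00|hr-team@mail.example|alice@corp.example|2011 Recruitment Plan|2011 Recruitment Plan.xls",
    "2011-01-10T09:40:00|hr-team@mail.example|bob@corp.example|2011 Recruitment Plan|2011 Recruitment Plan.xls",
    "2011-01-11T14:05:00|hr-team@mail.example|carol@corp.example|2011 Recruitment Plan|2011 Recruitment Plan.xls",
    "2011-01-10T10:00:00|news@vendor.example|alice@corp.example|Weekly newsletter|",
    "2011-01-10T11:00:00|dave@corp.example|bob@corp.example|Q1 budget|budget.xls",
] + [  # bulk mail with a spreadsheet: too many recipients to look targeted
    f"2011-01-10T08:00:00|reports@vendor.example|user{i}@corp.example|Monthly price list|prices.xlsx"
    for i in range(40)
])

def parse(log):
    """Yield (time, sender, recipient, subject, attachment) per log line."""
    for line in log.strip().splitlines():
        ts, sender, rcpt, subject, attachment = line.split("|")
        yield (datetime.fromisoformat(ts), sender.lower(), rcpt.lower(),
               subject.strip().lower(), attachment.strip().lower())

def find_campaigns(log):
    """Return low-volume external spreadsheet campaigns worth an analyst's review."""
    groups = defaultdict(list)
    for ts, sender, rcpt, subject, attachment in parse(log):
        external = not sender.endswith("@" + INTERNAL_DOMAIN)
        if external and attachment.endswith(SPREADSHEET_EXT):
            groups[(subject, sender.rsplit("@", 1)[1])].append((ts, rcpt))
    hits = []
    for (subject, domain), msgs in groups.items():
        times = [t for t, _ in msgs]
        rcpts = sorted({r for _, r in msgs})
        # Several recipients, but few, all inside the campaign window
        if 2 <= len(rcpts) <= MAX_RECIPIENTS and max(times) - min(times) <= WINDOW:
            hits.append({"subject": subject, "sender_domain": domain, "recipients": rcpts})
    return hits

if __name__ == "__main__":
    for hit in find_campaigns(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than a verdict, since legitimate external senders also mail spreadsheets to small groups.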

What’s the likely impact of this breach? Most of the impacted companies have sent notices to their customers explaining the issue and warning them to be extra vigilant regarding email messages. The crooks can use the email addresses and the associated company relationships to specifically target these customers with carefully crafted calls to action. Learn more by listening to this American Public Media story:

So what can you as a consumer do? Yes, you should be alert to potential scams. And of course you should use the latest version of a reputable security product and install all the security patches for your operating system and applications. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Unless you have the right tool. Can you find the real email from Best Buy?

Know Who.  No Doubt.  Use eMail ID.


