Security breach exposes user email addresses, names

Sometime this past Sunday, I got the first email alerting me to the fact that a security breach had exposed my name and email address to a hacker. Great, I thought, but I wasn't overly concerned since the email said that no account details had been compromised. A little while later, another email from a different company arrived in my inbox. Then another, and another, and by Monday morning every other email -- or so it seemed -- was spreading the same news. Of course, we now know what happened: A very successful email marketing firm (at least it was up to now) had its pocket picked, losing information entrusted to it by as many as 50 companies, many of them household names. The good news, experts say, is that the breach doesn't pose a direct threat to these companies' customers' most sensitive information, at least for now. The bad news is that the leaked information could give rise to all sorts of toil and trouble down the line via phishing expeditions that could increase in both frequency and sophistication. Which means that this is a great time to go over some email safety basics to help keep this little annoyance from turning into a big pain in the ...

Who the heck is Epsilon?

The list of companies that reached out to me was a who's who of financial institutions and retailers. Other than having me or a member of my family as a customer, they had one thing in common: they had outsourced their email marketing to Epsilon, a heretofore little-known company (at least to most people) that handles those tasks for hundreds of clients. When you check the box that permits a retailer, bank or other company to share your contact information with a third party, Epsilon, or one of its email-marketing competitors, is almost certainly among those third parties.

Kashmir Hill's blog over at Forbes.com has some background on how email marketing companies like Epsilon work, and how they target consumers for specific pitches. One interesting tidbit is that opting for HTML mail rather than plain text lets email marketers learn lots more about you and your habits. "A company like Epsilon can determine whether their client’s email is going to your junk folder, or whether you opened it (and when), and what you clicked on when reading the email," Hill writes.

Should you be worried?

There's no immediate threat to consumers, experts say, but exercising some extra care with incoming emails is definitely a good idea. The big fear with Epsilon's security breach isn't the data that it disclosed. Account numbers, passwords, Social Security numbers and similar information weren't part of the cyber-criminals' haul. However, arming these ne'er-do-wells with even the most basic info -- email addresses, the names associated with those, and what companies you do business with -- makes future phishing attacks much more likely to succeed.

As The New York Times explains, a normal phishing attack is a pretty blunt instrument. Criminals send out an email blast asking recipients to do something like update their account information at a specific company or institution, without knowing whether their targets are actually customers. Those who blithely follow the "helpfully" included link wind up at a site that mimics the one they expected to go to, except that it only exists to collect the account details entered there by unwitting visitors.

The danger in the Epsilon breach is that adding a name and other customized elements to the email, and going after victims who are actually customers of the named business, could give rise to a sharper attack, called "spear phishing," one that's much more likely to be both convincing and successful. The Times quotes information security expert Mark Seiden as saying, "Something that is that customized and has the right graphical elements, people will fall for it."

One piece of good news, later reports say, is that while email addresses were stolen in all cases, not all companies had their customers' names exposed as well.

What to do

Phishing attacks are one of the most common techniques Internet thieves use to capture personal information, including bank and credit card account numbers and passwords. However, protecting yourself against email phishing attacks -- including spear phishing -- requires not much more than exercising basic caution and common sense. Here are some tips:

  • Don't share sensitive information -- such as account numbers, passwords or user IDs -- via email.
  • Don't click on email links. Instead, go to your browser and type in the URL.
  • If out of convenience you do click on a link, watch the URL in the browser address bar like a hawk. If anything looks even slightly out of whack -- even an "innocent" looking typo -- get out of there, fast. And never, ever, enter personal information at a site you reached following an email link.
  • Don't use your email address as your login ID or user name. For the best security, use a combination of upper- and lower-case characters, numerals, and, if the site allows it, punctuation for your user name.
  • Mix up your passwords in a similar fashion, and make sure that they are very different from your login ID or user name.
  • Buy and install a good security suite. Norton Internet Security 2011, which earns a recommendation as a top choice in our report on Internet security suites, gets great grades for its anti-phishing detection from reviewers, including PCMag.com.
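The "watch the URL like a hawk" advice above, worked through in code as an added example (not part of the original article): the check pulls out the host a browser would really connect to and flags the usual tricks a phishing link uses to look like the real thing. All links and the assumed legitimate host `bank.example.com` are constructed for illustration.

```python
# Added example, not from the original article. Checks whether a link found in an
# email really points at the company it claims to. Sample hosts are constructed.
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL."""
    parts = urlsplit(url)
    # .hostname already drops any "user:pass@" prefix and port and lowercases,
    # so "https://bank.example.com@evil.example/" yields "evil.example".
    return (parts.hostname or "").rstrip(".")


def reasons_to_distrust(url: str, expected_host: str) -> list:
    """List what a careful reader should notice about the link; empty means it matches."""
    problems = []
    parts = urlsplit(url)
    host = link_host(url)
    if parts.scheme != "https":
        problems.append(f"not https (scheme is {parts.scheme!r})")
    if parts.username is not None:
        problems.append("URL contains a user@ prefix that hides the real host")
    if any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        problems.append("host uses non-ASCII or punycode characters (possible look-alike)")
    # Legitimate: the expected host itself or a subdomain of it. Anything else,
    # e.g. bank.example.com.evil.example or bankexample.com, is a mismatch.
    if host != expected_host and not host.endswith("." + expected_host):
        problems.append(f"host {host!r} is not {expected_host!r}")
    return problems


def check_links(links, expected_host: str) -> dict:
    """Map each link to its list of problems, for a batch of links from one email."""
    return {url: reasons_to_distrust(url, expected_host) for url in links}


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing email might carry.
    samples = [
        "https://www.bank.example.com/account",          # genuine subdomain
        "https://bank.example.com@evil.example/login",   # userinfo trick
        "http://bank.example.com.evil.example/login",    # look-alike subdomain
        "https://bankexample.com/login",                 # "innocent" typo
        "https://b\u0430nk.example.com/login",           # Cyrillic 'а' homoglyph
    ]
    for url, problems in check_links(samples, "bank.example.com").items():
        print(url, "->", problems or "looks consistent")
```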