By Quentin Fottrell
The massive data breach at Epsilon – where an unknown third party accessed the marketing company’s list of customer emails – has likely compromised thousands of consumers. The Dallas-based firm first alerted the public last week, but the list of companies impacted keeps on growing.
The breach was limited to customer email addresses and, in some cases, names, but that’s still enough to leave thousands of customers vulnerable to a larger attack. Email addresses are only virtual addresses that give scammers an opportunity to contact you. The key is to recognize them if they come calling.
An Epsilon spokeswoman says the company can’t itself confirm which companies were impacted due to an ongoing investigation. But banks and hotel chains have been sending out their own warnings by Twitter and email about the breach, cautioning customers to be on their guard, and other news sources are providing a growing list of companies whose customer email addresses were allegedly compromised.
Among them, Citibank tweeted: “Please be careful of phishing scams via email.” JPMorgan Chase also warned that some Chase customer emails were compromised. TiVo tweeted an apology to those customers impacted by the breach.
However, thousands of worried consumers are now asking themselves: what can I do to prevent scammers from stealing my credit card information, passwords or points balance on my rewards cards? And – more to the point – can they actually steal this information?
The answer: it’s highly unlikely, especially if you do nothing in response. As the name suggests, phishing scams only work by gleaning more information from you than the scammers already have. The email is the hook. You, the consumer, are the fish.
“Now the bad guys know who you do business with,” says Chester Wisniewski, senior security adviser at online security firm Sophos. “The likely outcome as far as fraud is concerned will be people impersonating the institutions they’ve compromised. If they contact you it will likely come in the form of a phishing attack [an email, or phone call if your number is listed, asking you for more information] or try to lure you online to a malicious link.”
Here’s what security companies advise:
When to do nothing: Don’t reply to emails that ask for personal information such as passwords, bank account or credit card details – even if the email mentions Epsilon and tries to scare you by saying your account is compromised. No legitimate company would ask you to do this. If you receive a suspicious phone call from your bank, hang up and call the bank yourself using the number on your card or statement. Don’t let curiosity get the better of you either: don’t open email attachments or follow links sent by email, Twitter or Facebook, even if they have been “forwarded” to you by a friend.
When to take action: If you already use your email address as a password for an online account, change it. If you use your name, or an easy variation of your name such as JohnDoe123, as a password, change it. But do this on the company’s own website, reached by typing its address yourself. Never do this if asked to by email.
What to do in the future: Use secondary, less important email addresses when registering online accounts. Keep one for this and others for businesses, friends and family. If a secondary account starts receiving spam, it will be easier to shut it down without too much inconvenience.
Wisniewski says, “Raising our level of caution when interacting with Facebook or the Internet is only going to improve our security overall. If you get an email from a company asking you to follow a link to get a dollar off a carton of milk, don’t follow it.”
Have you ever been targeted by a phishing scam?