The hacking of a Dallas-based marketing firm, which exposed millions of email addresses to potential misuse, has raised the concerns of various security experts who now think unwary consumers will fall for scams in their inboxes.
A relatively unknown company called Epsilon came forward last week and confessed that its email database had been hacked. But this was not just any database; this was one used by industry heavyweights like Disney Destinations, banks such as Citibank, Capital One and Chase, and stores like Walgreens and Kroger.
The red-faced company isn’t saying how many addresses were taken, but its blue-chip clients were forced to start notifying consumers that their email addresses were compromised and to be on the lookout for “phishing” attempts in the coming days, weeks, months and years.
This is the danger of this kind of attack. My email address is well-known so I get tons of spam, perhaps thousands a week. But few people know where I do my personal banking. So when I get an e-mail from “XYZ Bank” asking me to change my online banking password I am easily convinced to delete it because I don’t have an account with XYZ Bank.
Now, however, millions of email addresses are associated with their correct relationship. A spammer can craft an email saying your Citibank account is overdrawn and telling you to “click here” to see an important, encrypted message about your account.
And bingo, you’re infected with a Trojan that steals all of your passwords and banking data from then on.
Or you have a prescription problem at Walgreens and click here to resolve it. Bingo, you’re infected. Or click here to enter your credit card info because your card was declined. Think you’re too smart to do that? You may be, but tens of thousands of people do that every year in response to fake anti-virus pop-ups and other scams.
These “phishing” attempts (named for their goal of using bait to “fish” valid information out of you) are remarkably successful in many cases because the emails look official and use scary things to con an immediate response out of people before they can think more clearly. Oh gosh, my checking account is overdrawn? That can’t be! Click. Walgreens declined my debit card? Why? I have plenty of money in that account! Click.
And this is not limited to the companies I named. According to a press release, Epsilon has more than 2,500 business clients and sends out — wait for it — 40 billion emails a year. This theft will take years to recover from and consumers need to be very careful not to respond to any requests for information in their inboxes. Your bank, a store … no one needs to ask you your password or any personal information. If they need it, they already have it because you gave it to them.
Your bank does not lose your password. (It may lose your email address … but not your password.)
(James Derk, a tech columnist, owns CyberDads, a computer repair firm in Evansville, Ind. E-mail him at jim(at)cyberdads.com. For other columns, go to scrippsnews.com.)