Friday, April 8, 2011

GONE PHISHIN’

The latest headlines from far and wide concern the story of a recent hack job done on an email marketing firm called Epsilon. Evil nerds evidently broke into the company’s servers and made off with millions of email addresses which were tied to various financial and retail institutions. No “critical” personal data, such as credit card numbers or account numbers, was stolen, but many criminals out there now have your email address, your real name and the names of the companies you do business with.

For those unfamiliar with Epsilon -- which certainly includes me -- they call themselves “the world’s largest permission-based email marketing provider.” They report sending out about 40 billion email messages on behalf of over 2500 clients. Those clients include Kroger, TiVo, US Bank, Chase, Capital One, Citi, Home Shopping Network, LL Bean Visa, Marriott Rewards, Brookstone, Walgreens, Disney Destinations, Best Buy and many others. If your email was compromised, these companies have probably already emailed a sheepish apology. You may have also received a fake phishing request for personal information.

For those who don’t know, phishing is defined as an email designed to trick you into giving up personal information such as your username and password to an online account. Most of us have received a phish or three and many of us are wise enough to ignore them. Some of us in the Shoals area have even received this kind of email from people claiming to be from Listerhill Credit Union. In these cases, the criminals don’t actually know that you are a Listerhill client; they simply sent out millions of emails assuming that some of them would go to actual Listerhill customers who are foolish enough to give up their bank account information. This kind of phishing attack is akin to using a large net to catch a fish or two.

The justified fear here is that since the Epsilon hackers know you, your real name and who you do business with, they can write a more targeted phishing email (called “spear phishing”), addressing you by your real name and claiming to represent the people you actually do business with. Because they are able to address you by name, their scam appears a little more convincing and is thus more likely to get you to let your guard down and reveal personal information.

As with many sensational news stories, the actual threat here is a bit minimal unless you let your guard down. If you want to take an extreme measure, dump your old email address and sign up for a new one. Most internet service providers make this easy. However, the best advice is to simply be vigilant. Don’t ever, ever, ever respond to an email asking you to verify your account information, passwords or credit card numbers. Don’t open up attachments from people you don’t know. Keep your antivirus and operating system updated and, most importantly, be skeptical. If you suspect you might have been suckered, simply call the institution, confess your sins and ask forgiveness.
