Washington State

Office of the Attorney General

Attorney General

Bob Ferguson

The recent theft of millions of email addresses from online marketing firm Epsilon means many of us will likely receive targeted phishing e-mails. Before you panic, here’s my take on it: Your risk of becoming an identity theft victim is low – provided you apply an extra dose of caution and know how to recognize fraudulent e-mails.

The email addresses were obtained by hackers – not simply lost. That’s bad. But, the good news is that the hackers reportedly didn’t obtain passwords or financial information. (Blogger Brian Krebs has compiled a list of companies that have acknowledged losing customer contact data as a result of the Epsilon breach.)

In order to steal from your bank account, open a new account in your name or use your email address to spam people, crooks need additional information. And they’re going to try to get it.

Most likely, the thieves will use a tactic known as “spear phishing.” A spear-phishing email can include a person’s name and is sent only to those who are known to be customers of a particular business, thereby increasing the chance the targets will be fooled. This New York Times article describes spear phishing in greater detail.

The hackers may even capitalize on their own breach by sending messages that appear to come from security personnel and ask you to verify your identity. The message will probably include a hyperlink that takes you to a website that resembles the business’ real site. The thief’s hope is that you will log on to the lookalike site, thereby providing your login credentials – and possibly more. Or you may be asked to call a phone number and verify your identity that way. Of course, the phone number was set up by the con.

Other spear-phishing emails may be disguised as promotions. (A coworker once fell for one that appeared to be a message from her bank offering her a free copy of her credit report.)

Even businesses can fall prey to spear phishing. Conde Nast wired $8 million to a scammer – and all it took was one email.

Here’s how you can protect yourself:

  1. NEVER click on links in emails from businesses.
  2. NEVER call phone numbers sent to you in emails from businesses.
  3. NEVER open attachments in emails from businesses.
  4. IF YOU THINK THERE MAY BE A REAL PROBLEM WITH YOUR ACCOUNT, contact the business directly by using a phone number found on the back of your credit card, bank statement, etc. If you need to log onto an account, enter the company’s website URL directly in your browser and be sure it’s an encrypted site.
  5. PROTECT YOUR COMPUTER with security software and download the latest updates.
  6. OPTIONAL: If you really want to be safe, change your email address. Or at least, don't use your email address as your account login or password.

No doubt businesses and marketing reps will likely have some concerns about my advice. Email is a standard marketing tool and they want you to click through to buy products and sign up for services, etc. But the way I see it, it’s better to be overly cautious. And if you really want an advertised deal, it takes a few extra seconds to visit a company’s site the safe way – by typing the URL into your browser and double-checking that the site is legit.

Reporting phishing schemes:

Generally, I simply delete phishing emails. But if you want to complain to someone, here’s where to go:

Anti-Phishing Working Group: File a report at http://www.antiphishing.org/report_phishing.html

Federal Trade Commission: Forward illegal spam to spam@uce.gov.

Internal Revenue Service: For phishing and other scams related to tax returns, forward the message or Web site URL to phishing@irs.gov.



Recent Posts

Blogroll & Consumer News

Product Recalls