Phishing attacks likely to follow Epsilon breach

(Internet Safety, Scams)

The recent theft of millions of email addresses from online marketing firm Epsilon means many of us will likely receive targeted phishing e-mails. Before you panic, here’s my take on it: Your risk of becoming an identity theft victim is low – provided you apply an extra dose of caution and know how to recognize fraudulent e-mails.

The email addresses were obtained by hackers – not simply lost. That’s bad. But, the good news is that the hackers reportedly didn’t obtain passwords or financial information. (Blogger Brian Krebs has compiled a list of companies that have acknowledged losing customer contact data as a result of the Epsilon breach.)

In order to steal from your bank account, open a new account in your name or use your email address to spam people, crooks need additional information. And they’re going to try to get it.

Most likely, the thieves will use a tactic known as “spear phishing.” A spear-phishing email can include a person’s name and is sent only to those who are known to be customers of a particular business, thereby increasing the chance the targets will be fooled. This New York Times article describes spear phishing in greater detail.

The hackers may even capitalize on their own breach by sending messages that appear to come from security personnel and ask you to verify your identity. The message will probably include a hyperlink that takes you to a website that resembles the business’ real site. The thief’s hope is that you will log on to the lookalike site, thereby providing your login credentials – and possibly more. Or you may be asked to call a phone number and verify your identity that way. Of course, the phone number was set up by the con artist.

Other spear-phishing emails may be disguised as promotions. (A coworker once fell for one that appeared to be a message from her bank offering her a free copy of her credit report.)

Even businesses can fall prey to spear phishing. Conde Nast wired $8 million to a scammer – and all it took was one email.

Here’s how you can protect yourself:

  1. NEVER click on links in emails from businesses.
  2. NEVER call phone numbers sent to you in emails from businesses.
  3. NEVER open attachments in emails from businesses.
  4. IF YOU THINK THERE MAY BE A REAL PROBLEM WITH YOUR ACCOUNT, contact the business directly by using a phone number found on the back of your credit card, bank statement, etc. If you need to log on to an account, enter the company’s website URL directly in your browser and be sure it’s an encrypted site.
  5. PROTECT YOUR COMPUTER with security software and download the latest updates.
  6. OPTIONAL: If you really want to be safe, change your email address. Or at least, don't use your email address as your account login or password.

No doubt businesses and marketing reps will have some concerns about my advice. Email is a standard marketing tool and they want you to click through to buy products, sign up for services, etc. But the way I see it, it’s better to be overly cautious. And if you really want an advertised deal, it takes a few extra seconds to visit a company’s site the safe way – by typing the URL into your browser and double-checking that the site is legit.

Reporting phishing schemes:

Generally, I simply delete phishing emails. But if you want to complain to someone, here’s where to go:

Anti-Phishing Working Group: File a report at

Federal Trade Commission: Forward illegal spam to

Internal Revenue Service: For phishing and other scams related to tax returns, forward the message or Web site URL to


Posted by Kristin Alexander, All Consuming Blog Moderator, at 04/05/2011 04:33:04 PM

I have apparently been a victim of the Epsilon hacking last week. All afternoon I have been fielding calls from friends who were notifying me of an email they received from my email address stating my husband and I were in London, or Wales, and needed money ($2,950.00 was one amount requested). I immediately checked my Earthlink account online and found that all my contacts had disappeared. I assume they managed to get my password to carry that one off. This is my first experience with any hacking incidents. With the economy so bad, it will probably just get more pervasive. [ALL
Posted by: Karen Fountain at 4/13/2011 4:25 PM

Karen, I’m sorry that happened to you. But it doesn’t sound like it is related to Epsilon because the hackers needed your email address to do that. Please change your email address and scan your computer for viruses and spyware. See our related Jan. 18 blog post and consumer alert on this scam:
Posted by: KRISTIN ALEXANDER, ALL CONSUMING MODERATOR at 4/18/2011 11:24 AM
