Spam and Security: What the Epsilon breach means for you
This article was originally published as part of the Pobox blog. Pobox was acquired by Fastmail in 2015.
Last week, I started getting notices from websites I use (Tivo, Target, one of my credit card providers) saying, “Our email provider has been compromised. Your email address may have been stolen.” Epsilon, one of the largest providers of online marketing services, including email marketing, had been hacked. See a list of more affected brands.
All the emails were quick to say, “No account information has been stolen! They don’t have your password!” So, you might be inclined to just delete them without a second thought. But this should actually give you a reason to worry – about spear phishing. Some of the things we generally tell you to look for when avoiding phishers, like personalized information, are exactly what has been compromised. So, if you get an email “from” your bank that looks just like all their other messages and addresses you by name – it still might not be safe.
So, what should you do? The best advice I can give you comes from the X-Files: Trust no one.
The information you want to be most cautious about protecting, your passwords, is something you might not even think about giving out. For many of us, it’s second nature to click on a link in email, then fill in our username and password at the page it takes us to. That’s exactly what scammers count on.
What will protect you?
Typing in the URL of the website in your web browser. (Yes, you can use a bookmark, too.) In fact, if you always do this… I won’t guarantee that you never give up your private information, but you’ve gone a long, long way towards avoiding it. The way phishing works is by tricking you with visuals – making the email and the web page they direct you to look like one you trust, when it’s actually one the scammers control. If you don’t click the links in their emails, you’re off the hook!
Can you ever click a link in an email safely? Maybe. There are lots of links that direct you to pages (help pages, product pages) that aren’t asking you for login information. But, remember, target.com, target2.com and target3.com could have totally different owners, so just because the URL of the page you’re at looks almost right doesn’t mean it’s legitimate. And once you’ve visited a page or two, if they ask you for login information, you may not think about how you’ve gotten there.
Never email your account password, credit card or bank information. That’s right. Never. No legitimate organization should ever ask you for your password. If they need to ask you about your credit card or bank information, the most they should ever do is provide card type and last 4 digits, and ask you to confirm it. If you need to make a payment, type in the URL of the site, and go to their pay page. They don’t have a pay page? They should be able to accept a payment via PayPal. Still no? Then you’re not dealing with a legitimate business.
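To make the point about target.com, target2.com and target3.com concrete, here is an added example (not part of the original post) that lists every link in an HTML email and checks whether its real destination belongs to the domain you expect, regardless of what the link text shows. The function names and the sample message are constructed for illustration; the domains are the ones used above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_belongs_to(url, expected_domain):
    """True only if the URL's host is expected_domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_body, expected_domain):
    """Return (visible text, real host, belongs) for each link in the message."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    return [(text, urlsplit(href).hostname, host_belongs_to(href, expected_domain))
            for href, text in collector.links]

# Constructed sample message; the domains are the ones the article uses.
SAMPLE_EMAIL = """
<p>Dear Jane Doe, please confirm your account:</p>
<a href="https://www.target.com/help">Help pages</a>
<a href="https://target2.com/login">www.target.com/login</a>
<a href="https://target3.com/account">Your account</a>
"""

if __name__ == "__main__":
    for text, host, ok in audit_links(SAMPLE_EMAIL, "target.com"):
        print(f"{'ok  ' if ok else 'WARN'} text={text!r} real host={host}")
```

The second link is the case to notice: its visible text reads www.target.com/login, but the host it actually opens is target2.com, so it is flagged.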
What doesn’t help?
Pages that know your username/email address. This is the big fallout from this security breach! Now, the parties who hacked the Epsilon database know that you are a customer of TD Ameritrade, Chase Bank, Citibank, [insert your financial institution here] AND they know what email address you use to log in. So, just because some piece of uniquely identifiable information is in the page doesn’t mean that it’s legitimate.
Looking for the “lock” icon in your browser. A lock icon on your web browser just indicates that the page is sending its information securely. Scammers can use encrypted traffic just as easily as a legitimate site, and a lock in NO way indicates that you’re dealing with a legitimate business.
Pages that “look right”. Scammers can, and do, replicate every element of a web page trying to fool you into thinking you’re on a legitimate site. Logos, graphics, banners, favicons… none of these are indicators that the page you’re on is associated with the business you’re looking for.