Epsilon, the world's largest email marketer, sends more than 40 billion emails annually for some 2,500 corporate clients. On April 1, Epsilon announced a massive hack of its databases, including email addresses and/or names, leaving million of consumers open to phishing attacks.Scammers use phishing emails to trick consumers into revealing sensitive personal and financial information, such as passwords, logins, bank account and credit card numbers. Phishing emails usually masquerade as official notices from major companies and are sent anonymously to millions of consumers at a time. But more targeted attacks, which may include your name and address, are known as "spearphishing."
The example cited by the BBB was supposedly sent by Chase, one of the companies whose clients' data was siphoned from Epsilon's servers. The email warns the recipient that their "Chase Online" and "Bill Pay" services will be deactivated unless they log into Chase.com and enter their user ID and password. If they do log into the Chase.com link, victims are taken to a phony site where their user ID and password will be stolen.
Here's what the phishing email from Chase looks like:
"These hackers are looking for you to respond with vital information that can ultimately lead to identity theft," Stephen A. Cox, President and CEO of the Council of Better Business Bureaus, said in a statement. "Consumers need to know the red flags in order to keep their identity protected."
A Chase spokesman, however, said the sheer volume of phishing emails ostensibly sent by Chase makes it difficult to confirm whether the email in question was actually related to the Epsilon data breach. Chase offers examples of fraudulent emails targeting Chase customers on its Security Center.
"It would be hard to determine whether the phishing email the BBB references -- or any phishing emails -- are related to Epsilon because such emails show up all the time," said Chase spokesman Tom Kelly.
The BBB warns consumers that this is only the first of many phishing emails to come as a result of the Epsilon data breach, and reminds them to do the following:
- Never reply to the email. If the message includes a link within it, never click on it. Scammers use these links to take you to a fraudulent site or infect your computer.
- Never volunteer personal or financial information to anyone who contacts you via email. Your bank, credit card company, the IRS or law enforcement will never ask you for sensitive information via email.
- Spread the word. Discuss phishing scams with all the members of your family with an email address. Young people are very computer savvy, but may not be scam savvy, while older adults are often targeted by scammers because they tend to be very trusting.
- Only send information via secure sites. When sending personal information like addresses, credit card numbers and Social Security numbers over the Internet, make sure the website is fully encrypted and the network is secure. Look for https (the "s" stands for secure) at the beginning of the URL to confirm its security.
- Look for red flags. Emails with poor grammar or misspelled words are a dead giveaway of a scam.
- Never wire money. Once you wire someone money, it's gone for good, which is why wire transfer is the preferred method of rip-off for scammers. Never, ever wire money in response to an email, or to anyone you don't know.
- Protect your computer. Keep your anti-virus software up to date and run it regularly.