Why It Matters When Your Email Address Is Stolen: Spear Phishing and the Epsilon Breach

Last month, you probably got at least one email from a company you do business with telling you that your name and email address had been stolen. Epsilon, an email marketing firm that sends 40+ billion emails a year for client companies, had its databases hacked. Heavy hitters like Citigroup, Capital One, American Express, Kroger, Best Buy, Verizon, The College Board (which handles the SATs) and 50 others were affected — it was a huge breach.

At first you may think: so what? But when you consider that your email address plus your relationship with that particular company represent a piece of your online identity, it takes on a decidedly “spear phishing” flavor.

Spear phishing is targeted phishing: cyber criminals use what they already know about you (such as which companies you do business with) to get you to give up sensitive information. They might send you a spoofed (fake) email that looks like it comes from one of those companies and gives legitimate-sounding reasons to click on a link. Once you’re on their copy-cat website, you’re asked to provide personal information: account number, user ID, password, PIN or other data.

If they fool you, that’s when their fun begins. It can include all the usual scammer activities (installing malware on your computer, pilfering your accounts and/or stealing your identity) plus more sophisticated crimes, like gaining access to your company’s secrets and selling them.

Scammers can also send emails that look like they’re from you to gain people’s trust, including your connections on social networking sites like Facebook or LinkedIn. If it’s a work-related email, it gets even more complicated.

All from a stolen name and email address!

Here are five ways to stay one hop ahead of the bad guys:

1. Be on the lookout for spoofed (fake) email.

2. Never, ever respond to email requests for personal information.

3. Be extra vigilant when using your Web-enabled phone — people are three times more likely to fall for scams on their handhelds.

4. If you get an email from a financial institution or an account like PayPal, verify it by logging in to your account directly (not through a link in the email) and checking the account’s own inbox; a genuine notice should be there, too.

5. If you think you may have fallen for a scam, change your password immediately and notify your bank or institution.