Monday, April 11, 2011

The Epsilon E-mail Event

Chances are you've gotten at least one e-mail notification in the past few days about a security breach at Epsilon (I've gotten three). PC World provides an explanation that I thought you might want to hear:

Names and e-mail addresses fell into the wrong hands last week, when Epsilon suffered a data breach affecting at least 19 of its client companies. It may sound scary, but don't panic. Here's what you need to know about the Epsilon e-mail hack:

What is Epsilon?

Epsilon is the world's largest permission-based e-mail marketer. Other companies, such as Best Buy, use Epsilon to send promotions or other e-mails to their customers. Naturally, the company has access to a lot of e-mail addresses.

What happened?

On March 30, an unauthorized party gained entry into Epsilon's system and accessed e-mails and customer names for a subset of Epsilon clients. If you're a customer of one of these clients, there's a chance that some hacker now knows your name and e-mail address.

Who is affected?

Epsilon won't specify which of its 2,500 clients were affected, or how many customers' e-mails were stolen, but SecurityWeek has put together the following list: Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy, and Robert Half Technologies.

What's the risk for people who use any of these services?

You may notice an increase in e-mail spam and phishing attacks, which aim to gather passwords and other sensitive information from their targets. Due to the nature of the Epsilon breach, these attacks may address their targets by name, making them more convincing.

Was any other information exposed? Should users change all their passwords and cancel their credit cards?

No. According to Epsilon, no other personal information was exposed besides e-mails and names. Law enforcement and individual companies are doing their own investigations, but unless you've got a really stupid password, your money should be safe.

What can customers do?

An extreme measure would be to get a new e-mail address, but it's probably better to just be vigilant about phishing attacks. Check out PCWorld's picture guide to spotting e-mail scams, avoid e-mail attachments from people you don't know, and never, ever, ever respond to an e-mail that asks you to verify passwords, credit card numbers, or other financial information.

So there you have it. No worries.

This does, however, bring up the topic of how to detect e-mail scams, so let's address it briefly. Here are some general rules of thumb when it comes to detecting phishing or other e-mail scams:
1. If you've won something, it's a scam (especially if you didn't enter anything in the first place).
2. If you see the word Nigeria, it's a scam (especially Nigerian royalty; it amazes me that scammers still use this one, but they do, and apparently plenty of people still believe a stranded prince needs their cash for a plane ticket home and will be very grateful to whoever helps him out).
3. If it asks you to deal in a currency you don't normally use (for most readers here, anything other than U.S. dollars), it's a scam.
4. If they want you to click a link in that e-mail to "verify" or "confirm" something, it's a scam.
5. If it's too good to be true, it's a scam.

If you get something that looks official and entirely plausible, there are a couple of things you can do to stay safe. First, hover your mouse -- BUT DON'T CLICK -- over any link the e-mail wants you to click. The text you see in the message and the address the link actually goes to are two different things, and hovering reveals the real one (depending on your mail program or webmail, it may pop up in a floating bubble, it may appear at the bottom of the window, etc.). Look at the part of that address between "http://" or "https://" and the next "/": that is the site you will actually be sent to. It must be the real domain you use when you do business with that company, or a name ending in that domain; anything else -- "www.yourbank.com.evil-example.net", a misspelling, a name that merely contains the company's name -- is a scam. Anytime you see a bare IP address (something like 203.0.113.45) rather than a domain name, that's a good indicator that the link will redirect you somewhere that has nothing to do with the company. And of course, it goes without saying that you should never, ever, EVER open an attachment on an e-mail like this.
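The hover check above can be done mechanically on the HTML of a suspicious message. The following is an added example (my code, not PC World's or Epsilon's, and not from any real message): it pulls every link out of a constructed sample e-mail, compares the visible link text with the real destination, and flags bare IP addresses, hosts that are not under the company's domain (including "yourbank.com.evil.test" look-alikes), and "user@host" tricks that hide the real host after an "@". The domain example-bank.com and all five links are made up for the demonstration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real Epsilon-related e-mail): five links, two legitimate
# and three using tricks that the hover check in the text is meant to catch.
EXPECTED_DOMAIN = "example-bank.com"   # the domain you normally use for this company (assumed)
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, please <a href="https://www.example-bank.com/login">log in</a> to review your account.</p>
<p>Verify now: <a href="http://203.0.113.45/verify">https://www.example-bank.com/verify</a></p>
<p>Update details: <a href="https://www.example-bank.com.evil.test/update">www.example-bank.com</a></p>
<p>Secure login: <a href="https://www.example-bank.com@evil.test/">secure login</a></p>
<p>Questions? Visit our <a href="https://help.example-bank.com/">help center</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs: what hovering reveals vs. what is shown."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_host(host):
    """True if the host part is a literal IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def under_domain(host, domain):
    """True only if host equals domain or is a subdomain of it (suffix match on a label boundary)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


HOSTNAME_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def check_link(href, text, expected_domain):
    """Return the reasons to distrust one link; an empty list means it passed every check."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # https://www.bank.com@evil.test/ : everything before '@' is userinfo; the real host follows it
        reasons.append(f"user@ prefix {parts.username!r} hides the real host {host!r}")
    if is_ip_host(host):
        reasons.append(f"host is a bare IP address ({host})")
    elif not under_domain(host, expected_domain):
        reasons.append(f"host {host!r} is not under {expected_domain}")
    shown = HOSTNAME_RE.search(text.lower())   # does the visible text itself look like a URL?
    if shown and not under_domain(host, shown.group(0)):
        reasons.append(f"text shows {shown.group(0)!r} but link goes to {host!r}")
    return reasons


def audit_email(html, expected_domain):
    """Run check_link over every anchor; returns [(href, reasons)], reasons empty when the link passed."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text, expected_domain)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL_HTML, EXPECTED_DOMAIN):
        print(("SUSPICIOUS " if reasons else "ok         ") + href)
        for reason in reasons:
            print("    -", reason)
```

Run as-is, the script passes the two links whose host is example-bank.com or a subdomain of it and flags the other three. The suffix test in under_domain checks on a label boundary on purpose: "help.example-bank.com" passes, but "www.example-bank.com.evil.test" and "notexample-bank.com" do not, which is exactly the distinction the hover check asks you to make by eye.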

Finally, contact the company outside the context of the e-mail. Open a new window or tab, type the company's website address yourself (or use your own bookmark), and log in as you normally would. See if you can find anything on the website about the contents of the questionable e-mail. Call customer service at the number printed on your statement or card, not one taken from the e-mail, and describe the message you received; they'll tell you whether it's an official notification or not. Official company notifications (especially about changing your password or other personal information) should never ask you to follow links in that e-mail; they should always tell you to use your normal method of contacting the company.

Scammers have gotten pretty tricky and can mock up some seriously authentic-looking messages. Just be aware, use your common sense, and keep these general guidelines in mind. It'll make life easier for you and for everyone in your address book, too.
