A week after Epsilon confirmed that it had detected an unauthorised entry into its email system, the ripple effect is starting to be felt here in the UK. In fact, this breach is shaping up to be one of the biggest this year, and possibly to date as more victims come out of the shallows!
Unsurprising as the online marketer has some of the biggest US and UK companies on its client list, across different vertical sectors, including Citigroup, JPMorgan, and Target in the US. So far, here in the UK, we’ve learnt that Marks & Spencer and Mothercare customers’ email records have been compromised but it’s still relatively early days.
As Epsilon sends out more than 40 billion email ads annually, there is a strong possibility that you may have received an email similar to this one recently:
There are some that have questioned that, as only the names and email addresses were compromised, what can a hacker actually do with such information?
Correlating the information in the different lists opens up the opportunity for ‘spear-phishing’ campaigns – emails that target specific individuals. To fool the recipient into believing they’re legitimate, they will contain personal details that only an individual familiar, or conducting business, with the victim should know.
Theoretically a Mothercare customer, who regularly shops at M&S, could be attacked by the hacker. Having cross referenced the two lists, the hacker can target them with an email, purporting to come from M&S, offering promotions on its baby-care items if the customer signs up for the service. The customer is deceived, clicks on the link to register and, as part of the process, is asked to provide additional information such as a credit card number. Hey presto – the hacker now has more than just an email address!
On Tuesday (April 5), Intuit – the makers of a US tax refund preparation software – warned its customers about similar phishing campaigns following the Epsilon hack. Interestingly, Intuit is not even an Epsilon client! However, due to the timing of the Epsilon hack, Intuit believes that hackers will initially use these lists to aim at US citizens scurrying to meet the April 15th tax rebate deadline.
Here in the UK, phishing emails purporting to be from HMRC are often circulating and, in fact, our research labs have shown that tax scams this year are on the rise. How do these tax scammers operate?