Each year, Epsilon sends out billions of commercial e-mails on behalf of other companies. But one day last week, something went wrong with its security, compromising the names and e-mail addresses of millions of consumers.
So far, I've been warned by Verizon, Best Buy, and Marriott about the security breach, albeit in reassuring tones: "Epsilon has assured us that the information exposed was limited to e-mail addresses, and that no other information about you or your account was exposed," Verizon's e-mail said.
Epsilon says that only about 2 percent of its 2,500 client companies were affected. Still, those 50 or so companies include some of the nation's largest and best-known, such as JPMorgan Chase, Citigroup, 1800Flowers, and Target.
Unlike earlier breaches, the Epsilon intruders apparently didn't gain access to obviously sensitive information, such as account numbers or passwords. But the combination they did obtain - customers' names coupled with their e-mail addresses - amounts to a gilded invitation to phishers.
Phishers' e-mails are the bait, designed to look like they come from familiar companies. The hook is some urgent appeal, perhaps that your account needs updating to avoid suspension.
You're caught when you do as instructed - typically by clicking on a link that takes you to a bogus website. In the most audacious versions, the phishers ask for all sorts of personal information - even for answers to security questions that legitimate sites rely on, such as your mother's maiden name. With their haul, phishers can then hijack your accounts, create new ones, or otherwise steal your identity.
Phishing works, in part, because of vulnerabilities in e-mail and Web-browsing software. It also works because of human factors, including the fact that many of us are especially gullible when busy or distracted - as we may be while staring at an overflowing in-box.
Unfortunately, the Epsilon breach is perfect for exploiting that second weakness, because it will enable more so-called spear phishing - phishing e-mails targeted to people known to have business relationships with the purported senders.
Here are five basic suggestions for protecting yourself from phishing, gleaned from interviews with security experts such as Marian Merritt, Internet safety advocate for Symantec's Norton division, and David M. Nicol, director of the University of Illinois' Information Trust Institute:
Never click on links in e-mails. This is the most basic advice, so drum it into your head. Unfortunately, it's continually undermined by businesses that persist in sending legitimate e-mails that include links to their own websites. "Reputable companies are still doing that. They should know better," Nicol says.
The problem is that HTML coding used for Web pages and some e-mails allows addresses to be hidden. So a visible link to www.somebank.com, for instance, might well take you to a phisher's Web page in Eastern Europe or Asia - or, in this case, to a government warning site.
Display e-mail in plain text format. Yes, it doesn't look as pretty, but you can set your e-mail preferences to display e-mail only as plain text, or at least to ask your permission before downloading embedded images. (In Microsoft Outlook, you can find these options in the Tools menu under "Trust Center.")
Viewing your e-mails as plain text protects you two ways. One is that you won't see images, which some hackers have turned into vehicles for delivering malware. The other is that, in some e-mail programs, you'll see the actual links in e-mails, not the "display as" versions that HTML allows. Those versions allow e-mail writers and page designers to hide long web addresses, but they also work perfectly for phishing.
Keep all your software updated. Microsoft, Apple, Mozilla, and other software makers invite you to keep your operating systems up to date. So do companies such as Norton that make anti-malware software. Take their advice.
Merritt says some phishers simply want you to click on a link that takes you to an infected website, where you'll be subjected to a "drive-by download" of malware - perhaps a "key logger" that can then steal your passwords as you enter them into other websites.
Fighting malware makers is a cat-and-mouse game. Software companies continually find and patch vulnerabilities that the bad guys have learned to exploit. You don't want to miss a single patch.
Type or paste Web addresses. Even if a trusted e-mail contains a link, get in the habit of going to your browser and typing it yourself. As an easy alternative, use cut-and-paste - but watch out for typos. Phishers sometimes use look-alike addresses, such as "Micosoft" instead of "Microsoft."
Use multiple e-mail addresses. Nicol has one for work, another for financial sites, another for e-commerce, another for personal e-mail. Doing so makes phishing more obvious. And the key to protecting yourself is staying alert.
Contact Jeff Gelles at 215-854-2776 or firstname.lastname@example.org.