The BBB is warning users about a phishing message purporting to be from "Chase Bank." This email is likely the first of many scams expected following the Epsilon breach.
The first post-Epsilon
phishing emails have been spotted. In this case, cyber-crooks are targeting
bank customers with a phony warning and a malicious link.
An email purporting to be from
Chase Bank that tells users that their account will be deleted unless prompt
action is taken is currently making the rounds, the Better Business Bureau
warned on April 6. Users are encouraged to click on the link provided to get to
the "profile page" to update their information.
"Although the email sounds
urgent since it appears to be from your bank, do not click on the link and
input your bank account number or Social Security number," BBB president Tom
Bartholomy said in a statement.
JPMorgan Chase was one of
the companies affected by the recent Epsilon
. Epsilon, a large email marketing services company, disclosed
April 1 that attackers had stolen customer email addresses belonging to some of
About 50 affected companies
have been identified so far, Josh Shaul, CTO of Application Security told
eWEEK. Verizon Wireless was the latest company named, but it has yet to be
determined if there are more. "This has the potential to get very ugly, very
fast," he said.
If the "Chase Bank" phish is
really related to the Epsilon breach, and not just one of the many fake Chase
emails seen in the past, it proves the attack on Epsilon was a well-thought-out
attack, said Shaul. The attackers knew precisely who to go after and what the
payoff would be.
"Based on the BBB warning,
they now appear to be acting very swiftly to carry out their specific phishing
attempts," said Shaul.
The BBB reminded users to be
careful about clicking on links or downloading attachments to their computer,
as it could be malicious. Regardless of who the sender claimed to be, whether
it's the bank, the Internal Revenue Service or law enforcement, users should
never share personal or financial information via email. If there are
grammatical mistakes or spelling errors, that is a red flag that it is probably
The emails and the Websites
the links point to may look legitimate, with official-looking logos and color
palettes, the BBB said, so customers need to be ever-vigilant. Scammers also
employ URLs that look similar to official sites to trick users.
Even if the user has spam
filtering in place, the chances are these phishing emails will make it past the
filters and land in the Inbox, because messages from Epsilon had been approved
as being legitimate in the past, several security experts warned.
Epsilon's parent company,
Alliance Data, issued an official
on April 6. "We fully recognize the impact this has had on our
clients and their customers, and on behalf of the entire Alliance Data
organization, we sincerely apologize," Ed Heffernan, Alliance Data CEO,
said in the statement.
Alliance Data officially
acknowledged that Epsilon is working with federal authorities and outside
forensics experts to investigate the breach. The company also promised that necessary
security safeguards would be promptly implemented. Security protocols
controlling access to Epsilon systems have already undergone a rigorous review,
and access has been "further restricted," the company said.
Alliance Data has restarted
marketing campaigns for Epsilon clients, and the company does not expect email
volumes to be significantly affected. Epsilon sends 40 billion emails annually
for its 2,500 clients. It was unclear how long the campaigns had been
suspended, nor was it clear whether emails for affected companies will be sent
at this time.
If they are, that may be a
little confusing for jittery consumers trying to be vigilant about potential
"I'd bet that each of the
breached companies would recommend deleting any emails" purporting to be from
them in the immediate future, Shaul said.