The first post-Epsilon phishing emails have been spotted. In this case, cyber-crooks are targeting bank customers with a phony warning and a malicious link.
An email purporting to be from Chase Bank that tells users that their account will be deleted unless prompt action is taken is currently making the rounds, the Better Business Bureau warned on April 6. Users are encouraged to click on the link provided to get to the "profile page" to update their information.
"Although the email sounds urgent since it appears to be from your bank, do not click on the link and input your bank account number or Social Security number," BBB president Tom Bartholomy said in a statement.
JPMorgan Chase was one of the companies affected by the recent Epsilon data breach. Epsilon, a large email marketing services company, disclosed April 1 that attackers had stolen customer email addresses belonging to some of its clients.
About 50 affected companies have been identified so far, Josh Shaul, CTO of Application Security, told eWEEK. Verizon Wireless was the latest company named, but it has yet to be determined whether there are more. "This has the potential to get very ugly, very fast," he said.
If the "Chase Bank" phish is really related to the Epsilon breach, and not just one of the many fake Chase emails seen in the past, it shows the attack on Epsilon was well thought out, said Shaul. The attackers knew precisely who to go after and what the payoff would be.
"Based on the BBB warning, they now appear to be acting very swiftly to carry out their specific phishing attempts," said Shaul.
The BBB reminded users to be careful about clicking on links or downloading attachments to their computer, as they could be malicious. Regardless of who the sender claims to be, whether it's the bank, the Internal Revenue Service or law enforcement, users should never share personal or financial information via email. Grammatical mistakes or spelling errors are a red flag that the message is probably a scam.
The emails and the Websites the links point to may look legitimate, with official-looking logos and color palettes, the BBB said, so customers need to be ever-vigilant. Scammers also employ URLs that look similar to official sites to trick users.
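As an added illustration of the lookalike-URL trick the BBB describes (example code written for this page, not from the article, the BBB or any of the companies named): a small Python checker that flags anchors whose visible text names one domain while the link itself goes to another, and link hosts that merely resemble a legitimate bank domain. The allowlist of legitimate domains, the sample message and the similarity threshold are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import difflib
import re

# Constructed allowlist of legitimate sender domains (an assumption for this example).
LEGIT_DOMAINS = {"chase.com", "jpmorganchase.com"}
# Anchor text that looks like a URL or bare domain, e.g. "https://www.chase.com/".
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def registrable_domain(host):
    """Crude last-two-label 'registrable' domain; adequate for .com brands (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def flag_links(html):
    """Return a list of (href, reason) for anchors showing phishing indicators."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reg = registrable_domain(host)
        # Indicator 1: the visible text names a domain the link does not actually go to.
        if URL_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != reg:
                findings.append((href, f"text '{text}' does not match link host '{host}'"))
                continue
        # Indicator 2: host is not on the allowlist but imitates an allowed domain
        # (brand name embedded in another domain, or a close typo of it).
        if reg not in LEGIT_DOMAINS:
            for legit in LEGIT_DOMAINS:
                brand = legit.split(".")[0]
                close = difflib.SequenceMatcher(None, reg, legit).ratio() >= 0.8
                if close or brand in host:
                    findings.append((href, f"host '{host}' imitates '{legit}'"))
                    break
    return findings

# Constructed sample message modelled on the warning described above (not a real email).
SAMPLE_EMAIL = """<p>Your account will be deleted unless you act now.</p>
<a href="http://chase-online-secure.com/profile">Go to your profile page</a>
<a href="http://secure-login.example.net/chase">https://www.chase.com/</a>
<a href="https://www.chase.com/help">Contact us</a>"""
```

Running `flag_links(SAMPLE_EMAIL)` flags the first two links (brand embedded in a foreign domain, and visible URL not matching the real host) and leaves the genuine chase.com link alone.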
Even if the user has spam filtering in place, the chances are these phishing emails will make it past the filters and land in the Inbox, because messages from Epsilon had been approved as being legitimate in the past, several security experts warned.
Epsilon's parent company, Alliance Data, issued an official apology on April 6. "We fully recognize the impact this has had on our clients and their customers, and on behalf of the entire Alliance Data organization, we sincerely apologize," Ed Heffernan, Alliance Data CEO, said in the statement.
Alliance Data officially acknowledged that Epsilon is working with federal authorities and outside forensics experts to investigate the breach. The company also promised that necessary security safeguards would be promptly implemented. Security protocols controlling access to Epsilon systems have already undergone a rigorous review, and access has been "further restricted," the company said.
Alliance Data has restarted marketing campaigns for Epsilon clients, and the company does not expect email volumes to be significantly affected. Epsilon sends 40 billion emails annually for its 2,500 clients. It was unclear how long the campaigns had been suspended, nor was it clear whether emails for affected companies will be sent at this time.
If they are, that may be a little confusing for jittery consumers trying to be vigilant about potential scams.
"I'd bet that each of the breached companies would recommend deleting any emails" purporting to be from them in the immediate future, Shaul said.