Thousands of St. Louis US Bank customers received an email over the weekend with the subject line "Important Email Security Information" that read:
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
The email went on to assure customers that no financial information had been exposed, and to warn them that they may receive future emails that appear to come from US Bank but are in fact phishing emails attempting to collect sensitive information such as bank passwords, PIN numbers, account numbers, Social Security numbers, banking IDs and so on. The US Bank email continued by reminding customers:
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time.
The company referred to in this US Bank email, Epsilon, is a marketing firm that handles online marketing for big-name businesses. US Bank is not the only St. Louis area company affected by this email breach. Epsilon also handles email marketing for over 2,500 business clients, including Citibank, Capital One, JPMorgan Chase, Best Buy, Ethan Allen, Kroger, Walgreens, Hilton and Marriott hotels, The College Board and more. It sends over 40 billion emails each year on behalf of the companies it represents.
Epsilon has assured customers that only email addresses were stolen and that no other personal information was included. The concern, however, is the hackers' ability to craft convincing phishing emails, since they now hold not only an email address but also the name of a company known to be associated with the person who owns it. Here's how phishing emails work:
- You receive an email that looks as though it originated from your bank, a store with which you did business, your student loan holder, etc.
- The email alerts you that there is a problem with your account and that you need to log on immediately or your account will be cancelled. Or it may be as simple as asking you to update your account profile for something that seems innocuous. The intent is to create enough panic or concern that you act by clicking the provided link.
- A link is provided within the email.
- Believing the email is genuinely from their bank or another trusted business, the recipient clicks the link and types in their ID and/or password or other requested information.
It's that easy! Now the phisher, the sender of the email who was not your bank as you thought, has the logon or account information needed to reach otherwise secure information, including your money and your identity.
It sounds like a scam that no one in their right mind would fall for, because these emails often come from obvious scam artists and may even get caught by spam filters. But when the sender knows that you own a US Bank account, for instance, they can craft an email and a phony website that look entirely legitimate. The concern is that the stolen information is now available for a sophisticated phishing campaign that may fool hundreds of thousands of unsuspecting recipients, who click a link inside an email carefully crafted to look as though it came from a trusted institution, only to hand their secure information to a thief. These emails also have a much better chance of getting through spam filters, since they are personalized and imitate legitimate businesses.
As for those whose email information was stolen: be on your guard. Never divulge personal information through a link in an email. Always go directly to the website by typing its address into your browser. Then, before logging in to anything personal, double-check that the beginning of the web address reads https rather than http.
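The mechanics listed above (an email that impersonates a trusted business and carries a link that leads somewhere else) and the advice to check the address yourself can be turned into a simple automated check. The following Python script is an added example, not code from the article, US Bank or Epsilon; the sample email body, the links inside it and the trusted domain `usbank.com` are constructed for illustration. It extracts the links from an HTML email body and flags any that are not HTTPS, that do not point at the bank's own domain (including lookalikes such as `usbank.com.something.example`), or whose visible text names a different host than the one the link actually goes to.

```python
"""Flag suspicious links in an HTML email body.

Added example, not code from the article, US Bank or Epsilon. The trusted
domain list and the sample email below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the bank's genuine domain(s). Subdomains of these are accepted.
TRUSTED_DOMAINS = {"usbank.com"}

# Link text that itself looks like a web address, e.g. "www.usbank.com"
# or "https://usbank.com/login". Group 1 captures the host it claims.
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain or a real subdomain of one.

    A substring test would wrongly accept 'usbank.com.evil.example' and
    'login-usbank.com'; requiring the dotted suffix rejects both.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess_link(href, text=""):
    """Return the reasons a link is suspicious; an empty list means it passed."""
    reasons = []
    parsed = urlparse(href)
    actual = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not https")
    if not host_is_trusted(actual):
        reasons.append(f"host {actual!r} is not the bank's domain")
    claimed = URL_LIKE.match(text.strip())
    if claimed and claimed.group(1).lower() != actual:
        reasons.append(f"text shows {claimed.group(1)!r} but links to {actual!r}")
    return reasons


def assess_email(html_body):
    """Map every link in the body to its list of reasons for suspicion."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return {href: assess_link(href, text) for href, text in extractor.links}


# Constructed sample in the style the article describes: urgency plus a link.
SAMPLE_EMAIL = """
<p>Dear U.S. Bank customer, your account will be cancelled unless you
<a href="http://usbank.com.account-verify.example/login">log on immediately</a>.</p>
<p>You can also update your profile at
<a href="https://secure-login.example/usbank">www.usbank.com</a>.</p>
<p>Statements are at <a href="https://www.usbank.com/">www.usbank.com</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL).items():
        print("SUSPICIOUS" if reasons else "ok        ", href, "; ".join(reasons))
```

Run as-is, the first two links are reported as suspicious (plain http and a lookalike host; a genuine-looking link text that points at an unrelated host) and only the third, which goes to the bank's own domain over HTTPS, passes. The suffix check in `host_is_trusted` is the part worth copying: it is what stops a hostname that merely begins with the bank's name from being accepted.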
Every company has a slightly different way of letting customers report spam or phishing email. If you suspect an email is phony, report it to the company in question following its reporting guidelines. Typically, you will receive a reply within a day or so confirming that the email was indeed fake and what actions you can take, or confirming that it was real. Of course, when you report a suspicious email, make sure you are reporting it to the legitimate business and not to the phony sender. In the case of US Bank or other local businesses, you can always visit your local branch in person before releasing any information requested in an email. Do not let your guard down: the emails sent using this recently stolen information will probably not go out immediately, giving recipients time to forget about the breach and relax their vigilance.