Epsilon Attack Raises Awareness of Phishing

Last week, Epsilon — an email marketing company which sends 40 billion emails annually — announced that its system had experienced a security breach, potentially compromising massive amounts of corporate client information.

Walgreens, Best Buy, and Citigroup are among several prominent U.S.-based companies that work with Epsilon. Intuit is not an Epsilon customer.

Although the scope of the attack is massive, few specific details are known about exactly what happened. What is certain about the cyber attack is that millions of email addresses and names were wrongfully acquired during the breach.

“The information that was obtained was limited to email addresses and/or customer names only,” Epsilon has formally acknowledged. “A rigorous assessment determined that no other personal identifiable information associated with those names was at risk.”

Although the compromised information doesn’t appear to be critical, the incident speaks to a larger concern: the growing threat posed by “phishing,” an all-too-common practice defined as criminal activity aimed at fraudulently obtaining and capitalizing on one’s personal information.

Methods typically employed during phishing attacks include:

  • Falsified or “spoofed” email addresses fashioned to confuse recipients
  • A nefarious site designed to appear as a legitimate web link
  • An outright forged — or faked — website aimed at tricking users into supplying personal information or passwords

Graham Cluley, a senior technology consultant with security firm Sophos, says that while the Epsilon breach is scary, the outcome could have been much, much more severe, as the responsible cyber criminals didn’t ultimately make off with social security numbers, driver’s license information, or credit card numbers.

“The biggest danger here really is that spammers could then target you with email pretending to come from these organizations,” Cluley warns. “You might get fooled into being phished for your login information or being sent malware or a dangerous web link.”

The Epsilon data will likely lead to more phishing attacks, especially in the short term. Here’s how to protect yourself.

  1. Avoid opening suspicious emails, particularly those with attachments promising security or software updates
  2. Use an up-to-date browser that delivers anti-phishing features
  3. Never respond to emails requesting passwords or sensitive user information
  4. Stay current with the latest releases and security patches for your operating system
  5. Report suspicious or fraudulent messages/emails to the company that is being spoofed in an apparent phishing scheme

For more information about this attack and helpful tips, please visit the Intuit Online Security Center.

About Michael Essany

Michael Essany is a former E! Entertainment Television host and nationally published author who was recognized by A&E Biography in 2005 as "One of America's Most Remarkable People." Michael currently serves as Vice President of Indiana Grain Company, LLC.
Alan Cole

Ditto the above. Verbatim shabby text. Big concern now with the only company with access to my bank account. This is another reason not to use PayTrust's - or any other company's - "feature" that lets you look at your "consolidated information". Risky enough to have a company authorized to write checks on your account, which is a price I'm willing to pay for the great convenience, but to give more than the minimum required access is really dangerous because of how easily even theoretically responsible companies make it for crooks to walk off with customer data.


I set up a specific and unique e-mail address for my account with Pay Trust. I just received this message today (July 7, 2011) which appears to be illegitimate and addressed to my unique e-mail address used only at Pay Trust. I conclude that Pay Trust account holders have had their information breached by some hacking attack.

The message did not include my name but did know that the e-mail address was associated with a Pay Trust account which gives me a high degree of confidence that it was stolen directly from the Pay Trust database, otherwise the sender would have not known there was a connection between the e-mail address and a Pay Trust account.

Find the e-mail attached below:

----------------------------------------------------------------------

Greetings from PayTrust,

Any standard alerts emailed to you from our bill pay will have an email address of wasadmin@p01brapp01 not Durand State Bank. If you receive an email from this address it is correct and from Durand State Bank and is legitimate. These are notices you request to confirm your payment.

Please do not respond to this broadcast communication.

If you have any questions, please contact us at Support@paytrust.com or call us at 1-800-PAYTRUST (1-800-729-8787)

Sincerely,
Paytrust Bill Center