Wait! Don’t open that e-mail yet

Read your e-mail carefully to avoid falling prey to phishing attempts.

You should second-guess all e-mails from companies right now because of a trend in very targeted phishing attempts.

The news media reported earlier this week that Epsilon, an e-mail marketing company, experienced a large data loss to hackers. Epsilon lost e-mail addresses it stores for companies. Those companies are reported to include TiVo, Chase, Walgreens, TIAA-CREF, Best Buy and many others. I received a message from 1800flowers.com apologizing because my e-mail was among those lost by Epsilon.

This loss is particularly dangerous because it includes not just your e-mail address, but also the names of companies you have done business with. If your e-mail address is among those that were lost, you may receive phishing e-mails that look just like e-mail messages a company would send you. For example, you might receive an e-mail claiming to include coupons from Walgreens, or claiming that your bank account needs to be updated or that your quarterly retirement account statement is ready for viewing. Those messages will be crafted to look like messages you’ve received from those companies in the past.

Those e-mails may come to your personal e-mail address or to your FNAL e-mail address if you’ve used that address for any communications with companies involved in this loss. So it’s important for you to be especially careful responding to e-mails or following links in e-mails or opening attachments in e-mails that appear to come from companies you’ve done business with and might be expecting messages from.

Here are some steps you can take to help protect yourself:

  • Don’t click on links in e-mails. Use bookmarks to navigate to sites you frequent, especially those used for financial transactions. Establish those bookmarks by carefully typing in the known address from correspondence from the company or bank.
  • Use bookmarks instead of typing in URLs. If you misspell a URL you may end up on a malicious site. Look up “typosquatting” in Wikipedia to read more.
  • Never respond to e-mails asking for account or personal information. Use the phone if you believe there’s a problem with your account or navigate to the site using a bookmark and review the status of your account online.

Pass this info on to members of your family and friends.

If you do fall for one of these phishing messages, contact the company by phone and tell them if you’ve revealed any information that might be used to steal your account information, identity or money. If you revealed a password, and you use that same password for any of your accounts at the laboratory, notify the service desk immediately at x2345 so your laboratory account passwords can be changed.

— Mark Leininger, Fermilab’s computer security manager