Spear Phishing: The Real Danger Behind the Epsilon Data Breach

By now, many have heard about the data breach at Epsilon, a marketing company that sends e-mail messages and claims to be "the world's largest permission-based e-mail marketing provider." According to their website, they send, on average, 109 million e-mail messages a day.

It has been reported that the only data lost by Epsilon were names and e-mail addresses.

I am skeptical of this for three reasons.

First, an article in the Wall Street Journal says that Epsilon specializes in things like not sending winter coat ads to someone living in Florida. That kind of targeting implies they have more information than just names and e-mail addresses.

Also, the company has said that they are limited in what they can disclose publicly due to ongoing investigations. Finally, David Perry, the director of public education for Trend Micro, who is much more up on these things than I am, said on The Personal Computer Show that other data was probably stolen.

Roughly 50 companies had their data leak from Epsilon; among them: Kroger, US Bank, JPMorgan Chase, Capital One, Citi, Ameriprise Financial, Ritz-Carlton Rewards, Marriott Rewards, Hilton Honors, Brookstone, Walgreens, Disney Destinations, Best Buy and the Home Shopping Network. Databreaches.net has a longer list.

As the list implies, Epsilon is also involved in loyalty programs, another indicator that they store more than just names and e-mail addresses.

Needless to say, this data breach will result in more spam. But the bigger danger is spear phishing. Spam is an annoyance; phishing may be dangerous; spear phishing is much more likely to be dangerous.


Phishing e-mails are scams designed to trick the victim into divulging personal information.

One common tactic is threatening to close your account unless you follow the instructions in the e-mail. Another popular scam asks the victim to confirm information after suspicious activity in their account. Or, the lie may be that security is being improved and this requires the confirmation of assorted personal information. JPMorgan Chase warns that:

"... phishing e-mail usually takes an urgent or demanding tone, telling you to act immediately to verify or update personal information such as bank account numbers, user names/passwords, credit card account numbers - even your Social Security Number."

Phishing e-mails can often be detected as such, both because the scammers don't know anything about the victim (a note from a bank where you don't have an account, for example) and because they may send out tons of identical e-mails.

Spear phishing is much harder to detect, for both of these reasons. As the name implies, these scams are more directly targeted, meaning there are few e-mails for spam filters to latch on to. Also, the bad guys know something about their target, making the scam much more likely to appear legitimate.

Computerworld reporter Gregg Keiser writes:

To illustrate the danger of spear phishing, consider Condé Nast. The Wired Threat Level blog just wrote about how its corporate parent was scammed:

Someone at Condé Nast took the bait, and for about 1.5 months, they paid the bad guys rather than their actual printer. In total, they falsely paid out roughly $8 million.


Regular phishing may appear to come from a company that you do not have a relationship with. Spear phishing always purports to be from a company you do business with (such as Quad/Graphics in the case of Condé Nast).

Regular phishing starts with Dear Customer. Spear phishing addresses the target by name.

Regular phishing may talk about your frequent flyer miles as a concept. A spear phish will mention your 76,400 frequent flyer miles, and you really do have that many.

Regular phishers don't know where you live. An article in the New York Times suggested that data taken from Epsilon could be cross-checked with public information to learn your mailing address.

Regular phishing e-mails target one company. As a result of this huge theft of data, e-mails like the following may appear:

Dear Groucho Marx,

VictimCompany1 has just teamed up with VictimCompany2 and VictimCompany3 in a new loyalty program. This program offers great savings on products from all three companies. To sign up click this link.

And, of course, since Groucho has a business relationship with all three companies, it appears legit.

Spam blockers can't be counted on to detect a message like this, since it's so personalized. And, it's not spam. In the case of Condé Nast, the bad guys only needed to send one e-mail message to hook their victim.
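The two points above, that filters latch on to many identical copies of a regular phish while a personalized message looks unique, can be shown with a toy bulk-mail detector. This is an added example, not code from the article; the mailbox, names and URLs are constructed, and it goes one step further than the text by showing that normalizing the personalized fields lets a filter re-cluster templated mass spear phishing, while a true one-off message (like the single e-mail that hooked Condé Nast) still has nothing for a volume-based filter to count.

```python
import re
from collections import Counter

# Constructed sample mailbox (not real messages from the breach):
# two identical copies of a regular phish, two personalized copies of a
# templated "loyalty program" spear phish in the style of the article's
# Groucho example, and one hand-written, single-target spear phish.
MAILBOX = [
    "Dear Customer, your account will be closed unless you verify now: http://example.test/verify",
    "Dear Customer, your account will be closed unless you verify now: http://example.test/verify",
    "Dear Groucho Marx, VictimCompany1 has teamed up with VictimCompany2. "
    "You have 76,400 miles. To sign up click this link: http://example.test/join",
    "Dear Harpo Marx, VictimCompany1 has teamed up with VictimCompany2. "
    "You have 12,300 miles. To sign up click this link: http://example.test/join",
    "Hi Sam, attached is the updated remittance form for our printer. "
    "Please wire this month's payment to the new account.",
]


def normalize(body):
    """Blank out the fields a mass-mailer personalizes: greeting name and numbers."""
    body = re.sub(r"^(Dear|Hi) [^,]+,", r"\1 <NAME>,", body)
    body = re.sub(r"\d[\d,]*", "<NUM>", body)
    return body.strip().lower()


def bulk_counts(mailbox, normalize_fields=True):
    """For each message, how many messages in the mailbox share its body.

    With normalize_fields=False this is the naive 'identical copies' check
    the article describes; with normalization, templated personalization
    no longer hides the bulk nature of the message.
    """
    keys = [normalize(m) if normalize_fields else m for m in mailbox]
    counts = Counter(keys)
    return [counts[k] for k in keys]


def flag_bulk(mailbox, threshold=2, normalize_fields=True):
    """True for messages seen at least `threshold` times (a volume signal)."""
    return [c >= threshold for c in bulk_counts(mailbox, normalize_fields)]


if __name__ == "__main__":
    print("naive:     ", bulk_counts(MAILBOX, normalize_fields=False))
    print("normalized:", bulk_counts(MAILBOX))
    print("flagged:   ", flag_bulk(MAILBOX))
```

The last message is never flagged by either variant: with no other copies to count, a volume-based filter has nothing to work with, which is exactly the gap the article warns about.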

Spear phishing also seems to be at the root of the RSA data breach, where it has been reported that an employee opened an Excel spreadsheet attached to the scam e-mail message.

The spreadsheet contained a Flash file that exploited a bug in Flash to install malware and things went downhill from there. These spear phishing messages were sent to "two small groups of RSA employees".


This illustrates that there are two actions the bad guys try to get victims to perform: either clicking on a link in the e-mail message or opening an attached file.

Warnings about files attached to e-mail messages have been around forever. If the Internet had a handbook, it would be on page one. The world seriously needs an Internet User Guide.

Another thing Internet users need to know is that reputable companies never request personal information by e-mail.

Here is what some of the companies whose Epsilon data was stolen had to say about this:

Chase: "We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information ... It is not Chase's practice to request personal information by e-mail."

Crucial: "We will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial."

Kroger: "Kroger would never ask you to e-mail personal information, such as credit card numbers or Social Security numbers."

Best Buy: "Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an e-mail asking for personal information, delete it. It did not come from Best Buy."

More reasons why phishing scams succeed, and how to defend yourself, next time.
