Target breach leaves customers vulnerable to phishing threats
Target rolled out the one-size-fits-all approach to data breaches: the dreaded one year of free credit monitoring for affected consumers.
Signing up for credit monitoring in the wake of a breach is kind of like taking a sugar pill for cancer.
It’s a placebo.
Just once, I’d love to see a company that failed to protect consumer information foot the bill for credit freezes for affected consumers. Monitoring may let you know when a lender checks your credit in response to an application, but freezes proactively keep lenders out. No ability to do a credit check, no new credit lines.
Ordinarily, I’d say if a breach didn’t involve Social Security numbers, consumers aren’t likely to be victims of new credit fraud if their credit card numbers are stolen.
But there’s a lot going on in the Target breach, including the theft of email addresses tied to card accounts, that could leave consumers especially vulnerable. It’s not for nothing that Target announced it was throwing $5 million into an anti-phishing campaign aimed at consumers.
And with the news that Neiman-Marcus and other retailers may have suffered eerily similar breaches during the holiday shopping season, consumers are justifiably on edge.
Greg Kelley, the chief technology officer at the Medina-based computer forensic firm Vestige Digital Investigations, says victims are likely to get emails that appear to be from banks – or even from Target itself – warning that fraudulent activity was detected on a consumer’s account.
We all get these types of fraudulent emails all the time. They try to scare us about unauthorized activity and offer us a link to click on to solve the problem. Consumers recognize many of these emails as fraudulent because the bank isn’t one they do business with.
But consumers often are confused when the spam appears to come from their own bank.
The Target breach offers scammers a better way to target, if you will, victims.
So a Target customer gets an email purporting to be from a bank or from Target itself, warning that the person is indeed a breach victim and offering a new card. Or for that matter, credit monitoring.
Because account numbers were stolen – we know they’re being sold with location information on the black market – “the email might even have your credit card number,” Kelley said.
So you have multiple things going on in the email that are meant to instill trust – a bank name, a logo, the copyright info that spammers love to put on the bottom of spam, and your name and your credit card number.
And you’re worried about the breach – so half the scammers’ job is done. They don’t have to induce panic, as they ordinarily would. They just have to exploit the panic you’re already feeling and offer you a seemingly easy solution – which is how many frauds work.
The solution is fake. It could be anything. A new card. Credit monitoring.
“They’ll make the email sound so inviting and convincing,” Kelley said. “People are going to think, ‘my bank’s being so proactive.’ ”
Chances are, if you’re not on guard about phishing, you’ll be tempted to click the link, which can either infect your computer with spyware or take you to a spoofed page that will look like a real bank where you are asked to fill out personal information thieves don’t already have.
And while savvy computer users may know their bank doesn’t use a Gmail account or that they can hover over a link and see where it actually leads, or check the email properties to see the sender, many people simply don’t know how to do those things.
So consumers should be extra wary about what’s in their email boxes as the breach revelations unfold.
- Don’t reply to emails about fraudulent account activity, even if they contain threats to close your account. (You’d be surprised how many people attempt to check the veracity of an email by responding to ask if it’s for real.)
- If you want to check to see if an email is real, contact your bank using the phone number on your bill, not the one in the email.
- The same goes for calls about account fraud – because we know that in some cases, the thieves got some phone information, too.
- Proactively ask for a new account number if you suspect you were a breach victim. (You can look at past statements to see if you have charges – or worse, debits – at Target from November to mid-December.)
Kelley says it’s a good practice in general to establish separate email accounts – one exclusively for shopping and communicating with retailers and a separate one for social media accounts. It just makes it easier to spot phishing emails.
One last thing: Make an effort to develop strong passwords (characters, numbers and symbols) and avoid using the same password on multiple accounts.
Kelley shared a scary story (https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/) of how hackers can sometimes use a small bit of information from one online account to hack the victim’s other accounts. Strong passwords can help protect you.
Finally, if Target offers you credit monitoring, ask if it will pick up your tab for a credit freeze instead.
The cost for freezes varies by state – and in enlightened states, freezes are free. But in Ohio, people have to pay the three bureaus $5 each for a freeze and then pay $5 for a temporary thaw when they want to apply for credit or open their report for a credit check if, for example, a potential employer requests one.
If an identity thief used or tried to use your personal information (as opposed to just taking it), you qualify for free freezes and thaws in Ohio.
Not a breach victim? Your time will no doubt come. Getting a freeze now makes getting breach notices a little less stressful.
Freezes won’t prevent someone from misusing an existing credit account, but they will keep bad guys from applying for new credit cards or loans using your name and personal information.
To find more information on freezes in Ohio, visit http://bit.ly/freezeoh.
The Plain Dealer – Cleveland, OH | Plain Dealing
By: Sheryl Harris, Consumer Writer