Spear Phishing: the real danger behind the Epsilon data breach

By now, many have heard about the data breach at Epsilon, a marketing company that sends email messages and claims to be "the world’s largest permission-based email marketing provider". According to their website, they send, on average, 109 million email messages a day.  

It has been reported that the only data lost by Epsilon were names and email addresses.

I am skeptical of this for three reasons.

First, an article in the Wall Street Journal says that Epsilon specializes in things like not sending winter coat ads to someone living in Florida. Doing so implies they have more information than just names and email addresses.

Also, the company has said that they are limited in what they can disclose publicly due to ongoing investigations. Finally, David Perry, the Director of Public Education for Trend Micro, who is much more up on these things than I am, said on The Personal Computer Show that other data was probably stolen.

Update: April 13, 2011. Bill Snyder, writing for PC World, is "not entirely convinced" of the accuracy of statements by Epsilon. He notes that "The really skilled hack is invisible to the victim."

Roughly 50 companies had their data leak from Epilson; among them: Kroger, US Bank, JPMorgan Chase, Capital One, Citi, Ameriprise Financial, Ritz-Carlton Rewards, Marriott Rewards, Hilton Honors, Brookstone, Walgreens, Disney Destinations, Best Buy and the Home Shopping Network. Databreaches.net has a longer list.    

As the list implies, Epsilon is also involved in loyalty programs, another indicator that they store more than just names and email addresses.

Needless to say, this data breach will result in more spam. But, the bigger danger is spear phishing. Spam is an annoyance, phishing may be dangerous but spear phishing is much more likely to be dangerous.


Phishing emails are scams designed to trick the victim into divulging personal information.

One common tactic is threatening to close your account unless you follow the instructions in the email. Another popular scam asks the victim to confirm information after suspicious activity in their account. Or, the lie may be that security is being improved and this requires the confirmation of assorted personal information. JPMorgan Chase warns that:

 ... phishing e-mail usually takes an urgent or demanding tone, telling you to act immediately to verify or update personal information such as bank account numbers, user names/passwords, credit card account numbers - even your Social Security Number.  

Phishing emails can often be detected as such, both because the scammers don't know anything about the victim (a note from a bank where you don't have an account, for example) and because they may send out tons of identical emails.

Spear phishing is much harder to detect, for both these reasons. As the name implies, these scams are more directly targeted, meaning there are few emails for spam filters to latch on to. Also, the bad guys know something about their target making the scam much more likely to appear legit.

Computerworld reporter Gregg Keiser writes:

Spear phishing is most commonly used by identity thieves hoping to obtain access to consumers' and businesses' bank or credit card accounts, although the term is also used to describe any attack aimed at specific individuals rather than relying on huge volumes of messages.

To illustrate the danger of spear phishing, consider Condé Nast. The Wired Threat Level blog just wrote about how their corporate parent was scammed

[The] accounts payable department received an e-mail that purported to come from Quad/Graphics, the company that prints Condé Nast magazines. The e-mail instructed Condé Nast to send payments for its Quad/Graphics account to a bank account number provided in the e-mail, and included an electronic payments authorization form. The e-mail indicated the account was for Quad Graph, a name similar to the real printer’s name.

Someone at Condé Nast took the bait, and for about 1.5 months, they paid the bad guys rather than their actual printer. In total, they falsely paid out roughly $8 million.


Regular phishing may appear to come from a company that you do not have a relationship with. Spear phishing always purports to be from a company you do business with (such as Quad/Graphics in the case of Condé Nast).

Regular phishing starts with Dear Customer. Spear phishing addresses the target by name.

Regular phishing may talk about your frequent flyer miles as a concept. A spear phish will mention your 76,400 frequent flyer miles and you actually have that many.

Regular phishers don't know where you live. An article in the New York Times suggested that data taken from Epsilon could be cross checked with public information to learn your mailing address.

Regular phishing emails target one company. As a result of this huge theft of data, emails like the following may appear

Dear Groucho Marx,

VictimCompany1 has just teamed up with VictimCompany2 and VictimCompany3 in a new loyalty program. This program offers great savings on products from all three companies. To sign up click this link.

And, of course, since Groucho has a business relationship with all three companies, it appears legit.

Spam blockers can't be counted on to detect a message like this, since it's so personalized. And, it's not spam. In the case of Condé Nast, the bad guys only needed to send one email message to hook their victim.

Spear phishing also seems to be at the root of the RSA data breach where it has been reported that an employee opened an Excel spreadsheet attached to the scam email message.

The spreadsheet contained a Flash file that exploited a bug in Flash to install malware and things went downhill from there. These spear phishing messages were sent to "two small groups of RSA employees".


This illustrates that there are two actions the bad guys try to get victims to perform: either clicking on a link in the email message or opening an attached file.

Warnings about files attached to email messages have been around forever. If the Internet had a handbook, it would be on page one. The world seriously needs an Internet User Guide.

Another thing Internet users need to know is that reputable companies never request personal information by email.

Here is what some of the companies whose Epsilon data was stolen had to say about this:

Chase:  "We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information ... It is not Chase's practice to request personal information by e-mail."

Crucial: "We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial."

Kroger:  Kroger would never ask you to email personal information, such as credit card numbers or social security numbers.

Best Buy:  Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.   

More reasons why phishing scams succeed, and, how to defend yourself, coming soon.

Copyright © 2011 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon