Ask the Expert: Am I At Risk If Stores I Shop At Keep My Email Address on File?

Q: In the last month I’ve received emails from some of the stores I shop at warning me that my email address might have been stolen by hackers. I thought it was safe for these companies to have my email address, but now I’m not so sure. Am I at risk? These companies say it’s safe — but now I’m not sure who to believe.

A: You’re right to be concerned about this. If you’re like me, you probably don’t even know that your favorite stores keep personal information about you, stuff like your name and email address.

Normally this wouldn’t be something to think twice about, because all of these companies pay security consultants a boatload of money to keep this information safe. But a few weeks ago, hackers were able to breach the security at Epsilon, an online marketing company. These hackers stole a bunch of customer data from Best Buy, Verizon, Brookstone, Capital One, Citi, JPMorgan Chase, US Bank, TiVo, Walgreens, Home Shopping Network, TurboTax, McKinsey and Company, including many other companies (and even some government agencies like the Department of Defense and the Department of Energy).

Between this massive email breach at Epsilon and the recent Sony attack (click here to read a startling timeline of events leading up to the Sony hack!), we may be witnessing two of the biggest attacks in recent history!

What’s even scarier is that no one really knows exactly what they stole.

So you probably received an email from one of these companies which mentioned this security breach. This warning said that you should not reply to suspicious emails asking you for personal information, like your account login, which is excellent advice.

As a rule, you shouldn’t reply to any email that looks suspicious or asks for personal information. Companies never ask for personal logins or other information via email, so any email which asks for such information should be reported to the company they claim to represent in order to confirm the validity of the email message.

Epsilon has over 2,500 clients and sends out nearly 40 billion emails each year, so it’s possible that an extremely large number of email addresses were stolen by these hackers.

In fact, we now know that it’s far worse than “only” names and email addresses that were accessed — Big Pharma has admitted your private medical information and prescription habits could have also been revealed.

Hackers can use this information for phishing and malware distribution, so it’s important that you know how to protect yourself from these kinds of intrusions.

What are phishing and malware, you ask? Phishing is the process of attempting to acquire usernames, passwords, or credit card details by pretending to be a trustworthy entity, usually via email. And malware is software designed to secretly access your computer without your knowledge. Malware includes computer viruses, worms, Trojan horses, spyware, and other malicious and unwanted software.

Email Safety Tips

How can you protect yourself from this kind of security breach? Below are some things you can do:

• If you receive a suspicious email that contains an attachment or a link, delete it immediately. Do not open it, forward it, or reply to it. Don’t fall prey from someone posing as the IRS or customer support from eBay, Amazon, PayPal, or other such website.
• eBay. Any eBay message about your account or that requests personal information will be in your My Messages folder. If you receive an email about your account, you should check to see if it is in My Messages. If it’s not, it’s fake and you should forward the entire email to spoof@ebay.com.
• PayPal. PayPal never sends email with the greeting “Dear PayPal User” or “Dear PayPal Member.” Real PayPal emails address you by your first and last name or the business name associated with your account. If you think you have received a fake email, forward the entire email to spoof@paypal.com.
• If you receive an email asking you to verify your account and/or giving you a time limit to respond you can assume that the email is fraudulent and is part of a phishing scam. Do not respond to the email in any way.
• Subscribe to an antivirus software and keep it up-to-date. Update your web browser so that it has anti-phishing security features, such as those available for Internet Explorer 7 and Firefox versions 3 and higher.
• Keep your operating system releases and patches up-to-date, as these releases are frequently security related. Make sure you download software, browser, and operating system patches from reputed and official sites to avoid viruses.
• Make sure you use strong passwords on your computer and each site in which you store personal information.

So these are some things you can do, but probably the best advice I can give is simply to use your common sense. If you receive an email that looks suspicious, trust your instincts and delete it.

Finally, if you want to read more about email security, Gmail has a great checklist here.