I received the following email from a blog reader this morning:
FYI I have received 3 phishing emails in the last 12 hours including emails purportedly from Charter, Walgreens, and Citibank; of special interest however is the fact that I received a phone call on my home phone and the ID listed the caller as ‘Hilton.’ I was not expecting a call from Hilton, and there is no reason for HIlton to call me. When I answered the phone, the caller simply hung up.
Is it possible that the Epsilon breach also included some phone numbers?
Thank you.
Has anyone else gotten any suspicious phone calls like that after finding out that their name and email address were involved in the Epsilon breach? You can use the Comments section below, but more importantly, if you do get a phishing attempt, let the Secret Service know: [email protected]
Update: In a comment to this post, Neil Schwartzman appropriately points out that some phishing attempts may be opportunistic. I followed up with the original correspondent, and his response is a great example of how confusing this can all be for consumers:
I did not receive an email from Hilton ‘confirming’ a breach of my info, but I do not believe in coincidence and there was no reason for me to get a call from Hilton. I do have accounts with Hilton and noticed their name on your website list of companies involved.
To be honest with you, how can we know that the so-called notices of possible breach are not phishing emails in and of themselves. I received three ‘notices of possible breach’ … Charter, Walgreen, and Citibank. All three notices came to us by way of an email address that we discontinued 3 years ago and no longer currently use in our dealings with the above companies; notices to that old address are still forwarded to us internally by our email provider (redacted). The Citibank email came with the ‘last four digits of (your) credit card.’ The numbers did not match any of our cards. When I checked with a Charter live-chat agent, he denied that the notice came from Charter and went so far as to say that Charter did not use Epsilon. All three notices of ‘possible breach’ came with live sites/icons in the body of the email. I have no intention to click on any of those live icons to find where they lead.
As far as I am concerned, any so-called ‘notice of possible breach’ should not contain a live icon or address at all! These ‘notices of possible breach’ could easily be ‘phishing’ in its most devious form.
Who to trust now????!!!!
Indeed. Perhaps one of the aftermaths of this breach will be that businesses are hurt because consumers become less likely to click on links in their promotional emails, fearing that they are phishing attempts/malware.
Until there is verifiable spam sent to tightly-controlled tagged email addresses that appear ONLY on one of the purloined lists, this is speculation, at best, or possibly other opportunistic spammers capitalizing on the theft. I think the real fall-out has yet to be seen.
I agree it’s somewhat speculative, which is why I posed a question and asked what others are experiencing. Like you, I think we need to see vendor-specific (tagged) email addresses if we are to conclude that the spam or phishing is a result of the data breach.
What do you think the real fall-out from this will be?
We are a customer of Charter Communications, and a few of the other companies that their data got compromised with the Epsilon hacking, and over the last two weeks, we have gotten at least 7 bogus phone calls with different types of “Sweepstakes” and “Survey Winner” scams. We are on the Do Not Call list also! I am curious, has other information other than the company associated with the email information been compromised and they are trying to cover up the fact that more information was leaked than stated?