Target shoppers at risk of "spear phishing" attacks
The biggest risk for Target (TGT) shoppers whose personal data was recently compromised may come less from the original breach than from a wave of secondary scams seeking to pilfer far more important
information.
Target's failure to safeguard consumer information – an incident now estimated to affect as many as 110 million people and involving far more information than just credit card numbers, including names, email addresses and phone numbers – puts the company’s customers at risk of so-called “spear phishing.”
Spear phishing is a more toxic version of the generic online “phishing”
scams that aim to ferret out your personal information with a phone call or
email. What makes spear phishing more dangerous is that fraudsters have enough information about the target to make the
contact appear legitimate.
If you are in the habit of getting electronic bill notifications and paying your bills online, a spear phishing attack with the information stolen from Target could look nearly identical to the routine communication you receive from your credit card companies and bank.
Dear John,Your account xxxx-xxxx-xxxx-2056 has been compromised. Please click on the link below to contact our fraud department.
Or
Dear Sally,
Your online statement is ready to view. Please click on the link below and sign into your account.
Worse, because locations and phone numbers were also compromised, victims may have to ward off attacks from multiple fronts – email, social media and telephone. That makes it imperative that Target shoppers take these five steps to protect their accounts and identity.
1. Accept the retailers’ credit monitoring offer. Target has offered to provide one year of free credit monitoring and identity theft protection to every consumer who has shopped in their stores over the past year – regardless of whether or not they are affected by the data breach. Take them up on it. Details of the offer are not yet available, but should be accessible here next week.
2. Double-check statements. If you used a credit card at Target, make a concerted effort to go through every item on the bill and continue to do this for several months. Don’t just look for big items, said Bill Hardekopf, chief executive of credit card information site LowCards.com. In some cases, crooks charge small items to verify the card before ringing up big purchases.
3. Respond, don’t react. If you are contacted by email or phone to verify your account, view a statement or report fraud, stop and think before responding. A real creditor will allow you to call back – not to a number they specify, but to the listed number for the company – to respond to an inquiry. A real email contact about your monthly statements will follow an identical format as the statements you’ve received in the past. Look for any deviation before assuming it’s legitimate. And be aware that any pressure tactic to push you to respond immediately is a red flag of fraud. Hang up on high-pressure callers. Ignore threatening emails.
4. Don’t click through. Even if you think the statement you’ve received via email is legitimate, consider opening a new browser window and going to the company’s web site another way. There’s no downside to being too cautious. On the other hand, clicking on a malicious link could load your computer up with viruses and "malware" that could put your entire electronic life at risk.
5. Update your security software. If you don’t have security software on your computer and phone (if you use it for banking or payments), get it. Keep it updated. Normally, if you click on a link that’s about to take you to a suspicious site, the security software will issue a warning and allow you to back out before any damage is done. Don’t ignore the warnings.