According to the Federal Trade Commission's Consumer Sentinel Network, identity theft was the number one complaint category for the 2010 calendar year. The 250,854 identity theft complaints filed nationwide exceeded the second-ranked complaint category by more than 100,000. Even more disconcerting, Florida had the highest per capita rate of reported identity theft complaints in the nation.
The information derived from the Consumer Sentinel Network also indicated that, of the consumers who filed a fraud complaint and indicated how they were contacted, 45 percent said the perpetrator's initial contact was by email. For this reason, we've dedicated the April issue of the Florida Consumer E-Newsletter to providing you with information on a current identity theft threat, spear phishing, along with a few tips on how to avoid being victimized. Remember, we are here for you. Either visit us online, or simply call 1-800-HELP-FLA (435-7352) from within Florida, 850-410-3800 from outside of Florida or 1-800-FL-AYUDA (352-9832) en Español. A member of our Consumer Assistance Center will be more than happy to answer any consumer-related questions you may have or direct you to the best resource for assistance.
In an age where identity theft impacts more than 10 million Americans each year, the protection of consumers' data is a fundamental responsibility of any business… even when it is only names and email addresses.
The Perils of Spear Phishing…
There is no doubt that, for many reasons, it is enormously beneficial for a company to be able to communicate with its customer base whenever necessary. Email is the most efficient way to accomplish this, and many businesses will ask for permission to do so, either at the point of sale or when the consumer visits their website. In an effort to stay focused on their core mission, these same companies often opt to outsource the management of their customer databases to a third party. Normally this would not seem problematic, but a recent data breach at Epsilon Data Management LLC has consumer advocates across the country gravely concerned.
Epsilon is one of the world's largest permission-based email marketing providers, touting over 2,500 clients. Some of the companies that have reportedly been affected by the breach include: Target, Capital One, Marriott Rewards, Hilton Honors Program, Verizon, Disney Destinations, Best Buy, TiVo, Citi, Walgreens, JP Morgan Chase, Ameriprise Financial, LL Bean Visa Card, Home Shopping Network, The College Board, Kroger and Brookstone. A full investigation is underway, and the company is assuring consumers that the information the hackers were able to access was limited to email addresses and/or customer names.
Should I Be Concerned?
Consumers should be aware that while the hackers in the Epsilon data breach did not get passwords, financial data or any other compromising data, the information they did get may allow them to conduct a more sophisticated, targeted phishing campaign called "spear phishing." Phishing is simply a method of acquiring an individual's personal data (bank or credit card account numbers, Social Security number, passwords, etc.) in order to commit identity theft. The scammer will typically use the internet (email, social networking sites or pop-up messages) to impersonate a legitimate business or government entity. The message may ask you to "update," "validate" or "confirm" your account information. You will be directed to a website that looks just like the legitimate organization's site, but it's not. This bogus site will either attempt to trick you into revealing sensitive personal data, or it may download a virus or other malware onto your computer that lets the scammers collect the same information themselves.
If you have reason to believe that a financial institution actually does need personal information from you, pick up the phone and call the company yourself to verify. Use a number that you know to be correct (for example, the one printed on the back of your card or on a recent statement), not the one the email provides!
The success rate of a basic phishing attempt is relatively low. Consumers usually recognize it as fraudulent, because there is no reference to them personally and/or they've never had any type of business relationship with the particular organization that has contacted them. The fear among consumer advocates regarding the Epsilon data breach is that the scammers now have a list of confirmed email addresses and names, tied to the specific companies each person does business with, which enables them to conduct a targeted or "spear phishing" campaign. These consumers signed up to receive marketing emails from many of the aforementioned companies, so it would not seem out of the ordinary for those companies to contact them. An email that addresses them by name and appears to come from a company they already deal with is far more likely to succeed than a "blind" phishing campaign would be.
How Can I Protect Myself?
- Don't respond to any emails that request personal or financial information, especially not ones that use pressure tactics or prey on fear. Email is not a secure method of transmitting personal information. Legitimate companies typically don't ask for this type of information via email.
- Avoid opening attachments or downloading files from emails you weren't expecting. If you would like to visit the website of a company or organization that has contacted you by email, don't just click on the link provided in the email; open a new browser window and type the company's web address yourself. Don't copy and paste it in. A link's visible text and the address it actually opens can be completely different, so a URL that looks real in an email may lead somewhere else entirely, and the sender's address can be forged just as easily.
- Personal firewalls as well as up-to-date, high-quality security software (with anti-virus, anti-spam and spyware detection features) are a must-have for anyone who conducts financial transactions online. Don't download free software unless it comes from a site that you know and trust. You should also set your operating system to download and install security patches automatically. Only conduct your financial transactions on a secure web page that uses encryption. While no indicator is foolproof, look for a closed padlock in the browser's address or status bar, and make sure the URL starts with "https" rather than just "http." Keep in mind that the padlock only means your connection to that site is encrypted; it does not prove the site is the one you intended to visit.
- Take action immediately if you think your computer has been infected. Disconnect from the internet and run an anti-virus and anti-spyware scan.
- Don't toss aside your monthly account statements. Read them thoroughly as soon as they arrive to make sure that all transactions shown are ones that you actually made. Check to see whether all of the transactions that you thought you made appear, as well. If the statement is late by more than a couple of days, call the company to confirm your billing address and account balance.
- Visit the Anti-Phishing Working Group. You'll find a list of current phishing attacks, the latest news in the fight to prevent phishing, as well as links to helpful resources.
- If possible, avoid using your email address as a login ID or password.
- Forward any spam that is phishing for information to all of the following: the company, bank or organization being impersonated in the email (most organizations have information on their websites about where to report problems), firstname.lastname@example.org, the FBI's Internet Crime Complaint Center (IC3), and the Anti-Phishing Working Group. If the email claims to come from a brokerage firm or mutual fund company, be sure to also forward it to the U.S. Securities and Exchange Commission's Enforcement Division at email@example.com.
- If you believe you've been scammed, file a complaint with the Federal Trade Commission (FTC), and then visit the FTC's Identity Theft page.
Security Tip: Some phishers build spoofed websites that display a padlock image within the page itself to look secure. To double-check, click the padlock icon in the browser's address or status bar to view the site's security certificate. Next to the words "Issued to" you should see the name of the site you think you're on. If the name differs, you are probably on a spoofed site. Bear in mind that a scammer can obtain a perfectly valid certificate for a look-alike address, so the mere presence of a certificate proves nothing by itself; what matters is that the name on it is the one you expected.
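The "Issued to" comparison in the security tip is, in effect, hostname matching against the certificate's names. The following is an added example written for this page, not code from the newsletter or from any browser; the certificate dictionaries are constructed to mirror the shape Python's ssl.SSLSocket.getpeercert() returns, and examplebank.com, account-verify.net and "Example CA" are placeholders. It shows why a look-alike site can carry a valid padlock and still fail the check:

```python
"""Added example (not from the newsletter): compare the names a certificate is issued
to with the site you think you are on. The cert dicts are constructed to mirror the
shape Python's ssl.SSLSocket.getpeercert() returns; no real certificate or network is used."""


def names_issued_to(cert):
    """DNS names the certificate is issued to: subjectAltName dNSName entries, falling
    back to the subject commonName only when there are none (modern browsers skip the
    CN fallback entirely and require a subjectAltName)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, host):
    """Conservative RFC 6125 matching: case-insensitive, and a wildcard is allowed only
    as the whole leftmost label, where it stands for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def issued_to_expected_site(cert, expected_host):
    """True when one of the 'Issued to' names covers the host you meant to visit."""
    return any(name_matches(name, expected_host) for name in names_issued_to(cert))


# Constructed certificates (placeholder names, not real issuers or sites).
BANK_CERT = {
    "subject": ((("commonName", "www.examplebank.com"),),),
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "examplebank.com")),
    "issuer": ((("organizationName", "Example CA"),),),
}
# A phisher can obtain a perfectly valid certificate for a look-alike name, so the
# browser shows a padlock; what gives it away is that the name is not the bank's.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www.examplebank.com.account-verify.net"),),),
    "subjectAltName": (("DNS", "www.examplebank.com.account-verify.net"),),
    "issuer": ((("organizationName", "Example CA"),),),
}

if __name__ == "__main__":
    print(issued_to_expected_site(BANK_CERT, "www.examplebank.com"))       # True
    print(issued_to_expected_site(LOOKALIKE_CERT, "www.examplebank.com"))  # False
```

The look-alike certificate passes the browser's own check for the address actually visited (www.examplebank.com.account-verify.net), which is why the padlock appears, but it does not cover www.examplebank.com, the site the consumer believes they are on. That second comparison is the one the tip asks you to make by eye.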