Archive for April 4th, 2011


Spear Phishing Season Is Declared Open

With the Epsilon breach announcement of last Friday, it seems every merchant under the sun is notifying their customers of the expected onslaught of electronic mail messages asking for bank account and credit card numbers among other personally identifiable information (PII).  Just in the last two days, I have received at least a half a dozen messages informing me of this possibility.

The result of this breach is likely to be the best spear phishing attack we have seen to date.  These phishing attacks will likely be highly targeted since the people that took the information from Epsilon know not only your name and email address, but also the merchant that the email address belonged.  While Epsilon states that only names and email addresses were taken, I would also think that all sorts of demographic information necessary to make these attacks very focused was also obtained.  That will mean the percentage of people responding to them will likely be higher than usual because of the level of detail that the attacks will be able to rely upon for targeting.  As a result, a lot of credit card numbers will likely get exposed.

So let us be prepared.  Even though you send out messages to your potentially affected customer base warning them of this possibility, there will likely be a lot of your customers that will end up getting caught in whatever scams get dreamed up.  Therefore you probably need to get your legal counsel up to speed as Epsilon and your company will likely end up embroiled in lawsuits regardless of the amount of warnings you issued.



If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


April 2011
« Mar   May »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,985 other followers