The big news in the anti-spam world lately has been the customer data breach at Epsilon. You may never have heard of Epsilon before this incident, so here is a quick description of them by Ken Magill.
Epsilon is the largest permission-based email marketing services provider in the world. According to the company’s Web site, it sends more than 40 billion emails annually for more than 2,500 clients, including seven of the Fortune 10.
The data breach first came to widespread attention as major brands such as Hilton, Tivo and Dell began emailing their customers to warn them that their email addresses had been compromised.
This is nothing new in the world of email marketing, high profile data breaches have occurred in recent years with email providers such as iContact and Aweber (twice) and there is a longer history of them dating back to 2005 and 2002. And thats just a few of the ones we actually hear about.
It should come as no surprise that databases of active, verified email addresses are a rich target for data thieves, just as other targets such as the companies that issue SSL certificates or make security tokens are also highly targeted.
The thought of your email addresses being compromised in this way might alarm some customers. But what is the real impact? More spam?
As I explained to one of my customers, if you have an email address then there is a pretty good chance the spammers already have it. In this particular case an office of only 8 staff has close to 40,000 spam emails blocked each month. A few new spammers getting hold of those email addresses might increase the volume of spam a little.
But as long as that spam is still spam-like then it stands no greater chance of making it past the anti-spam protection our customers already have. In other words if the spam is still coming from untrusted IP addresses such as botnets, contains content that will be filtered, or links out to malicious URLs, then you can expect it to be blocked just like other spam.
The real risk is if the spammers are able to construct spam emails that make it past the anti-spam filters, which as we all know does happen from time to time. Depending on the extent of the Epsilon data breach the spammers may also be in possession of information that makes it easier to trick the receiver into believing it is a legitimate email.
For example of the spammer knows your email address and your real name and which companies you've done business with and therefore expect to receive email from, then they can craft a more personalized and relevant spam email to send to you.
So while most people would recognize an email from a bank that they aren't a customer of as spam, if the same email appeared to come from the bank that they do use and addresses them by their real name then the phishing attempt may be more successful.
All of this places the weakest link (aside from the apparently flawed security of email service providers) at the same place it has always been – the end user and their awareness of issues around spam, social engineering, and phishing.
Unfortunately these are complex issues and as Laura Wise recently showed it can be hard enough for an expert in this field to tell real email from fake. Worse still some companies send legitimate email that easily fits the profile of a phishing attempt.
So what are you telling your customers about this?