Target breach: making a bad situation worse

By Kris Monroe, NCI Fellow

I was prompted to write my first blog post for NCI after my wife received an email from Target on Friday, January 17th. This email, with the subject “Important message from Target to our guests”, talked about their breach and offered one year of free credit monitoring. At first read, this email looked “phishy”.

Hopefully you know by now, but phishing is an electronic attempt (usually by email) by criminals to acquire sensitive information, such as usernames, passwords and credit card details, by pretending to be a legitimate entity like PayPal, an online bank or a well-known store.

This email had at least three classic phishing indicators:

  1. Sent from an unknown address, TargetNews@target.bfi0.com
  2. Generic greeting of “Dear Target Guest” instead of the recipient’s actual name
  3. Prompting the recipient to click on an ID theft insurance link “To receive your unique activation code for this service”

It turns out that this particular email was legitimate. Target has set a bad example and made it easy for malfeasants to use an almost exact copy for their phishing pleasure. In my opinion, they’ve taken a bad situation (breach) and opened the doors to making it worse (phishing-palooza).

Remain ever diligent:

  • Watch out for “phishy” emails asking the recipient to “confirm” personal information.
  • Don’t click on links within emails that ask for your personal information. Criminals use these links to lure people to phony Web sites that impersonate real ones. Hover over the link and look at the destination link closely in the bottom bar of the window.
  • To check whether the message is really from the company or agency, call it directly or go to its Web site (use a reputable search engine to find it).
  • Only open email attachments if you’re expecting them and know what they contain.
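
The three indicators listed earlier can also be checked mechanically when triaging a reported message. The sketch below is an added example, not part of the original post: it assumes a single-part HTML message, takes `target.com` as the brand's own domain, and uses a placeholder link (`activation.example`), since the post does not give the real link destination.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # keep the real destination, not the visible link text
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw, brand_domain):
    """Return which of the three indicators the raw message shows."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumption: single-part message
    findings = []
    # 1. Sender address outside the brand's own domain
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not under(sender_host, brand_domain):
        findings.append(f"sender domain {sender_host} is not under {brand_domain}")
    # 2. Generic greeting instead of the recipient's name
    if re.search(r"\bDear\s+(\w+\s+)?(Guest|Customer|Member|User)\b", body, re.I):
        findings.append("generic greeting")
    # 3. Links whose destination host is outside the brand's domain
    collector = LinkCollector()
    collector.feed(body)
    for href in collector.hrefs:
        host = urlparse(href).hostname
        if not under(host, brand_domain):
            findings.append(f"link destination {host} is not under {brand_domain}")
    return findings

# Constructed sample: sender, subject and greeting come from the post; the URL is a placeholder.
SAMPLE = """\
From: Target <TargetNews@target.bfi0.com>
Subject: Important message from Target to our guests
Content-Type: text/html

<p>Dear Target Guest,</p>
<p><a href="https://activation.example/code">To receive your unique activation code</a></p>
"""
```

Calling `phishing_indicators(SAMPLE, "target.com")` reports all three indicators. As the Target email shows, a legitimate message can trip every one of them, so the output is a reason to verify through the company's own site or phone number, not a verdict.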