American retail giant Target sent an email to customers informing them their personal information may have been stolen. Unfortunately, many of the people who received the email thought it was a scam.
Shortly after Target admitted attackers had stolen payment card information and personal information belonging to its shoppers, experts warned consumers to be on the lookout for Target-related scams, such as phishing emails and malicious attachments.
These secondary attacks are very common after a data breach, as criminals know users are looking for more information as well as wondering if they were part of the impacted group.
This week, Target sent out emails addressed to "Dear Target guest" with elements which raised warning flags and made recipients wonder at the message's authenticity.
The sender email address wasn't from Target.com, and some people wondered why they received the email when they weren't Target customers. The message also contained a link and asked users to click on it, which is a common tactic used by scammers trying to lure victims to a malicious webpage.
"This email from Target is a lesson in how to make an email that looks like a scammer's (but is actually legitimate) and is bad practice that should be avoided by all enterprises," James Lyne, global head of security research for Sophos, wrote on Forbes.com.
Why Target's email was suspicious
Attackers stole roughly 40 million debit and credit card numbers from shoppers who swiped their cards at Target retail outlets around the country during the holiday shopping season. Attackers also stole personal identifying information, such as names, mailing addresses, phone numbers, and email addresses, for 70 million customers, many of whom may not have shopped at a Target store in months, if not years. Target sent email notifications to shoppers in the latter group this week and offered free credit monitoring services with Experian for up to a year.
Despite the sketchiness, this particular email, "from" Target CEO Gregg Steinhafel, was legitimate. It also appears that Target sent a marketing email to other people around the same time with the exact same issues. We point out some of the problems in these messages below.
The email didn't come from Target.com
We recommend always checking the "from" address to verify who sent the email. Scammers frequently put the company's name in front of their own domain, hoping that recipients will see the company name and not realise the mail is coming from some other source. In Target's case, the mail came from TargetNews@target.bfi0.com.
Bfi0.com sounds iffy, but it's actually owned by marketing firm Epsilon. There is really no way for the average person to know this, though, because if you go to bfi0.com, you get a "Permission Denied" or "Forbidden" page. Even one red flag will make people suspicious.
People didn't know why they got the email
Many people who received the email were surprised because they said they'd not shopped at a Target store during the holiday season. This email notification went to people whose personal information the retailer had on file. Target could have retained that information from a purchase you made ages ago.
Other people who received the email claimed they'd never shopped at Target, online or in the stores. Based on conversations in various online forums and on Twitter, it appears Target may have obtained the email addresses from Amazon as part of an older partnership. The unsolicited email was the second red flag.
The email asked you to click on a link
The email instructed users to click on a link in order to obtain an activation code to sign up for the monitoring service. Considering that people are already feeling nervous about potential scams, asking users to click on the link may not have been the best move, especially since the message continues with a warning: "Don't click links within emails you don't recognise."
The situation was worse in the marketing email, according to Lyne. Users should make a habit of hovering over a link to see where a link will take them before clicking on it. In the marketing email, the link "looks incredibly dodgy," Lyne said.
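The two checks described above (the sender's real domain and where a link actually leads) can be automated. The following script is an added example, not code from the article or from Target: it parses a constructed message modelled on the notification, with the sender address as reported and a placeholder link, and reports anything not under the company's own registrable domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the notification described in the article.
# The sender address is the one the article reports; the link URL is a placeholder.
SAMPLE_EMAIL = """From: Target <TargetNews@target.bfi0.com>
To: guest@example.com
Subject: Important Notice
Content-Type: text/html

<p>Dear Target guest,</p>
<p>Click <a href="http://target.bfi0.com/activate?code=PLACEHOLDER">here</a> to activate.</p>
<p>Don't click links within emails you don't recognise.</p>
"""

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: target.bfi0.com -> bfi0.com.
    Simplification: production code should consult the public-suffix list
    so that names such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain(msg) -> str:
    """Domain part of the From: address, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def extract_links(msg):
    """Collect every href target from an HTML body (what hovering would reveal)."""
    body = msg.get_payload(decode=True).decode(errors="replace")
    return re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.IGNORECASE)

def red_flags(raw: str, expected_domain: str):
    """Warning signs the article describes: a sender whose registrable domain
    is not the company's, and links that lead somewhere else."""
    msg = message_from_string(raw)
    flags = []
    sd = sender_domain(msg)
    if registrable_domain(sd) != expected_domain:
        flags.append(f"sender domain {sd} is not under {expected_domain}")
    for url in extract_links(msg):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != expected_domain:
            flags.append(f"link host {host} is not under {expected_domain}")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EMAIL, "target.com"):
        print("RED FLAG:", flag)
```

Run against the sample, it reports both the sender and the link as outside target.com, which is exactly why recipients were wary; the same mail with target.com in both places produces no flags.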
Need to be vigilant
This isn't paranoia — there have already been "more than a dozen operations" out to scam victims over email, phone calls, and text messages, a Target spokesperson told Associated Press.
An example of a recent Target scam has the subject line, "Target: Get 25 Target Bucks For Your Opinion."
If you receive an email that you aren't sure is legitimate, go to the company's website and look for information there. There is no need to click on the links: just open up a browser and go directly to the company site.
Target has posted a copy of the email it sent customers as well as instructions on how to sign up for free credit monitoring on its website. Luxury retailer Neiman Marcus is also expected to post instructions for breach victims on its site sometime next week.