Over the weekend someone breached Epsilon, a major security firm, and got the email addresses of clients at several large companies including JPMorgan Chase, Walgreens, and Capital One. As my BNET colleague Erik Sherman notes, you've probably started receiving emails from companies telling you about the breach.
However, how do you know the emails from the companies are actually legit? The irony is that the very same hackers the companies are warning you about could be using your email address to send so-called phishing emails to get your personal information.
Here are five ways you can avoid phishing scams:
- Go to the actual company website: If you receive an email, type the company's actual web address directly into your web browser instead of clicking a link. Phishing emails have links that look like they would go to the website, but actually send you to a fake one.
- On the actual website, look for a notice: When a security breach happens, nearly all websites post a front-page notice in addition to sending an email. For instance, as of today, Chase.com has a front-page warning for all customers.
- Avoid giving personal information: Legit companies rarely, if ever, ask for personal information within the context of an email. On the other hand, phishing emails often use threats, like "We will shut down your account if you don't log in," to fool you into giving up your username/password.
- Downloads are never necessary: During an email breach, a company would never ask you to download a piece of software to protect your account. Phishers want you to download their software so their program can scan your computer, track your keystrokes, or carry out another nefarious plan.
- Look for mistakes: The most obvious way to spot a phishing email is to look for grammatical and visual mistakes. Note any misspelled words or off-looking icons. Companies have whole departments dedicated to customer communications, so you can bet that they would not send out an email with errors. A phishing email would not have the same standard.