Target, a retail chain in the United States, is the company whose security was breached recently in a fairly massive theft of account information from their customers. Unfortunately, this gets really complicated really quickly. Compromised companies like Target try to do the right thing for their customers, but of course there’s always somebody who wants to come along and take further advantage of the situation.
Stolen credit card information
I’ll use Target as my example, although there have been other companies who’ve suffered similar issues since then. The security breach happened during the 2013 holiday season. Their point of sale terminals apparently were somehow hacked, and customer credit card information, sometimes quite complete, was stolen and then resold or reused by hackers.
So the scenario is like this: Target had their database or their point of sale terminal hacked. Some large number of customer records were copied. This information included a combination of things like credit card numbers, perhaps even PINs, addresses, names and much more. So now, hackers have some millions of credit card numbers that they can then go out and start using. Or, as is more typically the case, the hackers actually start selling these credit card numbers to others, who then in turn use them and rack up fraudulent charges.
The wrong thing, followed by the right thing
Target did the wrong thing of course in not being secure and allowing the breach in the first place.
However, they’re doing the right thing by offering at least a year of free credit monitoring from one of the larger credit bureaus to victims of the attack. Target contacted all of their customers who’ve been affected with this offer, either by snail mail or email, or some kind of combination thereof. And as I said, all’s well and good so far.
Target’s doing the right thing, trying to recover from this breach.
Trust me, I’m from Target
Now, another wave of hackers came along. What do they do? Well, they send out spam that looks like it came from Target, claiming that your card was part of the breach. They make you an offer of free credit monitoring, and direct you to a website to sign up, where the sign-up requires your personal information, perhaps including your social security number.
The problem is that this is spam. Or more accurately, it’s a phishing attack based on the news: that sign-up site is completely bogus. Rather than doing something to protect yourself, you’ve just given away your personal information to a hacker.
So, there are legitimate emails from Target with a legitimate offer. But there are also bogus emails from phishing hackers that look like they’re from Target but are not. How do you tell the difference?
Don’t click that link
This is one of those cases where you never, ever click on links in the email. It’s just too risky.
If the email contains a link that looks like it’s on the company’s corporate domain, for example, then instead of clicking or even copy/pasting, just type that URL into your browser. If you’re not certain, just go to the corporate domain yourself (target.com in this case): type it in and look for information about the breach.
If you’re still not certain, go to the corporate website. Again, type it in by hand and look for the customer service numbers or contact information and initiate a conversation that way.
Unfortunately, it’s just too risky to actually click on the links in the email that looks like it’s from the affected company.
Ultimately, I do believe that it’s probably worth taking Target up on the offer of free credit monitoring if you know that your credit card was in fact compromised during the breach, but it’s critical that you don’t get fooled in the process.