What We Can Learn From Target's Post-hack Email

Posted by Omri Benhaim

Thu, Feb 06, 2014

In December I received a communication from a client asking if I could look into an email that their employees were receiving, claiming to be from the retailer Target and concerning the recent financial security breach. Many of the employees were either not sure what to do about the email, or claimed to have never shopped at any Target store and were not sure why they were receiving it in the first place.

After reviewing the forwarded email, it was clear why so many people were confused. Once Target admitted that there had been a security breach, experts and major news organizations such as CNN advised consumers to keep their guard up and be suspicious of any Target related scams in the wake of the breach.

Organizations such as BrandProtect know that the first hack is only the beginning of a series of scams that will play out over the coming months. Nick Stuparich, senior incident response analyst here at BrandProtect, explains: “Hackers will leverage consumers' concern and panic after an initial attack with secondary phishing and malware emails, as confusion and misinformation are usually highly present in the immediate aftermath.”

What made Target’s email look like a scam?

With 70 million customers affected and contacted, Target made a few errors with the emails that it sent out.

Many people had no idea why they received the email - As I heard from my client, many of her employees had not shopped at Target over the holidays or even in the last few years. Others claimed they hadn’t shopped at Target at all.

Target states that email addresses were taken from all customers’ information. It seems the emails to people who had never shopped at Target stemmed from a previous partnership Target had with Amazon.

The email was not sent from Target.com - The “from” field of Target’s email listed TargetNews@target.bfi0.com as the sender, which is a third-party email aggregator. I have seen many scam emails over the years, and this address would easily raise suspicion not only for private consumers but for industry professionals as well.


The email asked you to gather personal financial information and click on a link

When reading through the email you arrive at a section which asks for:

1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
2. Social Security number
3. Date of birth
4. If you have moved in the past five years, the addresses you have lived at over the prior five years
5. Proof of current address
6. A legible photocopy of a government-issued identification card

It then proceeds to ask you to click on a link and provide all of that data to the website it forwards you to. This practice is a typical form of phishing that hackers employ to trick you into clicking on links that may lead to malware or fake pages.

What to do when crafting a letter to your customers

  1. Do not send mass emails to all customers with the same information and subject lines. As Target learned, consumers will investigate whether they have shopped at that retailer recently and judge the legitimacy of the email solely on that basis. Target should have sent two batches of emails, tailoring one for customers who shopped over the holidays and one for customers who had not shopped at Target in months or years, or possibly not at all.
  2. Always send your emails from a recognizable corporate email address. Using an address such as Target@target.com would have limited consumer confusion about where the email originated and signaled legitimacy. Many email providers will also filter email addresses that look like spam, thus limiting the number of customers you will reach.
  3. Never ask your customers to click on a link unless absolutely needed. Most security experts will advise you to never click on links directly in an email, as the destination address can easily be manipulated to lead to malware. Advise your customers to type in a URL to visit your website manually, and if you must add a link, make sure your landing page has all security settings in place (https://, security seals, recognizable URLs).
  4. Acquire a partner such as BrandProtect to monitor for phishing, brand abuse and social media misuse in order to catch these post-hack scams before they reach your customers.
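As an added example (not part of the original post or BrandProtect's tooling), the following Python script applies points 2 and 3 above as a pre-send check on a customer notice: it flags a From address whose registered domain is not the brand's own, and any link whose host is off-brand. BRAND_DOMAIN and the sample message are assumptions constructed for this illustration; the sample mirrors the target.bfi0.com sender pattern described above.

```python
# Added example, not from the original post: a pre-send check for a customer
# notice (or a triage check on a received one). It flags a From address whose
# registered domain is not the brand's own, and any link whose host is off-brand.
# BRAND_DOMAIN and the sample message are constructed/assumed for this example.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAIN = "target.com"  # assumption: the brand's own domain

def registered_domain(host: str) -> str:
    """Last two labels of a hostname (naive: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_brand_host(host: str) -> bool:
    # "news.target.com" passes; "target.bfi0.com" fails because its registered
    # domain is "bfi0.com", even though the label "target" appears in it.
    return bool(host) and registered_domain(host) == BRAND_DOMAIN

def audit(raw: str) -> list:
    """Return findings for a raw RFC 822 message string (empty list = clean)."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not is_brand_host(sender_host):
        findings.append(f"sender domain {sender_host!r} is not under {BRAND_DOMAIN}")
    body = msg.get_payload()
    for href in re.findall(r'href="([^"]+)"', body):
        host = urlparse(href).hostname or ""
        if not is_brand_host(host):
            findings.append(f"link host {host!r} is not under {BRAND_DOMAIN}")
    return findings

# Constructed sample mirroring the sender pattern described in the post.
SAMPLE = """From: Target <TargetNews@target.bfi0.com>
Subject: Important notice
Content-Type: text/html

<p>Click <a href="https://target.bfi0.com/verify">here</a> to confirm.</p>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The registered-domain check is deliberately naive (two labels only); a production version would consult the public suffix list so that brands under suffixes such as co.uk are handled correctly.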

Most importantly, think like a consumer. Imagine you had received this email after being warned repeatedly to look out for scams involving your company, and consider how you would interpret all of the issues listed above.
