They're spamming everyone, not just impacted customers

Jan 17, 2014 10:34 GMT

Target has started notifying tens of millions of its customers who had their personal and, in some cases, financial details compromised after cybercriminals gained access to the retailer’s systems. Security experts have criticized the email notifications sent out by Target.

Sophos experts say Target has sent out the same notification to both those who have had payment card details compromised and those who have had only names, email addresses and phone numbers compromised.

This has forced the company to come up with notifications that might be confusing for many individuals.

Furthermore, the alerts contain some bad advice: “Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.”

As Sophos’ Paul Ducklin highlights, there’s no point in asking the caller for a call-back number. If the caller is a scammer or a cybercriminal, they’ll probably give you their own number or website.

“Having an honest-looking local phone number doesn't mean the caller is an honest, local person; the same applies to website domain names,” Ducklin warns.

Experts from Cisco are also disappointed with Target’s notification campaign. That’s because the emails are being sent not only to impacted customers. Instead, the company has actually launched a spam run.

In fact, some of the retailer’s emails have been sent to Cisco’s spam traps.

“Target has recently notified several SpamCop spamtraps that their financial data was stolen. This is quite curious given that the SpamCop spamtraps never sign up to receive anything, never send mail, and certainly never shop at Target,” Cisco’s Jaeson Schultz explained.

Schultz also warns that such emails can become a source of inspiration for cybercriminals who send out phishing emails.