Not just any scam - this is an M&S scam

by Lovemoney Staff Rosalind Kent on 12 April 2011

Scams come in all shapes and sizes, but the latest has targeted shoppers at places like Marks & Spencer.

Last week Marks & Spencer contacted customers to inform them that their email addresses may have been stolen by hackers, and to expect an increase in spam mails. If you can’t trust a high profile, reputable company like Marks & Spencer to keep your data safe, just who can you trust?

Data theft is big business and it seems that no one, no matter how safe they think their systems are, is immune to it.

But is it a reason to stop shopping online and keep a low profile on the web? Or are there ways to protect your money and your identity in cyberspace?

How has it happened?

Marks & Spencer, along with a number of other high profile companies, uses a US marketing giant called Epsilon to send out marketing emails to millions of customers. Among Epsilon’s high profile clientele are Capital One, Tesco, Barclaycard, Hilton and Disney. Although details are sketchy, the company admits there has been an ‘unauthorised entry into their email system’ which has resulted in some customer emails and names being stolen.

Epsilon are assuring their clients that a full investigation is underway into what they are referring to as a ‘malicious act by highly sophisticated cyber-thieves’.

What is the risk to you?

The good news is that, apart from names and email addresses, no other personal information was hacked into. So, financial information, like credit card or account details, has not been put at risk in this instance.

However, the leaking of names and email addresses is expected to lead to an imaginatively titled ‘spear-phishing’ campaign. As you might guess, this is just like ‘phishing’, whereby criminals send official-looking emails to try to trick you into divulging personal information. The only difference is that it is more targeted (hence the ‘spear’) because they can personalise the emails to appear even more legitimate. The emails may also contain links encouraging customers to confirm their details, but these links will send them to bogus websites or infect their machine with a virus.

All very scary, but aren’t we all used to this type of ‘phishing’ scam? I am positively disappointed if I don’t get a daily friendly missive from my bank asking me to confirm my details (those forgetful bankers, always misplacing my account information!).

What are M&S doing about it?

Marks & Spencer are warning their customers that they might receive such emails, and to be on the alert.

The problem is that if you have signed up with Marks & Spencer and you receive convincing emails which are personally addressed to you, it is very easy to casually click on a link. Marks & Spencer stress that they ‘take your privacy very seriously’ and will ‘continue to work diligently to protect your personal information’.

But it is clear from this breach that any company can be vulnerable to attack. The onus is on you to protect yourself.

How can you protect yourself?

It is important that you take responsibility for your own online security, and there are plenty of ways to increase your safety when on the internet.

  • Beef up your online security. Install anti-virus software, such as Norton 360. When surfing, look for the closed padlock symbol in the status bar. Beware of ‘fake’ padlocks. Check you are on a valid site by clicking on the padlock icon in the status bar then clicking on View Certificates. If the certificate address differs, then you may be on a spoof site.
  • Beware of downloads. It is easy to absent-mindedly download information, by clicking on innocent looking pop-up advertisements or downloading a free game, but you risk being exposed to malicious software or viruses. Your anti-virus software should scan every download, but minimise your risk by never clicking on anything unless you know exactly what it is.
  • Don't respond to emails requesting personal information. This may seem obvious, but there are still lots of people who fall victim to ‘phishing’ scams, and raising awareness is the best way to combat it. These emails are getting ever more sophisticated, so if you are ever in doubt, pick up the phone and call the company yourself.
  • Use wireless connections with caution. Wireless networks, such as ‘hotspots’ in cafes or airports, do not offer the same security as wired internet connections. They actually reduce their security so it is easier for members of the public to access them, so it is probably unwise to do your banking or go online shopping in a ‘hotspot’.

Don’t let this security breach put you off online shopping or banking. There are so many deals and bargains to be had online and it is a shame to ignore them because of fear of hackers.

Follow the rules above to stay safe, and carry on enjoying bargain-hunting online!
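
The warning above that emailed links may lead to bogus websites can also be checked mechanically. The following is an added example, not part of the original article: it reads the HTML body of an email and lists every web link whose real destination is not a domain the recipient expects. The expected domain is the one named in a reader comment on this page and is an assumption; the sample message and the lookalike host in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; the expected domain is an assumption (see lead-in).
EXPECTED = ["marksandspencer.co.uk"]
SAMPLE_EMAIL = """
<a href="http://marksandspencer.co.uk.account-verify.example/login">www.marksandspencer.co.uk</a>
<a href="http://marksandspencer.co.uk@203.0.113.7/login">Confirm now</a>
<a href="https://www.marksandspencer.co.uk/offers">See our offers</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parts_of(url):
    """urlsplit() that yields an empty result instead of raising on bad input."""
    try:
        return urlsplit(url)
    except ValueError:
        return urlsplit("")


def host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_links(html_body, expected_domains):
    """Return [(href, [reasons])] for web links that should not be trusted."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto: and page anchors are out of scope here
        parts, reasons = parts_of(href), []
        host = (parts.hostname or "").lower()
        if not host_in(host, expected_domains):
            reasons.append("destination is not an expected domain")
        if re.fullmatch(r"[0-9.]+", host) or ":" in host:
            reasons.append("destination is a numeric IP address")
        if "@" in parts.netloc:
            reasons.append("real host is hidden behind user@host")
        # Link text that is itself an address should name the real host.
        shown = parts_of("//" + text.split("//")[-1]).hostname or ""
        if len(text.split()) == 1 and "." in shown and not host_in(host, [shown]):
            reasons.append("link text names " + shown)
        if reasons:
            findings.append((href, reasons))
    return findings
```

Calling `check_links(SAMPLE_EMAIL, EXPECTED)` reports the first two links and passes the third. The first link also shows why the whole host name has to be read to its end: it begins with the genuine domain but ends somewhere else.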

Comments (24)

  • Phyrefly
    Love rating 5
    Phyrefly said

    There is one very simple fix against bogus links, that most cautionary articles seem to ignore. And I know I'm a techy and hence know better, but really, it should be easy enough for everyone to do.

    When you hover your mouse over a link, it will show you (where depends on what mail app you use, if it's in a browser then it's usually down at the bottom of the window) where that link is going to. And once you click it, the address bar at the top of the browser shows you where you are. If M&S ask you to click a link and fill in your details, and you click that link and end up somewhere other than MarksandSpencer.co.uk - think twice about what you're doing!

    This is the only anti-phishing protection I use, and I have a 100% bait-spotting hit rate!

    12 April 2011  |  0 loves
  • JR2006
    Love rating 2
    JR2006 said

    Another way is to never click on a link - always type in the address direct - a bit more hassle but it is safer

    12 April 2011  |  0 loves
  • LastChip
    Love rating 92
    LastChip said

    When oh when are these idiot companies going to use encryption for sensitive databases?

    The technology has been available for years and yet year after year, we hear of these problems.

    12 April 2011  |  0 loves
  • onthecomputer
    Love rating 80
    onthecomputer said

    Never click on a link - always type it in and never ever give out any personal info - how many times does this have to be told to the idiots out there.. err.. I am your bank, I can't access your account what is your password, omg how stupid can one be!!!! HARSH yes but come on these people need telling!!!

    12 April 2011  |  1 love
  • wi-finance
    Love rating 2
    wi-finance said

    M&S, Play, Crucial - all 3 companies who tell us we are important, and allow you to sign up to NOT receive marketing emails and to not allow them to pass the details on to their associates.

    Also ALL 3 have recently had their email lists hacked/misappropriated/stolen (use whatever phrase you like).

    So if they don't take care with my information what recompense do I/should I have???

    12 April 2011  |  0 loves
  • sinden
    Love rating 4
    sinden said

    Phyrefly - 100% sensible and correct advice.

    Hover - check - question and - if in doubt - send it to the dustbin. Also, if you're not expecting to hear from XYZ company/bank/lottery/dead relative's representative in Nigeria - don't open it out of curiosity - DUSTBIN & DELETE.

    12 April 2011  |  1 love
  • finnol49
    Love rating 22
    finnol49 said

    I once bought a download game from a reputable site with the https & the padlock. My card details were not compromised, but half the information on my hard drive was deleted, including the game. It took me several months to recover all the lost data.

    12 April 2011  |  0 loves
  • wally144
    Love rating 26
    wally144 said

    Most email providers allow you to expand the headers. (In Yahoo mail, there is a link at the bottom of every email labelled 'Expand headers')

    Look for the originating IP, highlight it and copy it. Then open the website www.whatsmyip.org/iplocation and paste the IP into the box provided. The site will then tell you where the email came from. I regularly get phishing mail from Barclays Bank. The IP address invariably is located in China, or in one instance Kyrgyzstan! I'm pretty sure that Barclays doesn't contact its UK customers from either of these places. I forward all phishing emails to the banks concerned.

    12 April 2011  |  0 loves
  • xyon100
    Love rating 0
    xyon100 said

    Nobody needs to phish my bank details, they are freely available to all so they can send me money. The UK is the laughing stock of Europe on this subject.

    12 April 2011  |  0 loves
  • bengilda
    Love rating 77
    bengilda said

    I disagree with the advice to install Norton anti virus, once on your PC it is difficult to remove. There are many free and equally good anti virus programs such as AVG Free.

    12 April 2011  |  1 love
  • WILCO60
    Love rating 0
    WILCO60 said

    I was so cross with M&S I sent them the following snotagram- Still awaiting a reply for past two days:-

    "...your apology is worthless, the goons behind these security breaches are certainly not fools since having access to any number of Joe Public's legitimate mailboxes gives them the capability of using our mail servers to perpetrate any number of nasty scams: from phishing to sending keyloggers to unsuspecting recipients who open one of their links to capture keystrokes in an effort to unlock online accounts and any number of nasties...the fact that I have over >800 contacts in my Yahoo contacts folder means that these unscrupulous nitwits must feel they'd hit gold dust I'm sure...!

    ...I have sent out as many of these explanations as I could from examination of my sent folder but have obviously missed a few, as I am still receiving emails from my contacts asking what the hell's going on...!?#

    ...So,what exactly are you going to do about this...???"

    13 April 2011  |  0 loves
  • missflea
    Love rating 7
    missflea said

    I'm an M&S customer and I haven't been contacted by M&S about this so are not all M&S customers affected? Or have they just missed me out?

    13 April 2011  |  0 loves
  • diana6
    Love rating 3
    diana6 said

    bengilda

    I agree about Norton. It was installed on my machine and in the end I had to get the Geek Squad to remove it professionally. Even they said it was difficult. Now got AVG myself - the free version - and never had any problems. However, I am never fooled by these phishing sites and never, ever touch a link which is provided for me. I always Google my own subject and find another way to the site being advertised.

    By the way, can I just say that the Geek Squad are the very best. They have always sorted out any problems quickly and efficiently and I have never had a problem they haven't been able to solve. Generally no call out necessary - everything done remotely from their own offices. I think they are a bargain at around £7 per month. I would definitely recommend them for all those who are not really up to speed with computer speak and who are not particularly computer savvy on how things work.

    13 April 2011  |  0 loves
  • msharif911
    Love rating 3
    msharif911 said

    What a bunch of idiots these companies are? They can't keep basic information safe, yet after a breach have the gall to tell us they value our privacy......

    I'd be less angry if they simply apologised and said it was another company they use.

    13 April 2011  |  0 loves
  • Steviebaby1959
    Love rating 28
    Steviebaby1959 said

    It amazes me that folks still apparently only have 1 e-mail address with ALL their contacts in ??

    I shop on-line fairly regularly, but, opened additional e-mail addresses explicitly for this reason, so, whenever I give my card details out for purchasing anything, I ensure companies/organisations get my ''special'' e-mail address for confirmation of purchases, Paypal receipts, etc, so, if the worst happened and an e-mail address was hacked into, there's only little old me in there, no personal contacts.

    If you use legitimate e-mail providers you can have as many personal e-mails as you want, when I was younger I had 8 up and running and used Snow White and the seven dwarves names as passwords, as long as I remembered which name went on which e-mail address I was fine. I suggest folks differentiate between friends and family and shopping on-line and set up separate e-mails with their credit card details on, I don't trust any company now from the security breaches we hear about these days from a few ''reputable'' companies, it makes you think what else is being cyber stolen. I also change the number of my credit card and home address online that these people have from me, so, if any unscrupulous characters get hold of it, they don't get very far. I change it back when I go shopping, of course.

    And as has already been mentioned, these organisations 'promise' not to give your personal details away, absolute bull, it's about time that these companies were made to stop these personal marketing procedures, we see enough on-line advertisements everywhere we go as it is, all ones targeted towards me get deleted from my inbox immediately anyway, and these folks actually 'sell' your details between each other, just a minute, that's my e-mail address, where's my commission in all this, and I presume that if your e-mail is on Hotmail, Yahoo, or, Orange, do they get a cut as well ??

    13 April 2011  |  0 loves
  • pansypotter
    Love rating 1
    pansypotter said

    What a ridiculous, sensationalist, unfair title Rosalind Kent!

    What dictionaries say about scam:

    1. A ploy by a shyster to raise money.

    2. A fraudulent business scheme. To scam means to victimize: deprive of by deceit; "He swindled me out of my inheritance"; "She defrauded the customers who trusted her"; "the cashier gypped me when he gave me too little change"

    3. A confidence trick, confidence game, or con for short (also known as a scam) is an attempt to intentionally mislead a person or persons (known as the mark) usually with the goal of financial or other gain. The confidence trickster, con man, scam artist or con artist often works with an accomplice called the shill, who tries to encourage the mark by pretending to believe the trickster.

    It's not an M&S SCAM, it's an M&S ERROR, those who have stolen the information are thieves and POTENTIAL 'scammers.'

    Ms Kent, it's very important to get your facts straight and know the correct meaning of words and phrases if you are to be a journalist of any worth.

    No...I do not work for M&S, (I don't even shop there,) I'm just fed up with the ridiculous, sensationalist and in this case, INACCURATE headlines on this sight. Do your writers think that we're all thick?

    13 April 2011  |  1 love
  • ladymissfear
    Love rating 1
    ladymissfear said

    WILCO60,

    What precisely is going on with your email account? You say " I am still receiving emails from my contacts asking what the hell's going on..." Do you mean your account is sending unauthorised emails (spam) to your contacts? If this is the case your computer may have a virus or your email account may have been hacked. Neither of these will have happened directly from M&S losing your email address - you must have clicked on a bad link/downloaded something unwittingly/used a really obvious password on your account. Do a virus check on your PC now and change your email account password. Knowing someone's email address does not give anyone the "capability of using (their) mail servers to perpetrate any number of nasty scams", they would need to have access to the account first and that is where you and your security procedures come in. It's like living in a block of flats - it is the building owner's responsibility to keep the main door in working order, it is your responsibility to keep the door to your flat in working order. If someone breaks in downstairs and then steals all your stuff you can't blame the building owner when you left the door to your flat wide open!!

    13 April 2011  |  0 loves
  • gola
    Love rating 4
    gola said

    " If the certificate address differs, then you may be on a spoof site. " Differs from what? If you mean differs from the genuine certificate, how can you find the genuine one?

    13 April 2011  |  0 loves
  • alol
    Love rating 3
    alol said

    use linux, forget Micro$oft. Ubuntu is extremely user-friendly. Viruses would be the thing of the past for you then.

    13 April 2011  |  0 loves
  • Rosalind Kent
    Love rating 1
    Rosalind Kent said

    Thanks for all your comments on this article.

    gola - sorry if that statement is a little confusing. When you click on the Padlock on (for example) Barclays online login page, you will see View Certificates. If you click on this and look at the General Certificate information you will see the internet address of the website issuer. If it does not say ibank.barclays.co.uk and instead shows an issuer address that you do not recognise, then you could be on a spoof site.

    pansypotter - "Ms Kent, it's very important to get your facts straight and know the correct meaning of words and phrases if you are to be a journalist of any worth."

    With regard to your comments, the site editors chose the title, and the scam referred to is the 'phishing' scam. The article makes clear that M&S, through their loss of customer data, have opened customers up to the possibility of being targeted by scammers.

    Thank you,

    Rosalind

    14 April 2011  |  0 loves
  • LastChip
    Love rating 92
    LastChip said

    alol: "use linux, forget Micro$oft. Ubuntu is extremely user-friendly. Viruses would be the thing of the past for you then."

    That statement is more or less true.

    I am a Linux (so called) power user and would not claim Viruses would be a thing of the past. It is true to say, most of us do not find it necessary to use anti-virus software. It is also true, whereas Microsoft is fighting a constant battle against viruses and malware in all its forms, Linux does not suffer to any perceivable degree. That is not to say, we should ever let our guard down.

    However, I would want readers to note a couple of things;

    first: Linux does have proof of concept viruses written to test its vulnerability (or not). They (as far as I'm aware) are not generally a threat to anyone and I've never heard of anyone becoming infected. Linux by design, is extremely resilient to that sort of attack.

    second: the article referred to phishing. That is not platform dependent, and it's just as conceivable for someone using Linux to become a victim of a phishing attack, as anyone else. Remember, phishing is generally via email, sending you to a fake site, which then lures you into taking an action that you believe to be acceptable. Therefore, more often than not, it is a browser based attack. Some browsers are better than others in detecting false sites, but are only as good as the databases they rely on.

    In conclusion, I believe Linux is a far superior platform when compared to Microsoft, but never ever take it for granted.

    14 April 2011  |  0 loves
  • Mars Express
    Love rating 12
    Mars Express said

    Rosalind Kent writes:

    The good news is that, apart from names and email addresses, no other personal information was hacked into. So, financial information, like credit card or account details, has not been put at risk in this instance.

    How do you know? We have Marks & Spencers' word only: Epsilon may not have revealed the whole truth?

    14 April 2011  |  0 loves
  • Abu Ella
    Love rating 3
    Abu Ella said

    Hilariously over agressive (and dare I say sensationalist) response from Pansypotter! Instead of banging on about dictionary definitions, why not try reading the content of the (rather well written I thought) article.

    p.s. while you have your dictionary to hand why not look up the correct spelling of "site".....

    15 April 2011  |  0 loves
  • pansypotter
    Love rating 1
    pansypotter said

    Abu Ella,

    I simply claimed that the TITLE of this article was 100% inaccurate and mis-leading as there was no scam at all on the part of M & S. What is the point of a well-written article if the title is slanderous? I made no comment on the article itself; only the title.

    As for your sarcastic comment about, 'having my dictionary to hand,' - yes, guilty as charged...a simple semantic overSIGHT I'm afraid... perhaps you would like to shoot me at a suitable SITE? Or maybe have a look in your own dictionary under the 'a' section as last time I looked 'aggressive' had two g's!

    04 June 2011  |  0 loves
