It didn't take long for victims of the Anthem hack to start experiencing problems.
Anthem warned consumers Friday to be aware of scam email campaigns targeting current and former customers of the insurance company. The emails encourage recipients to click a link for credit monitoring services. "These emails are NOT from Anthem," the insurance company said in the statement. Nor, it said, is Anthem calling members about the attack.
The insurance company announced Wednesday that its database had been hacked, exposing personal data in as many as 80 million records of current and former customers and employees. The information accessed includes names, birthdays, Social Security numbers, street addresses, email addresses and employment information, including income data, according to the company. There is currently no evidence that financial or medical information was compromised, Kristin Binns, a vice president for Anthem, said in a statement.
But there's still a treasure trove of information, Tom Gorup, security operations center manager for Rook Security, told CNBC.com earlier this week. It's enough to commit identity theft, or bypass security questions to lock you out of existing accounts. And the risk isn't short term, like when a credit card number is stolen. "Just because the attacker stole the data today doesn't mean they'll sell it tomorrow," he said. "They could sit on this information for years."
The breadth of data stolen also makes phishing attacks like the ones already underway riskier, said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. Not only does it allow thieves to target consumers by their income or employer, but they could also craft very detailed, personalized missives. "Whereas someone who might be vigilant about a general email, if they get one that's very targeted to them, they're less likely to be aware that it might be a phishing email," he said.
Advice for recipients is simple: Don't click on any links, open attachments or respond to the email sender's calls to action in any way. Anthem says it will be contacting affected individuals by regular mail delivered by the U.S. Postal Service with specific information regarding how to sign up for credit monitoring. The company has also set up AnthemFacts.com with details about the hack.
If you're not sure a missive is legit, use channels of communication that you know to be correct, said Stephens. That might mean calling a customer service line on your insurance card, or directly typing Anthem's site into your web browser.
Victims of the attack should also take other steps to protect themselves, including monitoring their accounts for signs of fraud and placing fraud reports on their accounts with each of the three major credit reporting bureaus.