Another possibility is that hackers will use a combination of the Epsilon addresses and tax refund scams to try to break into corporate networks. Some security experts, for example, have said that the Epsilon breach will produce a spike in targeted attacks -- ones aimed at specific individuals -- using the addresses and names to craft convincing messages that get recipients to open a malicious file attachment or click on a malware-infected link.
That's how hackers beat the defenses of RSA Security last month, when an RSA employee opened an infected email attachment.
"The [fake] messages from the IRS or a bank may not even have money as their direct objective," said Cohen. "In the RSA attack, what they really wanted was corporate access. The attackers got through because an employee 'unjunked' an email and opened an attachment, which planted malware."
A message claiming that the recipient has a larger-than-expected refund coming would make a perfect vehicle for attacks based on the RSA model, Cohen argued.
"They're not always after bank info," he said. "These are smart guys. Whether it's tax-related or not, we'll be seeing the Epsilon email addresses being used."
Sign up for CIO Asia eNewsletters.