The compromise of 10s of millions of JPMorgan Chase accounts poses the greatest risk of phishing attacks on consumers and small businesses, experts say.
JPMorgan, the nation's largest bank, disclosed Thursday in a Securities and Exchange Commission filing that user contact information, including names, addresses, phone numbers and email addresses, had been stolen from its computer systems. The theft affected 76 million consumer accounts and 7 million small businesses.
While no credit card or bank account numbers were taken, the stolen information still poses a serious threat to the people and businesses affected, experts say. Criminals can use the account data in various scams aimed at tricking people into divulging payment card numbers, banking information and usernames and passwords to online accounts.
The hackers could use the stolen data themselves or just as likely sell it on underground marketplaces. With the information in hand, criminals could craft email to appear to come from Chase and ask recipients to click on a link to change their online banking credentials.
"I strongly expect to see a large increase in phishing email campaigns related to Chase banking services," Joshua Roback, architect for security-as-a-service provider SilverSky, said.
People familiar with cybersecurity would know that a bank would never request a password. However, such swindles are effective against people who are less familiar with Internet security.
"Any email that's perceived to be from Chase, they'll probably act upon it, because people are nervous. People are scared," Tom Gorup, security operations manager for Rook Consulting, said.
Not all the scams will happen online. People could receive a letter in the mail that looks like it's coming from Chase and asking the recipient to call an 800 number. Dialing the number could reach a person practiced in fooling people into disclosing sensitive information.
Crooks pretending to be from Chase could also call people affected by the breach early in the morning, when most people are still a bit groggy and more likely to provide personal information.
"Those types of attacks do work," Gorup said.
Some small businesses can be as gullible as consumers and therefore susceptible to the same types of scams. Phishing campaigns can be particularly effective, if targeted at specific individuals.
Small business owners often work hard and fast to stay alive in competitive markets, so a phone call from a scammer at the busiest time of the day might work.
"Any small business who is already a customer of JPMC should make sure all their employees are aware that the breach happened, and be specifically careful to make sure that anything that looks like communication from JPMC is actually from the bank," Mike Lloyd, chief technology officer for RedSeal Networks, said.
Sign up for CIO Asia eNewsletters.