Whenever a data breach occurs, the compromised company responsible for losing your data eventually reaches out to inform you that your sensitive personal information may have been exposed in some way. The message typically comes with assurances that the company values your privacy more than life itself, and cautions you to watch out for any phishing scams attackers might launch trying to appear as if they came from the company. And, that message usually comes…by email.
That standard response plays into the attacker's hands to some degree. The user becomes accustomed to receiving email from the company about the breach, so a follow-up message on the same subject raises no alarm. That opens the door for an attacker to send a convincing email that appears to be from the company and directs users to confirm their account details or change their password, in response to the breach, of course. The genuine notification and the phishing follow-up arrive through the same channel, carry the same premise, and often look the same, so the user has been primed to act on exactly the kind of message they were warned about.
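The practical problem is that a recipient has no obvious way to tell the genuine notification from the follow-up phish. The following Python script is an added example, not code from the original post, that applies the checks a mail filter or a careful recipient can apply to a breach notification: whether the From address is actually under the company's domain, whether the receiving server's DMARC result is a pass, and whether every link in the body points at the company's domain rather than a lookalike. The company domain (example.com), the two sample messages, and their Authentication-Results headers are all constructed for the example; the Authentication-Results header is only meaningful when your own receiving server added it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the breached company sends its notices from, and links to, this domain.
COMPANY_DOMAIN = "example.com"

LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.IGNORECASE)


def _domain_of(addr: str) -> str:
    """Lower-cased domain of an RFC 5322 address ('"Name" <user@host>'), or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain or a subdomain of it.
    A plain substring test would accept 'example.com.account-verify.net'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess_notification(raw: str, company_domain: str = COMPANY_DOMAIN) -> dict:
    """Return the From domain, DMARC result, off-domain links and a verdict for one message."""
    msg = message_from_string(raw)
    findings = []

    from_domain = _domain_of(msg.get("From"))
    if not _belongs_to(from_domain, company_domain):
        findings.append(f"From domain {from_domain!r} is not under {company_domain!r}")

    # DMARC result as recorded by the receiving MTA. A lookalike domain can pass DMARC
    # for itself, so a pass only says the sender controls the From domain, not that the
    # From domain is the company's.
    auth = msg.get("Authentication-Results", "")
    match = DMARC_RE.search(auth)
    dmarc_pass = bool(match and match.group(1).lower() == "pass")
    if not dmarc_pass:
        findings.append("DMARC did not pass (or no Authentication-Results header)")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", errors="replace")
    suspicious_links = sorted(
        {host for host in LINK_RE.findall(body) if not _belongs_to(host, company_domain)}
    )
    if suspicious_links:
        findings.append(f"links to off-domain hosts: {suspicious_links}")

    return {
        "from_domain": from_domain,
        "dmarc_pass": dmarc_pass,
        "suspicious_links": suspicious_links,
        "findings": findings,
        "verdict": "suspicious" if findings else "consistent",
    }


# Constructed sample: a notice that really comes from the company.
LEGIT = """\
Return-Path: <bounce@mail.example.com>
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=mail.example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Corp Security" <security@example.com>
To: customer@recipient.test
Subject: Notice of data security incident
Content-Type: text/plain; charset="utf-8"

We recently identified unauthorized access to some customer records.
Details are posted at https://www.example.com/incident-notice
Be cautious of emails claiming to be from us that ask for your password.
"""

# Constructed sample: the follow-up phish. Its lookalike domain passes DMARC for
# itself, and its link host merely starts with the company's domain.
PHISH = """\
Return-Path: <bounce@example-incident-response.com>
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=example-incident-response.com; dkim=pass header.d=example-incident-response.com; dmarc=pass header.from=example-incident-response.com
From: "Example Corp Security" <security@example-incident-response.com>
To: customer@recipient.test
Subject: ACTION REQUIRED: reset your password following the breach
Content-Type: text/plain; charset="utf-8"

Following the breach announced earlier this week, you must reset your password within 24 hours.
Reset it now: https://example.com.account-verify.net/reset
"""

if __name__ == "__main__":
    for label, raw in (("legitimate notice", LEGIT), ("follow-up phish", PHISH)):
        result = assess_notification(raw)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The two samples show why each check is needed on its own: the phish passes DMARC and would survive a substring match on the company's domain, and is caught only because the From domain and the link host are compared as whole domains against the expected one.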
I realize that email is fast and easy, and is probably the best and most efficient way for companies to notify affected customers. It just seems like a bit of hypocrisy to send an email from the company that tells users to watch out for emails that appear to be from the company.