Email Hijack

A few weeks ago I got a strange couple of emails from one of our clients. Unlike the usual “Mugged in London” type of email scams, this one seemed more legitimate -- he requested an account balance so he could wire cash to make a real estate purchase.

It turns out that a hacker had gotten into this client’s email account, searched through the online address book, and found my email address (as his financial advisor); he then simply asked for money. I noticed the scam right away because the email was a bit out of character – but the grammar in the message wasn’t too bad, and the hacker even took the time to sign the email with the client’s nickname.

After quite a bit of hand-wringing, calls and text messages to and from the client, we determined that the hack was isolated to the email account which had a fairly weak password. Nevertheless, we took other precautions.

Top 5 Tips

Email hijacking and “social engineering” types of attacks are becoming more common as both companies and individuals put more of our personal information online. Here are my top 5 tips to building a defense against fraud:

• Use strong passwords (include upper/lower case letters and numbers), try to use different ones for each website.
  • There are people actively trying to hack your account with commonly used passwords like: "password", "12345678", "abc123", "password1", "baseball", etc. So this is the toughest, but most important tip to implement.
  • Here’s a fun mnemonic to create and remember a password: Think of a phrase, and use the first letter of each word. For example, “Mom always says, chew each bite 13 times” -- your password would be “Masceb13t”; or “Bank of America has $10 of my money” – “BoAh$10omm”.
• Create a separate second or third email account for backing up your address book (to warn contacts of a hack) and for password recovery.
  • Don’t use your “cloud” based email or account ID for anything important. A recent hack of wired editor Mat Honan’s Apple ID is an example of why this is a bad idea.
• Use a separate credit card only for online purchases, and track transactions closely.
  • Some might think this is overkill, but I like the idea of tracking purchases knowing where a card has physically been used.
• Use Anti-Virus/Malware software on your computers, and only use these "safe" computers for online transactions.
  • My favorites are Microsoft’s freely available for Anti-Virus, and MalwareBytes for Anti-Malware (free and paid versions available).
• Check your credit for errors regularly at https://www.annualcreditreport.com; and consider adding a “Security Freeze”on your credit to prevent unauthorized account opening in your name
  • Expect to pay a small one-time fee to freeze or unfreeze your credit. For example, Experian charges California residents $10.