e-Mail Hacked? Changing Password is Not Enough!

A couple of days ago, a friend's e-mail address was compromised by scammers. They got access to her e-mail account and sent e-mails to her contacts (impersonating her) with the claim that she was stranded in foreign land and needed urgent financial aid. We discovered that the fraudsters had changed quite a few of her e-mail settings to make their scam keep working for them even after my friend would have changed her password! I learned quite a bit from the experience and I have a few (pre or post) cautionary measures to share.

If you suspect that your account has been hacked into, here are some tips that should be very useful (especially if you use Yahoo Mail).

  1.  Change your password! Luckily, many times, the hackers don't change your password in order to reduce your likelihood of suspicion. They know that if you're not able to log in, you're likely to contact your e-mail provider. The good scammers allow you to keep logging in, business-as-usual.
  2. Changing your password is not enough!. You need to be sure you're dealing with the right party every time you enter your personal information. With Yahoo, you ought to create a sign-in seal. My friend was deceived into thinking she was entering her password on a Yahoo site (by the way if Yahoo contacts you and says they will delete your account if you don't update your info, it's probably scammers in disguise). To create a sign-in seal, you need to go to your account info. Yahoo will prompt you to enter your password one more time in order to access your account info.

    This diagram above shows where you will create a sign-in seal (and also where you'll change your password). It could be either a phrase of text you'll recognize or an image stored on your device. The point of the seal is not for Yahoo to check whether it is you; rather, it's the other way round. Yahoo shows you the seal to show you that you're dealing with them and not a phishing site. The seal is applicable only on the device you're setting it on. You'll need to create a separate seal for your other devices.

  3. Check your alternate contact and verification info: Make sure that the scammers have not changed the address of the additional e-mails and personal contact info you gave your e-mail provider to be used in the event of your forgetting your password. This also applies to your security questions. A good e-mail provider will alert you if such changes have been made. Thus, experienced scammers may not bother with these changes; however, one is better safe than sorry.

  4. Check your recent log-in activity: Still under the account info, we were able to check that someone had logged in from another state in the US!

  5. Check that your sent messages are being saved: We noticed that the scammers had unchecked the  option to save a copy of sent messages in the owner's sent folder. This was so they could send numerous messages without the owner of the account noticing a thing.

  6. Change your 'Reply-to' address: This is one of the most important steps. We noticed that the scammers had changed the reply-to address to something that looked similar to the owner's address. For example "Hum" might be changed to "Hurn" which looks similar (especially with condensed e-mail fonts with wrong kerning). "Herbie" could be changed to "Herbia" and so forth. Yes, this means they create a new e-mail account for the purpose of receiving replies from your contacts. Yes, this means if your contacts reply the fraudulent mail, it goes to the scammers...even after you've 'taken back control' by changing your password!

  7. Check your filters: Just to be safe, make sure the scammers have not created a new filter. This is less likely, but you cannot be too safe.
  8. Check your e-mail trash bin. If you were able to change your password on time, you may have done it before the scammers were able to delete all the replies that actually made it to your inbox. These would be replies that came from people who didn't simply click 'reply' to the scam e-mail without checking that they were replying to the wrong address, or replies from people who created a fresh e-mail rather than click 'reply'. Either way, you may be lucky to recover some of the deleted mail in the trash. Transfer those to a new folder as soon as you can so you don't lose them (preferably not back to your inbox so as not to "lose those mails in the crowd").
  9. Still contact customer care. Still report the incident to your provider (and, I'll go as far as saying, the Police if possible). This list is not exhaustive so be vigilant and thorough. I welcome your suggestions, additions, and corrections. Good luck.

UPDATE 201306031034:
I should have mentioned that the sign-in seal is browser-specific since it is dependent on cookies. If you create a sign-in seal on a browser like Safari, it will be specific to Safari. You'll need to create another one for Opera or Chrome or Firefox. The sign-in seal is also user-account-specific, meaning if you have more than one user account (not actual users but the accounts) you'll need a different sign-in seal. If you have only one user account but many users (not an ideal scenario), then you'll have only one seal per browser. Meaning if your daughter logs you out of your Yahoo account so that she can log in, she'll see that same seal for that browser. Also, since the seal is dependent on cookies, if you are in a private browsing mode, there will be no seal.

Comments

Popular posts from this blog

My Alien Abduction Survival Story

Suggested Improvement to Facebook "Like"

Those Darned Calories