How to prevent your email being hacked

For financial professionals only

In her most recent article, our Head of Cyber & Resilience Sarah Coles puts the spotlight on how to avoid having your email hacked - and how to limit the damage it can cause.

A familiar story

A friend recently came to me asking for help after his email account had been hacked.

He runs his own business, and relies heavily on being able to email clients. After leaving his desk for a brief meeting, he returned to find multiple email notifications saying things like 'your email password has been changed', 'your recovery email and phone number has been updated', and 'your trusted devices have been removed'.

Within 5 minutes, his account had been hacked and he'd been completely locked out of his business email account.

And so, the nightmare of trying to regain access began.

The email notifications included 'if this wasn't you, a malicious user has access to your account. Please review recent activity and we'll help you secure your account'.

However, when following the link to review the activity, he landed on a login page. No longer knowing the password, he was taken down the 'forgotten password' route, which showed a recovery email and phone number he didn't recognise, presumably belonging to the hacker.

The only option left was to submit a 'recover your account' form, which requests limited personal information and these two key questions:

  1. Provide other passwords you've used in the past for this account
  2. Provide the date you created this account.

Having had the account for years, he had no idea of the creation date, or any of his historic passwords. The dreaded automated response came back a moment later - 'our automated system has determined the information you provided is not sufficient for us to validate your account ownership'.

After a week of trying to remember creation dates and/or passwords with no luck, we resigned ourselves to the fact that the account was irretrievable. Reluctantly, he set up a new email address and began the painful process of starting all over again, while trying to limit any further damage the hacker might cause. 

Sadly, this isn't an unusual situation. Hacking offences more than doubled in the year ending March 2022 compared to the previous year. This included victims' details being compromised via large-scale data breaches, and victims' email or social media accounts being compromised [1].

What do hackers do with access to your emails?

A hacked email account can lead to identity theft, financial losses, personal and professional relationship damage and a great deal of stress. 

If a hacker gains access to your email account, they could:

  • Completely lock you out of your account by changing all recovery information and removing trusted devices
  • Access other accounts by resetting passwords linked to your email address (e.g. social media accounts, financial platform)
  • Impersonate you to trick friends/family/colleagues into falling for scams (e.g., promoting bogus investments), or request that money be sent to a PayPal account appearing to belong to you
  • Use your information for identity theft
  • Access private information such as contacts, documents or photos linked to the account (e.g. by viewing OneDrive)
  • Ask you for a ransom (i.e., money) to get your account back, or threaten to send photos/files to family/friends/colleagues
  • Delete your account altogether

What should you do if your email is hacked?

Knowing how to respond is crucial to limiting the damage a hacker can cause:

  • Act quickly to secure accounts linked to the hacked email address
    • Log into these accounts and change the email address - this prevents the hacker from using the 'forgotten password' route to receive password reset links at the hacked email account
  • Change passwords for accounts using the same login credentials immediately – you could use a password manager to help you create strong, unique passwords
  • Set up multi-factor authentication (MFA) on systems linked to the hacked email account wherever possible.
    • Even if the hacker has the account password, with MFA enabled they won't be able to gain access without the second factor.
  • Let your friends, family, and colleagues know, and advise them to be cautious of potential phishing emails or scams using your account
  • Closely monitor bank accounts for suspicious transactions or changes
  • Be vigilant to phishing texts or phone calls
    • The hacker has a wealth of information they can now use against you - they could impersonate a fraud protection team wanting to help, which you're more likely to believe during this time.

How can you prevent your email being hacked?

  • One of the most important steps to take to improve your online security is to set up MFA, particularly for high-risk accounts such as email, financial platforms, and social media.
  • Get notified when your information has been sold or published online through a data breach, with help from haveibeenpwned.
  • Don't reuse passwords - a breach at one site can compromise multiple accounts.
  • Use a password manager, such as Dashlane, KeePass or 1Password, to help generate and store strong, unique passwords for each account.
  • Watch out for phishing by staying informed on the latest threats and common hacking techniques
  • Back up your information: determine the key information (e.g., contacts, stored documents) and download your data regularly. If your account's taken over, you can easily import your information into another email account.
  • Review account activity from time to time, looking at your trusted devices, auto-forwarding rules, and recent login locations.
  • Keep up to date with software updates.
  • Be careful when using Wi-Fi hotspots. Don't connect to public Wi-Fi - and if you must, don't log in to any accounts, as your credentials can be seen by a malicious user on the same network.
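The "review account activity" item above is the one most people skip because it means reading through rule and sign-in lists by hand. The following script, added here as an illustration and not part of the original article, checks a mailbox rules export and a sign-in history for the two tell-tale signs described in this article: rules that forward mail outside your own domain (especially ones that also delete the message) and sign-ins from an unfamiliar country or device. The record layout, the domain example.co.uk and the sample data are all constructed; adapt the loaders to whatever your email provider exports.

```python
"""Audit mailbox rules and sign-in history for signs of account takeover.

Added example, not from the original article. Record formats are
constructed for illustration; map your provider's export onto them.
"""

OWN_DOMAIN = "example.co.uk"  # assumption: the business's own mail domain


def external_forwarding_rules(rules):
    """Return (rule name, external targets, deletes copy?) for every rule
    that forwards or redirects mail to an address outside OWN_DOMAIN."""
    flagged = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets
                    if not t.lower().endswith("@" + OWN_DOMAIN)]
        if external:
            # A rule that forwards AND deletes hides the theft from the owner.
            flagged.append((rule["name"], external,
                            bool(rule.get("delete_message", False))))
    return flagged


def unfamiliar_sign_ins(events, known_pairs):
    """Return sign-in events whose (country, device) pair the user has
    never used before, per the known_pairs set maintained by the owner."""
    return [e for e in events
            if (e["country"], e["device"]) not in known_pairs]


# Constructed sample data: one legitimate rule, one hidden forwarding rule
# (attackers often give such rules a near-empty name), and two sign-ins.
SAMPLE_RULES = [
    {"name": "Receipts", "forward_to": [], "redirect_to": [],
     "delete_message": False},
    {"name": ".", "forward_to": ["drop@freemail-example.net"],
     "redirect_to": [], "delete_message": True},
]
SAMPLE_EVENTS = [
    {"when": "2023-03-01T09:02", "country": "GB", "device": "Windows laptop"},
    {"when": "2023-03-01T09:15", "country": "ZZ", "device": "Unknown browser"},
]
KNOWN_PAIRS = {("GB", "Windows laptop"), ("GB", "iPhone")}

if __name__ == "__main__":
    for name, targets, deletes in external_forwarding_rules(SAMPLE_RULES):
        print(f"Forwarding rule {name!r} -> {targets} (deletes copy: {deletes})")
    for e in unfamiliar_sign_ins(SAMPLE_EVENTS, KNOWN_PAIRS):
        print(f"Unfamiliar sign-in at {e['when']}: {e['country']}, {e['device']}")
```

Anything the script flags is a prompt to check the account immediately and remove the rule or device, not proof of compromise on its own.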

[1] Fraud and data misuse data

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.
