Since the beginning of 2020, the Federal Trade Commission reports that there have been more than 150,000 fraud, phishing scams, and identity theft occurrences. Security experts, Risk Based Security, see various schemes emerging to take advantage of people’s vulnerability due to COVID-19. Examples include phishing emails referring to urgent pandemic updates, robocalls from the Department of Public Health, texts related to unemployment claims, and of course email hacks. Like most experts, Risk Based Security anticipates that the incidence of fraud will continue to escalate.
For the past six years, I have written and spoken extensively about getting one’s financial house in order. Passwords, security, and identity theft protection are all topics that I address.
I am well versed in the subject, but despite this I discovered that my personal email was hacked a few weeks ago. Data breaches are unfortunately common – we have all seen the headlines. As surprised as I was that this happened, I was equally surprised at how little help I received from my provider to address the issue. While I took some steps right away, there were also others that I wish I had known about sooner. I wanted to share what I learned in hopes of helping others.
Discovering the Hack and Initial Steps
It all started when I received the dreaded text message …”I received a strange email from you”… My friend shared a copy of the fraudulent email content.
Within minutes, I received notifications from dozens of friends, through email, text, DMs, and phone calls. Whether it was someone from one of my two non-profit boards, parents of my kids’ former teammates or classmates, members of my book club or old paddle tennis teams, friends from high school, college, or the neighborhood, I heard from a lot of people on my contact list. I appreciate everyone looking out for me.
After I took a deep breath, my first thought was, “what should I do now?” Fortunately, a neighbor who helps me with IT consulting texted me as soon as he received the fraudulent email. He walked me through the first steps:
- Update your password on your email account.
- Let friends know you have been hacked and tell them not to open any attachments.
- Scan your computer and smartphone with security software.
- Report the hack to your email provider.
Email Account Fixes
I was apprehensive about sending emails from my hacked email account, so I posted a message on Facebook. I figured it was the fastest and most efficient way to let friends know about the suspicious activity.
In addition to changing my email password and making sure it was both strong and unique, I looked at my security questions. Consider revising them. People often “overshare” on social media and give away answers to common security questions.
Additional Security Measures
I have used a password manager service for years and appreciate the convenience and added security. When my email was hacked, it was helpful to have my key passwords accessible and organized. In addition to changing my email password, I changed the passwords for my financial accounts.
Even though my bank accounts and credit cards seemed unaffected, I still filed a fraud alert with one of the three major credit card bureaus. I was relieved to learn that when you report a fraud alert with one of the three credit bureaus – Equifax, Experian, and Trans Union – the other two are automatically notified. This a big timesaver during a stressful period.
Think of everything tied to your email. Since I access my email on my laptop and on my phone, I wanted to be extra careful. You could have malware on your devices. Make sure that your security protections are current.
Although you may be tempted to run a quick antivirus or malware scan, make sure to run a full scan. In my case, a quick antivirus software scan looked at less than 12,000 files, where a complete antivirus program scan looked at over 1 million.
What I Wish I Had Known Earlier
The biggest surprise related to my email settings. It is essential to check the following settings right away, regardless if you use Gmail, Yahoo, AOL, or any other free or paid email provider.
Auto Forward
When the hacker emailed my family and my friends asking, “for a favor,” he/she asked them to reply to a different email address. For several hours after discovering the hack, I thought it was odd that I did not receive a single email. Later that day, I realized that the scammer also changed my settings to forward all incoming email to that same fraudulent reply email address. As a precaution, I removed the fraudulent email from the forwarding instructions and inputted my work email. Once I did, I started receiving personal emails again through my professional email. I had called my email provider fraud team several times on the day of my hack, and no one ever mentioned that I should check my settings.
Mail Filter Rules
After a few days, I decided to remove the forwarding to my professional email. Soon after, I noticed that I was not receiving any emails. I called my email provider once again. Finally, I received some helpful advice, and they walked me through what was happening. In addition to forwarding my incoming emails to the fraudulent email, the hacker had installed a mail filter rule. If anyone sent me an email containing a period or “.”, it would be transferred into spam and automatically deleted. Since almost every email has a “.com,” “.net,” “.edu,” etc. extension, his/her intention was to delete all incoming emails.
As a result, this rule would prevent anyone from contacting me to let me know that I was hacked. Fortunately, when I initially changed the forwarding to my professional email, this condition overrode the mail filter rule. Once I removed the forwarding, the second level fraud kicked in.
One Final Thought
While I have learned a great deal since discovering the hack, there is still one lingering question – how did it happen? I pride myself on being cautious and protecting my personal information. Like many others, I believe that I was preoccupied with COVID, the economy, my work, etc. and let my guard down. I may never figure out what happened. This experience, however, does reinforce my fundamental belief that simplicity is powerful. With so many accounts and passwords, it is easier to be distracted and become vulnerable.
If you want to learn more about how to get started managing your financial life, see our collection of Get Organized posts.