How can you keep this from happening to you? Hackers steal your identity by intercepting your email password, go into your email account, steal your entire address book as well as your signature, and send a bogus email to your list. They program it so that any replies come to them and not to you. The bogus email is requesting money. It seems so real because they have signed it with your very name. Your friends get worried about you and some even do send money, sometimes thousands of dollars, to the hackers.
Here is a case study, along with possible ways to protect your friends and yourself.
First, here is the bogus email I received from the email address of a trusted friend. I knew it was bogus because I was in close contact with her and knew that she had not left the U.S. To protect my friend’s privacy, I will call her “Jane Doe.” The email was addressed to me and cc’d to “undisclosed-recipients.” The subject line read, “Trouble.”
Apologies for having to reach out to you like this, but I made a quick trip two days ago, to London, United Kingdom and had my bag stolen from me with my passport and credit cards in it. The embassy is willing to help by authorizing me to fly without my passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately, I can’t have access to funds without my credit card, I’ve made contact with my bank but they need more time to come up with a new one. I was thinking of asking you to lend me some quick funds that I can give back as soon as I get in. I really need to be on the next available flight.
I can forward you details on how you can get money to me. You can reach me via email firstname.lastname@example.org or hotel’s desk phone, +447045749898
waiting for response.
A similar email came from the slightly altered email address of another trusted friend. It read:
Date: Tuesday, February 22, 2011, 8:58 AM
This message may be coming to you as a surprise but I need your help. Few days back we made an unannounced vacation trip to London,UK. Everything was going fine until last night when we got mugged on our way back to the hotel, all cash and credit card were stolen off us but luckily for us we still have our passports with us.
I’ve been to the Embassy and the Police here but they’re not helping issues at all they asked us to wait for 3 weeks but we can’t wait till then and our flight leaves in few hours from now but we’re having problems settling the hotel bills and the hotel manager won’t let us leave until we settle the hotel bills, we are freaked out at the moment … I really need your financially assistance Please let me know if you can help us out?
you can wire the money to me through western union all you need is the Name on my passport and location below.
Name:(name of my trusted friend)
Location:7 Albemarle Street, London W1S 4HQ, United Kingdom
I’ll def refund your cash as soon as i get home.
Talk to you soon Love, (name of my trusted friend)
When I replied to the email to warn Jane that someone was sending fraudulent emails from her account, I noticed that my reply was sent NOT to Jane Doe’s real email address, but to email@example.com. This worried me, so I sent a warning email to my entire list to be careful if they received an email from me that requested money.
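The mismatch described above can be checked mechanically before you hit Reply. The following is an added example, not part of the original article: it parses a message's headers and warns when replies would go somewhere other than the sender, or when an address is a near-copy of a known contact. The sample messages, the address book and the function name `header_findings` are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed samples; all addresses are placeholders, not the real ones.
HIJACK_SAMPLE = """\
From: Jane Doe <jane.doe@example.org>
Reply-To: Jane Doe <jane.d0e@example.org>
To: friend@example.org
Subject: Trouble

Apologies for having to reach out to you like this...
"""
CLEAN_SAMPLE = """\
From: Jane Doe <jane.doe@example.org>
To: friend@example.org
Subject: Lunch on Friday?

See you at noon.
"""
ADDRESS_BOOK = {"jane.doe@example.org"}  # hypothetical known contacts

def header_findings(raw, address_book, threshold=0.85):
    """Return warnings about where replies to this message would really go."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    findings = []
    for addr in reply_to:
        if addr != sender:
            findings.append(f"replies go to {addr}, not to sender {sender}")
    # A near-match to a known contact is more suspicious than a stranger.
    for addr in sorted({sender, *reply_to} - set(address_book) - {""}):
        for known in sorted(address_book):
            if SequenceMatcher(None, addr, known).ratio() >= threshold:
                findings.append(f"{addr} looks like contact {known} but is not")
    return findings

if __name__ == "__main__":
    for line in header_findings(HIJACK_SAMPLE, ADDRESS_BOOK):
        print("WARNING:", line)
```

A message that passes this check can still come from a hijacked account, so a request for money should be confirmed by phone or another channel.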
Here are some replies I received that shed light on the scope of this problem and offer some possible solutions:
“This mail hijack business is becoming quite common and impacts many people who use web-based email services like yahoo and gmail where they connect to a web site using regular http rather than https to save and read mail. I guess people will have to learn about these things whether they like it or not. One way or another, an attacker gets your yahoo or gmail password, sends stuff to your contact list, and intercepts the replies. The most common ways seem to be interception of the user’s traffic on a public wifi spot or internet cafe; the other is some website tricking you into entering your account info and password.
“Anyway we haven’t seen any suspicious traffic from your address but will be on the lookout.”
Another person replied with this experience:
“This is a very common scam. It happened to me. My service provider sbcglobal was no big help. They said to change my password. The hacker stole my address book and sent this to all my addresses:
“‘I’m writing this with tears in my eyes,my fam and I came down here to London,United Kingdom for a short vacation unfortunately we were mugged at the park of the hotel where we stayed,all cash,credit card and cell were stolen off us but luckily for us we still have our passports with us.We’ve been to the embassy and the Police here but they’re not helping issues at all and our flight leaves today but we’re having problems settling the hotel bills, and the hotel manager won’t let us leave until we settle the bills,I’m freaked out at the moment.wondering if you could help us with a quick loan,we can pay you back in a couple of days once we get home.i promise.’
“Unfortunately, hacking is an international enterprise. Not sure about using an anti-virus program.”
What happened to Jane when her email was invaded, spammed, hacked?
Besides sending the fraudulent “Trouble” email to every single person in her Contacts folder, the “wire” that was planted in her computer wiped out ALL her contacts along with all sent and received email messages.
Sadly, one friend of Jane’s sent $2,500 via Western Union to the hackers. Jane felt so bad about being a conduit for problems.
For 24 hours Jane’s mail was not happening at all. ATT said this problem has become widespread and that the FBI is investigating it.
Jane changed her password and was strongly assured by ATT she could safely keep her email address. She paid for high-level ATT tech support and they were at it for about seven hours to first remove “wires” and viruses that were put into her email program and computer. Three months later, Jane’s computer is finally getting back to normal.
An ATT tech said a spammer could have encountered her while she visited Facebook or any number of other websites on the internet. He stressed that she should not use Firefox or Explorer to connect to yahoo and send and receive email. ATT said if she had been using a program such as Outlook Express, Windows Mail, or Mail (for Mac) all her private info would have been saved to her hard drive.
Jane now has an icon on her desktop and will use that only to send email. This makes her far less exposed to attacks like this in the future, according to the experts.
Jane was instructed to run her malware detection software when she starts up her computer, or at least once each day.
Since the first call she got about the email, she methodically went through her phone book on her Blackberry calling every number to explain about the fraudulent email. She also got calls from dozens of concerned friends ready to rescue her. That was wonderful, but in a way also made her feel even worse about the whole thing.
Jane doesn’t understand why ATT did not tell her about all of these precautions before she had to experience a complete meltdown of her email communication tools.
Stephen Campbell, a geek everyone would like to know, offers this advice: change your password to make it more complicated, so hackers cannot quickly figure it out using their computer programs that can try millions of password combinations in just seconds.
How can you create a secure password? This website explains the nuts and bolts of passwords, so you can better protect yourself.
Stephen, our favorite geek, says, “Many people have trouble remembering a secure password like 4Fz@lo49% (this password would take about a million years for a modern PC to hack). So I suggest you modify an existing password and/or use a word you can remember with a few modifications.
“Let’s say your current password is hotdog (this password would be hacked almost instantly as it’s a dictionary word). We can make a few modifications to it to make it a very strong password, yet still easy to remember. We will use pager code (swapping out letters for numbers and symbols that look similar) to make this password a little more difficult, turning the password hotdog into H0td@g (capital H, replaced the o with a zero and the other o with an @ symbol which looks like an o. This password by itself would take about 4 hours to crack). Then we add some numbers before and after this word—22H0td@g98 (added a 22 before it and a 98 after it. Still relatively easy to remember – but this password would take about 17,000 years to hack).”
Do you have questions about how to change your password? Often you can find the answer in the help section of the service you use.
CHANGE YOUR PASSWORD NOW
Cutting to the bottom line, you can protect yourself if you create a password that is 10 characters in length, contains both upper and lower case, and has a combination of numbers and letters. If the letters are a dictionary word, toss some numbers in there to mix it up and use both upper and lower case letters. Do it. Now.
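The bottom-line rule can be turned into a quick self-check. The following is an added example, not part of the original article: it tests a password against the rule above and also reports when the password still reduces to a dictionary word once look-alike characters and padded digits are undone, a predictable pattern worth knowing about when you pick the base word. The substitution table, the three-word list and the function names are constructed for illustration.

```python
import re

# Look-alike ("pager code") characters mapped back to letters. "@" is tried as
# both "o" (as in the article) and "a" (a common swap). Constructed table.
BASE = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"}
TABLES = [str.maketrans({**BASE, "@": letter}) for letter in ("o", "a")]

# Tiny constructed wordlist; a real check would load a full dictionary file.
WORDS = {"hotdog", "password", "sunshine"}

def meets_rule_of_thumb(pw):
    """The article's rule: 10+ characters, upper and lower case, digits and letters."""
    return (len(pw) >= 10
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)

def dictionary_base(pw, words=WORDS):
    """Return the dictionary word the password is built on, or None."""
    core = pw.strip("0123456789").lower()  # drop digits added before and after
    for table in TABLES:
        plain = core.translate(table)
        if plain in words:
            return plain
    return None

def review(pw):
    """Summarise both checks for one candidate password."""
    return {"meets_rule": meets_rule_of_thumb(pw), "base_word": dictionary_base(pw)}

if __name__ == "__main__":
    for candidate in ("hotdog", "H0td@g", "22H0td@g98", "4Fz@lo49%"):
        print(candidate, review(candidate))
```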