The Anatomy of an Email Hack


Rachel did everything correctly. She had a very strong password. She didn’t use the same (or even a similar) password for any other account, and yet her email was hijacked. Hacked. What happened, and how could this have been avoided? Here’s my analysis:

Rachel’s account was accessed either by guessing or brute-forcing her password, or by obtaining it from a leaked Yahoo user name and password list. Once in, the hacker created a new address at another service (Outlook.com, as it turned out) using exactly the same user name as Rachel’s Yahoo address. They then set the reply-to address on Rachel’s Yahoo account so that every reply to her messages went to the newly created look-alike account. While still in her mailbox, they created a new subfolder and a filter rule that moved all newly received mail into that folder, so that it would not be obvious to her that new mail was arriving.

The next step was to send the typical “I need a favor” email to all 150 of her contacts. The email, sent from Rachel’s legitimate account, asked for help procuring an engagement gift she had put off purchasing; since she was now traveling, she couldn’t take care of it herself. When anyone replied to ask how they could help, the reply went straight to the hacker-created account that looked like her legitimate one. Because the part before the @ was identical, very few of Rachel’s contacts noticed that in the subsequent conversation they were corresponding with an address at Outlook.com rather than Yahoo.com.
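The two tricks above, a Reply-To header that silently redirects replies to a look-alike address and a conversation whose sender domain changes midway, can both be detected from the message headers alone. The following Python script is an added example, not code from the original post; the messages it inspects are constructed to mimic the scam described and are not real captures.

```python
"""Flag the reply-redirection trick described above.

Two checks on raw RFC 822 messages (standard library only):
  1. reply_to_lookalike: Reply-To keeps the From local part but points at
     a different domain, so replies leave the legitimate account.
  2. thread_domain_drift: within one conversation, a sender with the same
     local part suddenly arrives from a different domain.
"""
import email
from email.utils import parseaddr

# Constructed sample messages (not real captures). The first is the scam
# mail sent from the hijacked account; the second is the hacker's follow-up
# from the look-alike account; the third is an ordinary, clean message.
SCAM_MESSAGE = """From: Rachel <rachel.example@yahoo.com>
Reply-To: Rachel <rachel.example@outlook.com>
To: friend@example.net
Subject: I need a favor

I'm traveling and need help with an engagement gift I put off buying.
"""

FOLLOWUP_MESSAGE = """From: Rachel <rachel.example@outlook.com>
To: friend@example.net
Subject: Re: I need a favor

Thank you! An Amazon gift card would be perfect, just email me the code.
"""

CLEAN_MESSAGE = """From: Rachel <rachel.example@yahoo.com>
To: friend@example.net
Subject: Lunch next week?

Are you free on Tuesday?
"""


def split_address(header_value):
    """Return (local_part, domain) from a header like 'Name <user@host>',
    or (None, None) if the header is missing or has no address."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None, None
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def reply_to_lookalike(raw_message):
    """Return a finding string when Reply-To reuses the From local part at a
    different domain; None when replies go back where the reader expects."""
    msg = email.message_from_string(raw_message)
    from_local, from_domain = split_address(msg.get("From"))
    reply_local, reply_domain = split_address(msg.get("Reply-To"))
    if from_domain is None or reply_domain is None:
        return None  # no Reply-To, or unparsable headers: nothing to compare
    if reply_local == from_local and reply_domain != from_domain:
        return (f"replies to {from_local}@{from_domain} "
                f"go to {reply_local}@{reply_domain}")
    return None


def thread_domain_drift(raw_messages):
    """Walk a conversation in order; flag any sender whose local part was
    first seen at one domain and later shows up at another."""
    first_domain = {}   # local part -> domain of that sender's first message
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        local, domain = split_address(msg.get("From"))
        if local is None:
            continue
        seen = first_domain.setdefault(local, domain)
        if domain != seen:
            findings.append(f"{local}: first wrote from {seen}, now from {domain}")
    return findings


if __name__ == "__main__":
    print(reply_to_lookalike(SCAM_MESSAGE))
    print(reply_to_lookalike(CLEAN_MESSAGE))
    print(thread_domain_drift([SCAM_MESSAGE, FOLLOWUP_MESSAGE]))
```

A mail client that offered either warning would have stopped this scam before any money moved: the first check fires on the very first message, the second on the hacker’s first reply.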

You would expect that in this day and age no one would fall for this well-worn scam, and that no one would engage the hacker in an email conversation about the details of the request. You wouldn’t expect one of Rachel’s contacts to actually spend $400 on an Amazon gift card and email the card’s code back to “her.” But unfortunately, that’s exactly what one of her good, well-intentioned friends did.

When Rachel started receiving phone calls from other, more savvy contacts asking whether her request for help had been legitimate, she immediately logged into her email and changed her password. It was then that she noticed that all her contacts, as well as her inbound and sent mail, had been deleted.

How to protect your email and identify scams

What lessons can we take from this all-too-common example of hacking? Well, there are a few.

1) Yahoo mail is the least secure of the popular free email services. If you decide to move to a more secure service such as Gmail, don’t delete your Yahoo account; just let it go dormant. If you delete your old Yahoo account, your old address will be available to someone else within 30 days, and whoever picks it up will receive whatever mail is still being sent to you there.

2) Never, ever send funds or personal or financial information to anyone via email, text message, or even by phone unless you have verified, through a channel you already trust, that you are actually speaking or corresponding with the right party. Spoofing identities is an extremely popular and lucrative activity for the outlaws among us.

Stay informed about the methods hackers are using to launch these attacks and stay on your guard. If an account is ever compromised, changing the password is not enough: the reply-to address, forwarding settings and filter rules the attacker added remain in place until you remove them, so check all three. Any quality IT provider will offer regular phishing training for your users.