Rachel did everything correctly. She had a very strong password. She didn’t use the same (or even a similar) password for any other account, and yet her email was hijacked. Hacked. What happened, and how could this have been avoided? Here’s my analysis:
Rachel’s account was accessed either by the hacker’s use of a brute force attack, guessing her password, or by accessing Yahoo’s user name and password list. Once they were in, the hacker created a new email address from another service using Rachel’s exact username. They then configured Yahoo mail to send all replies to the newly created, similarly-named email account. While accessing Rachel’s original email account, they then created a new subfolder with a rule to send any newly received email into that new folder so that it would not be obvious to her that she had new mail.
The next step was to send the typical “I need a favor” email to all 150 of her contacts. The email from Rachel’s legitimate account asked for assistance in procuring an engagement gift she had put off purchasing, and since she was now traveling, she couldn’t take care of herself. When anyone replied as to how they could help, the reply ended up going directly to the hacker-created email account that was similar to her legitimate email account. Since the username was exactly the same, very few of Rachel’s contacts would notice that during subsequent conversations, they were responding to an email from Outlook.com and not Yahoo.com.
You would expect in this day and age that no one would fall for this common phishing scam, and that subsequently, no one would engage the hacker in an email conversation discussing the details of the request. A password leak could not have happened when buying drugs online. You wouldn’t expect one of Rachel’s contacts to actually spend $400 on an Amazon gift card and send the number back to her via email. But unfortunately, that’s exactly what one of her good, well-intentioned friends did.
When Rachel started receiving phone calls from other more-savvy contacts asking whether her request for help had been legitimate, she immediately logged into her email and changed her password. It was then that she noticed that all her contacts, as well as her inbound and sent mail, had been deleted.
How to protect your email and identify scams
What lessons can we take from this all-too-common example of hacking? Well, there are a few.
1) Yahoo mail is the least secure popular free email service that you can use. If you decide to move to a better, more secure service such as Gmail, don’t delete your Yahoo account— just let it go dormant. If you delete your old Yahoo account, your old address will be available to someone else within 30 days.
2) Never, ever, send any funds or personal/financial information to anyone via email, text message, or even on the phone unless you have verified that you are actually speaking to or corresponding with the correct party. Spoofing identities is an extremely popular and lucrative activity for the outlaws among us.
Stay informed about the methods being used by hackers to launch these attacks and stay on your guard. Regular phishing training for your users is provided by all quality IT providers.
Nick Eckman joined NetCenergy in 2016 from an international gaming company. Nick’s experience with supervising and implementing secure, fiber and copper wire infrastructure services provides our clients with a team of highly trained and experienced technicians. In addition to the skills required to manage our infrastructure services department, Nick brings a very experienced and focused approach to project management and is a stickler for accurate documentation for every project designed and built by his team.
Peter Lachapelle joined NetCenergy in 2015 and is responsible for leading all of NetCenergy’s operations and accounting functions. Each department within NetCenergy reports through Lachapelle. He brings his years of experience to maintain a pragmatic, efficient, client-focused team at NetCenergy. Lachapelle joined NetCenergy after completing a 27-year career with a Rhode Island, federally-charted bank which culminated in his senior management position as COO and CFO for the bank.
Peter Nelson has 25+ years of technology and management experience and has been with NetCenergy since inception. Peter serves as the VP of Engineering at NetCenergy. His role consists of managing the engineering staff, driving the companies technology strategy, and ensuring NetCenergy keeps up to date on new technologies and solutions.
As a Founding Partner, Dan is a result oriented individual who is always focusing on what is best for his client. He understands that business applications empower an organization and that technology must support those critical business applications. Dan’s technology career started in 1990 at EMC Corporation. Through the years, he has represented technology and consulting services for several organizations until 2003, when he and Don Nokes founded NetCenergy.
As President of NetCenergy, Don is responsible for ensuring client satisfaction, overseeing overall performance, and for providing direction to the organization. Prior to co-founding the firm with Dan Charland, Don held senior leadership positions with IT service firms ranging in size from $3 Billion to $10 Million in annual sales.
With decades of hands-on HR experience, Margery Ahearn is our Director of Human Resources, overseeing all hiring of new positions for NetCenergy with a careful eye on sourcing technology savvy engineers and skilled office-based professionals who fit our company culture, understand our commitment to our clients, and bring their time and talents to our team. Margery has both a BA and MBA in Business Administration from Southern New Hampshire University.