How do I protect my email address book?

With email account hacking on the rise, it's important to understand what it takes to keep your account and its address book safe from compromise.


How do I stop [email being sent as me] or prevent a hacker from getting into my address book?

This was a follow-up question from someone who’d discovered that, as they put it, “Somebody is using my email address book to send spam to my friends.” I had pointed them at Someone’s sending email that looks like it’s from me to my contacts, what can I do?

What’s critical to realize here is that it’s extremely likely that they don’t just have access to your address book – they have access to your entire email account.

And that’s exactly where prevention begins.

The scenario

This is the scenario that I’m hearing about frequently:

  • Someone’s email account gets hacked
  • The hacker then uses that email account to send spam to everyone in that email account’s address book

It’s that first part that matters: they hacked into your email account.

This has nothing to do with your PC (probably)

The cases that I’m seeing are not due to a virus and it does not mean that your computer or your email program has been hacked. Your computer can be 100% secure and this could still happen.

It’s most common with web-based email accounts like Hotmail, Yahoo, Gmail, and others. And that’s the clue.

The hackers have somehow discovered your email username and password. Armed with that, they head off to the website for that email service and login.

They login as you.

Because they have your username and password.

So they login to Hotmail or Yahoo or Gmail or whatever service it is that you use – as you – and start sending everyone in your address book spam.

And they often do all of this from the other side of the planet.

PC-based email programs are not immune

Any email account can be hacked. The ones that keep address books on the email servers, such as those that offer primarily web-based access, are the most common because the hackers don’t want just your account, they want the address book.

Some PC-based email programs now recognize online accounts and synchronize the contact list that you might keep on your PC with the contact list that’s kept online. A great example is Windows Live Mail – a desktop email program – which, when configured to access a Hotmail account, will synchronize your local address book to Hotmail’s online copy.

It’s easy to check – just log in to the web interface of your email account and see whether the contact list is empty. If it isn’t, then hackers would love to get access to your account.

Protecting your address book means protecting your email account

Your address book is just a part of your email account and it’s your email account that needs protection.

There’s nothing really magical about that.

  • Use a good password. I’d guess that perhaps as many as a quarter of all account hacks that I hear of are simply hackers guessing the password.
  • Don’t share your password with anyone. Not only are you trusting their good intentions, but you’re also trusting their security savvy – if they make a mistake and expose your password, it could easily result in a hack.
  • Don’t login to any of your accounts using public computers. The problem is that there is no way to know that your keystrokes aren’t being recorded. If you must login to something, make sure it’s a throw-away account that you wouldn’t mind losing to a hacker.
  • Use open Wifi hotspots safely. In many cases, logging in to your email account if you’re at an open Wifi hotspot transmits your username and password in the clear for anyone with a laptop and a little software to see.
  • Use your computer safely. Even though I said that your computer may not be involved, that doesn’t mean it can’t be. Spyware or keyloggers installed on your computer could give hackers all the usernames and passwords that they need to get into your accounts.
  • Be skeptical. Another large share of the account hacks that I see are the result of phishing – tricks that hackers play to get you to give them your password. An email that threatens to close your account unless you respond with a list of information that includes your password is a scam. Provide that information and within minutes, you’ll find that your account has been hacked.

Hopefully, you get the idea: treat your email account security seriously, pay attention to online security, and you’re many, many steps ahead of the hackers who’d try to get into your account.

If you’ve already been hacked

Start doing everything that I just listed. In fact, double-check it all just to make sure.

But most importantly: change your password. Now.

In fact, you must change much more than your password.

You need to change any and all of the information that could be used to request a password reset on your account.

Why? Two reasons:

  • Hackers often change the information while they have access to your account.
  • Whether they change it or not, hackers can often use the information that they find in your account to immediately regain access to your account by requesting a password reset after you change your password.

What you need to change depends on what your email provider uses for password reset information, but it could include:

  • Alternate email addresses
  • “Secret” questions and their answer
  • Mobile numbers
  • Billing information
  • Whatever else your email provider uses

In some cases, like the mobile number, even if you don’t change it (presumably you still have the phone), you should confirm that it’s still set correctly. As I said, hackers often go in and change these settings so that they can regain access.

This is an update to an article originally posted: October 18, 2011

There are 7 comments:

  1. Cub

    I and my contacts have been receiving a phrase from “Smilebook” that they sent to me and I can’t seem to erase it from my e-mails, nor can my contacts. I’ve contacted “Smilebook” and they deny sending it to me. It says; I have tried to do this all in vain. It was when I cancelled them and they had a problem with the cancellation. What to do?

    Cub

  2. Gabe Lawrence

    I’m thinking like a hacker here….why wouldn’t I get your email/password and go to all major websites and say “I forgot my password”. Most use their email address as the username and probably the same password. If you have an account there, it will email a “reset password” link to your email account that I have access to! I can now get into your OTHER accounts. Not to mention, if I search your email archives (gmail especially as they promote NOT deleting anything) then I can get a feel for where you do your banking and other online activities.

    HTH.

  3. Steve Carsey

    I received an infected e-mail from one of my contacts. I know it was infected because AVG caught it when I opened the e-mail.

    I immediately erased that contact from my address book, and marked the e-mail as spam, but I am still receiving e-mail from that contact, just as if it is still in my contact list. What is happening here?

    No way to know as it depends entirely on what email program you use. Being or not being in your contact list does not control whether you receive email from someone.

    Leo
    26-Oct-2011
  4. bob prickett

    In addition to a complex pw, one should also make the answer to your secret question very complex.

    It does not have to make sense, but you must remember it.

    For first pet or where married or mother’s maiden name, enter something like “DWERYGFRETR”

    So, a hacker must not only know your username and pw, in order to change the pw, they must know the answer to your secret question. Make the answer all gibberish that only you know.

  5. Chris Stilgoe

    Just a heads up: If you use Gmail, they now offer a service that will send your mobile / cell phone a verification code in order to log on. This might serve as another line of defence, provided that you haven’t been hacked and that all of your contact details are correct.

  6. dave

    ummm, sorry to say but people do not even have to have access to your account to make it look like it comes from you.
    All they do is use your email address and use a program to send out spam and it looks like it comes from you.

    Yep… this article covers that: Someone’s sending from my email address! How do I stop them?! But the reality is accounts are also being compromised at an alarming rate.

    Leo
    01-Dec-2011
  7. Sharen

    Go to Youtube and type in: (how to stop phishing with email address encryption.) My name is Sharen and hopefully you find this of assistance. This is a technique that I developed to help deter phishers from using my contact list by making them work harder for it.
