With email account hacking on the rise, it's important to understand what it takes to keep your account and its address book safe from compromise.
How do I stop [email being sent as me] or prevent a hacker from getting into my address book?
This was a follow-up question from someone who’d discovered that, as they put it, “Somebody is using my email address book to send spam to my friends.” I had pointed them at “Someone’s sending email that looks like it’s from me to my contacts, what can I do?”
What’s critical to realize here is that it’s extremely likely that they don’t just have access to your address book – they have access to your entire email account.
And that’s exactly where prevention begins.
This is the scenario that I’m hearing about frequently:
- Someone’s email account gets hacked
- The hacker then uses that email account to send spam to everyone in that email account’s address book
It’s that first part that matters: they hacked into your email account.
This has nothing to do with your PC (probably)
The cases that I’m seeing are not due to a virus, and they do not mean that your computer or your email program has been hacked. Your computer can be 100% secure and this could still happen.
It’s most common with web-based email accounts like Hotmail, Yahoo, Gmail, and others. And that’s the clue.
The hackers have somehow discovered your email username and password. Armed with that, they head off to the website for that email service and log in.
They log in as you.
Because they have your username and password.
So they log in to Hotmail or Yahoo or Gmail or whatever service it is that you use – as you – and start sending everyone in your address book spam.
And they often do all of this from the other side of the planet.
PC-based email programs are not immune
Any email account can be hacked. The ones that keep address books on the email servers, such as those that offer primarily web-based access, are the most common targets, because the hackers don’t want just your account; they want the address book.
Some PC-based email programs now recognize online accounts and synchronize the contact list that you might keep on your PC with the contact list that’s kept online. A great example is Windows Live Mail – a desktop email program – which, when configured to access a Hotmail account, will synchronize your local address book with Hotmail’s online copy.
It’s easy to check – just log in to the web interface to your email account and see if the contact list is empty. If not, then hackers would love to get access to your account.
Protecting your address book means protecting your email account
Your address book is just a part of your email account and it’s your email account that needs protection.
There’s nothing really magical about that.
- Use a good password. I’d guess that perhaps as many as a quarter of all account hacks that I hear of are simply hackers guessing the password.
- Don’t share your password with anyone. Not only are you trusting their good intentions, but you’re also trusting their security savvy – if they make a mistake and expose your password, it could easily result in a hack.
- Don’t log in to any of your accounts using public computers. The problem is that there is no way to know that your keystrokes aren’t being recorded. If you must log in to something, make sure it’s a throw-away account that you wouldn’t mind losing to a hacker.
- Use open Wi-Fi hotspots safely. In many cases, logging in to your email account at an open Wi-Fi hotspot transmits your username and password in the clear for anyone with a laptop and a little software to see.
- Use your computer safely. Even though I said that your computer may not be involved, that doesn’t mean it can’t be. Spyware or keyloggers installed on your computer could give hackers all the usernames and passwords that they need to get into your accounts.
- Be skeptical. Another large percentage of the account hacks that I see are the result of phishing – tricks that hackers play to get you to give them your password. An email that threatens to close your account unless you respond with a list of information that includes your password is a scam. Provide that information and in minutes, you’ll find that your account has been hacked.
Hopefully, you get the idea: treat your email account security seriously, pay attention to online security, and you’re many, many steps ahead of the hackers who’d try to get into your account.
If you’ve already been hacked
Start doing everything that I just listed. In fact, double-check it all just to make sure.
But most importantly: change your password. Now.
In fact, you must change much more than your password.
You need to change any and all of the information that could be used to request a password reset on your account.
Why? Two reasons:
- Hackers often change the information while they have access to your account.
- Whether they change it or not, hackers can often use the information that they find in your account to regain access immediately, by requesting a password reset after you change your password.
What you need to change depends on what your email provider uses for password reset information, but it could include:
- Alternate email addresses
- “Secret” questions and their answers
- Mobile numbers
- Billing information
- Whatever else your email provider uses
In some cases, like the mobile number, even if you don’t change it (presumably you still have the phone), you should confirm that it’s still set correctly. As I said, hackers often go in and change these settings so that they can regain access.