Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

4 comments on “How to Avoid an Account Recovery Scam”

  1. Just a heads up about recovering a Microsoft account. If a user gets to the point of using their recovery code, Microsoft imposes a thirty day waiting period before the user can get back in.
    I discovered this the hard way when an individual had locked himself out of his computer with too many incorrect attempts using a PIN and his password for his Microsoft account.
    I was able to make an image of his computer’s hard drive using Macrium Reflect and then mounting that image on a virtual machine on mine. Surprisingly (for me) I was able to find his password, then used it to log into his account on line. Once I made the changes to his recovery phone number and email, a message showed up from Microsoft that I wouldn’t be able to log in for 30 days. Sure enough, 30 days later he was able to login.
    This individual has suffered a series of strokes, which has affected his ability to recall his PIN at times and his coordination to some extent when typing it in. I set up his account recovery plans on all his accounts when we were back into them, this time using a password manager to manage them.
    After going through all that, I made sure everyone in the household with an account of any type had recovery plans in place and how to find them. It is a lot easier to do ahead of time and not resort to Hail Marys, hoping something worked.

    Reply
  2. I’m a long time LastPass user. When I learned of the data breach, I started going through all my Internet accounts to change and lengthen my password (from 12 to 16 characters), and to check that I had 2FA enabled on each account. For the few accounts I found that didn’t offer/support 2FA, I looked for a replacement, and took steps to delete/close the account and all information it held. My logic was/is that if the service doesn’t care enough about my account security to support/offer 2FA, I don’t want to trust them with my information/data. There was one account that had no mechanism to close/delete the account, and no contact information listed, so I changed my username to anon, and my email address to IQuit@rightnow.com. The site wanted my real name, so I changed it to Anonymously Yours, then I removed it from my LastPass vault and never looked back. As one of my annual routines, I go through all my Internet accounts to weed out any I no longer use/want, and to confirm that they all have 2FA enabled. To this day, one of my main criteria for setting up an Internet account with any service is to check that it supports 2FA. If not, I cancel the setup operation and look elsewhere for a similar service that does support/offer 2FA. I also take pains to set up an alternate email address (I use one of two addresses for that purpose), and record all account recovery information (including brief usage instructions), then add it to the account’s item in my LastPass vault, in the notes area. This way, if I ever have to recover an account, I know exactly where to look for what I’ll need. By checking all my Internet accounts annually, and setting up (and recording) all available account recovery options when I create an account, then moving that information into the account’s item in my LastPass vault, I ensure that I can recover any account I have, no matter what happens. The only way all this could fail would be if LastPass abruptly disappeared from the Internet/stopped doing business, and I don’t see that happening anytime soon. To handle that remote possibility, I also export my LastPass date annually, and save it in my OneDrive vault, with the year added to the file name, so I know what I’m looking at later.

    Ernie (Oldster)

    Ernie

    Reply
    • “The only way all this could fail would be if LastPass abruptly disappeared from the Internet/stopped doing business”
      If LasrPass goes out of business, the program and local vault should still work and give you tome to import your vault into a new password manager.There are other things that can go wrong, so backing up you password vault is also an important protectection agains loss. If you aren’t the only person with access to your computer, it’s also a good idea to encrypt yout vault backup. An encrypted .zip file is fine for that.

      Reply
  3. I have read this with interest as recently lost £300 before I smelt a rat. What accounts are we talking about here, is it email accounts or all the websites that I have joined, even if it was a one off purchase.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.