How do I stop [email being sent as me] or prevent a hacker from getting into my address book?
This was a follow-up question from someone who’d discovered that, as they put it, “Somebody is using my email address book to send spam to my friends.” I had pointed them at Someone’s sending email that looks like it’s from me to my contacts, what can I do?
What’s critical to realize here is that it’s extremely likely that they don’t just have access to your address book; they have access to your entire email account.
And that’s exactly where prevention begins.
Become a Patron of Ask Leo! and go ad-free!
This is the scenario I’m hear frequently:
- Someone’s email account gets hacked.
- The hacker then uses that email account to send spam to everyone in that email account’s address book.
It’s that first part that matters: they hacked into your email account.
This has nothing to do with your PC (probably)
The cases that I’m seeing are not due to a virus, and it does not mean your computer or your email program has been hacked. Your computer can be 100% secure and this could still happen.
It’s most common with web-based email accounts, like Hotmail, Yahoo, Gmail, and others – and that’s the clue.
The hackers have somehow discovered your email username and password. Armed with that, they head off to the website for that email service, and log in.
They login as you …
… because they have your username and password.
So they log in to Hotmail or Yahoo or Gmail or whatever serviceyou use – as you – and start sending everyone in your address book spam.
And they often do all of this from the other side of the planet.
PC-based email programs are not immune
Any email account can be hacked. The ones that keep address books on the email server, such as those that offer primarily web-based access, are the most common, because the hackers don’t want just your account – they want the address book.
Some PC-based email programs recognize online accounts and synchronize the contact list you keep on your PC with the contact list that’s kept online. A great example is Windows Live Mail, a desktop email program which, when configured to access a Hotmail account, synchronizes your local address book to Hotmail’s online copy.
It’s easy to check; just log in to the web interface of your email account, and see if the contact list is empty. If not, hackers would love to get access to your account.
Protecting your address book means protecting your email account
Your address book is just a part of your email account. It’s your email account that needs protection.
There’s nothing really magical about that.
- Use a good password. I’d guess that perhaps as many as a quarter of all account hacks I hear of are simply hackers guessing the password.
- Don’t share your password with anyone. Not only are you trusting their good intentions, you’re also trusting their security savvy – if they make a mistake and expose your password, it could easily result in a hack.
- Don’t log in to any of your accounts using public computers. The problem is that there is no way to know that your keystrokes aren’t being recorded. If you must log in to something, make sure it’s a throw-away account you wouldn’t mind losing to a hacker.
- Use open Wifi hotspots safely. In many cases, logging in to your email account with an open Wifi hotspot transmits your username and password in the clear for anyone with a laptop and a little software to see.
- Use your computer safely. I said that your computer may not be involved, but that doesn’t mean it can’t be. Spyware or keyloggers installed on your computer could give hackers all the usernames and passwords they need to get into your accounts.
- Be skeptical. A large percentage of account hacks I see are the result of phishing – tricks hackers play to get you to give them your password. An email that threatens to close your account unless you respond with a list of information that includes your password is a scam. Provide that information, and in minutes, your account will be hacked.
Hopefully, you get the idea: treat your email account security seriously, pay attention to online security, and you’re many, many steps ahead of the hackers who want to get into your account.
If you’ve already been hacked …
… start doing everything I just listed. In fact, double-check it all just to make sure.
But most importantly: change your password. Now.
In fact, you must change much more than your password.
You need to change any and all of the information that could be used to request a password reset on your account.
Why? Two reasons:
- Hackers often change the information while they have access to your account.
- Whether they change it or not, hackers can often use the information they find in your account to immediately regain access to your account after you change your password by requesting a password reset.
What you need to change depends on what your email provider uses for password-reset information, but it could include:
- Alternate email addresses
- “Secret” questions and their answers
- Mobile numbers
- Billing information
- Whatever else your email provider uses
In some cases, like the mobile number, even if you don’t change it (presumably you still have the phone), you should confirm it’s still set correctly. As I said, hackers often go in and change these settings so they can regain access.