Every two or three weeks, I get a call from someone who is sure their email was hacked. As the title of this post implies, in every case to date, I have found that their email was not, in fact, hacked, but there are a number of reasons why someone not thoroughly familiar with how the online world works might think otherwise. Note that just because someone’s e-mail wasn’t hacked doesn’t mean that a bad actor didn’t gain access to it. The purpose of this post is to help you understand how this actually happens and what you can do to protect your email account.
Hacking vs. Cracking
Let’s start with proper terminology: If someone gains access to your email account, or any other account or device you have, that isn’t hacking per se. “Hacking” means writing a short computer program for some very specific purpose. That purpose isn’t necessarily malicious. In fact, traditionally, it wasn’t malicious. Think in terms of “life hacks” featured in YouTube videos that show you how to soften butter faster for baking, or get wrinkles out of shirts without ironing, or build a mousetrap for less than $1.00. In the programming world, “hacking” is, quite literally, coding a hack, i.e., writing a bit of program code that solves a specific or unanticipated problem. For example, one of my clients depends heavily on being able to access data on a NAS via certain drive letters. Windows sometimes “forgets” those drive mappings, so I wrote a hack for them, in the form of a batch script, that re-establishes their drive mappings.
The proper word for breaking into a device or account is “cracking”.
Once upon a time, cracking usually involved hacking, although as you’ll see later in this post, that is usually no longer the case. Therefore, I’m going to use the words “crack”, “cracked” and “cracking” when referring to accessing someone’s account or device without permission.
How Can You Be So Sure That My Email Wasn’t Cracked?
The short answer is because cracking the security on email servers is hard, and crooks are lazy.
As I’ve said often, the days when people wrote malware, broke into computers and committed other online mischief just to get a thrill or show off or maybe find a job as a programmer are long gone. That’s not to say people no longer desire those things; it’s just that technology has provided more effective ways to get them.
Nowadays, people trying to get into other people’s accounts are usually trying to steal money. The attempt may be direct, like getting into someone’s bank account, or indirect, like using someone’s e-mail address to send out scammy spam mail that tries to bilk lots of people out of their savings. On rare occasions, the unauthorized access may be the work of an online stalker or cyberbully, but most of the time, money is the motive.
What nearly all modern cyber-criminals have in common is that they’re lazy and impatient. Getting good enough at cracking to breach logon security takes a lot of time, effort and money. That’s why I can be so certain that your email wasn’t cracked. Server software companies learned decades ago that as long as their logon systems were easy to defeat, there would be crackers breaking in, so they made logon systems among the toughest to crack. That’s not to say cracking them is impossible. If you’re enough of a celebrity or your work involves the sort of information that international spy organizations want, there might just be enough motivation for a bona fide professional cracker to break into whatever computer systems you use and get it. And if you’re one of those high-risk individuals, then I recommend you stop reading here and go find yourself a very high-level cybersecurity company to protect your digital assets. But the overwhelming majority of us aren’t worth that kind of effort, and the petty crooks and schnooks who want access to our accounts aren’t motivated, patient or capable enough to crack in.
But someone got into my email! If they didn’t hack/crack in, how’d they get in?
The short answer is that you gave them your email address and password.
Previously, I said that cracking into servers, particularly email servers, is too hard for most of us to be worth the effort, and I stand by that statement. But it’s very easy and inexpensive to trick people into handing over their account logon information, and so that’s what modern cybercriminals do. Here are the most common ways this is done:
Phishing
This is, by far, the most common method of stealing email passwords, as well as other kinds of account credentials, and even personal information. Since we started talking about people thinking their email had been hacked, I’ll pick on that. The perpetrator composes an email message intended to look as though it came from a popular email provider, such as Google (GMail), Yahoo or Microsoft (Outlook.com). The email will claim that your account has been compromised, that the company is cleaning up old accounts and you need to prove that you’re actually using yours so they don’t close it, or some other persuasive come-on to get you to click on a convenient link and log on. If you click on the link, it takes you to a web site that looks like your regular GMail, Yahoo Mail or Outlook.com logon page. And if you then type in your email address and password, it will add those to a list of email account credentials the crook has been collecting, then, most likely, pass you through to your real email account.
The reason you have no recollection of having been phished is because the crooks rarely make use of the addresses and passwords they collect. Instead, they collect them for awhile, then sell their lists on the so-called Dark Web, which refers collectively to shady web sites where stolen information is bought and sold. Whoever buys that list will eventually make use of your credentials, but that probably won’t happen until months after the phishing incident took place.
Malware
While less common than phishing, there have been incidences of malware being used to capture account credentials and report them via the Internet to a server-side program being run by cyber-criminals to collect them, either for their own use or for selling on the Dark Web. A number of data breaches reported by major companies in recent years were perpetrated by such malware.
The most difficult part of using malware to steal account credentials is getting the malware installed on a targeted computer. Computers running up-to-date versions of Windows or Mac OS have enough anti-malware software built right in to foil typical attempts to run malware on them. Some of the corporate data breaches of the last few years were perpetrated by insiders, who were employees who were disgruntled, bribed or new hires who were part of the cyber-criminal ring. In other cases, phishing or tech support scam pages were used to trick employees into turning off their computers’ antivirus software and installing them malware, or allowing a criminal to remote in using common remote control software to run the malware.
OK, so someone got into my email because they have my password. What do I do now?
If you still have access to the account, log into it right away, change the password and make sure your account recovery information, typically a cell phone number and an alternate e-mail address, is set so that you and only you receive account recovery and password change request messages. This will lock out the unauthorized person and any ‘bots sending out spam via your account.
And what can I do to prevent this from happening again?
The single best thing you can do to prevent an account takeover – which is what generally happens after your email account credentials end up in the wrong hands – is to turn on two-factor authentication (2FA), sometimes called multi-factor authentication (MFA). Doing this requires anyone wanting to log into your email to have physical access to a second device, usually your cell phone, in order to log into your account, even if they have your e-mail address and password. That, combined with making sure your account recovery information is up-to-date, makes your account extremely difficult to take over.
2FA/MFA works by either sending a message to your second device anytime you want to log into your email, or by requiring a code generated by a smartphone app, such as Google Authenticator. It’s a minor inconvenience, but one well worth bearing, as it makes an account takeover almost impossible.
2FA/MFA is fine for people who access their email via a web browser, but it was a tough sell for those who use 3rd party email client software, such as Windows Mail and Mozilla Thunderbird, as it locked those programs out. Fortunately, 3rd party email clients have evolved to work with 2FA/MFA or their alternatives. For example, Mozilla Thunderbird can display a GMail logon page, and it is also designed to work with the Oauth2 protocol that GMail uses to allow 3rd party software to work with it.
But it’s so convenient to use the same password for more than just email. Is there anything else I can do to foil phishing?
YES!
For starters, get a password manager that will store your passwords invisibly and securely, will fill them in for you whenever you need to log into something, and can be shared among your computers, phones and tablets. That way, you can have the convenience of just remembering one password – for your password manager – without putting your email and other accounts at risk. Lebowitz IT Services is pleased to offer LastPass subscriptions on a monthly basis to our clients.
For our corporate clients, we also offer MailAssure, a world-class, managed anti-spam system. Anti-spam systems treat most phishing attempts as spam. We also offer Ironscales, another managed solution that targets phishing attempts that get past your anti-spam solution and quarantines it.
Finally, learn to recognize what phishing looks like. Remember the old refrain, “But I read it on the Internet — it must be true!”? Internet access has been commonplace for over 20 years now, but surprisingly, there still people who believe that. Phishing depends heavily on that mindset, or at least on the reader’s unwillingness to think critically about what’s on the screen in front of him. If the e-mail message has a Fifth/Third Bank logo in it, then it must have come from Fifth/Third Bank, right? Well, wrong, actually!
I’ve read many articles that talk about telltale signs that can help you recognize phishing attempts. A logo that doesn’t look quite right or doesn’t match the name of the company that the message purports to be from are two such signs. Misspellings, poor grammar, circumlocutions and stilted wording are others. An email domain name that doesn’t look like the company’s domain name is yet another sign, as are URLs that don’t look anything like the company’s domain name when you hover your mouse pointer over links in the message. But all these require attention and a bit of technical knowledge that not everyone has, and many people don’t have the English skills to spot misspellings and grammar mistakes.
So, is there anything that can tip you off to a phishing attempt even if you didn’t ace AP English or have a degree in Computer Science? Absolutely.
Start by looking at the name of the company the message is supposed to have come from. Have you ever had an account with that company, or done business with them in any capacity? You’d be surprised how many people don’t ask this basic question. If you receive a message saying your Yahoo Mail account is going to be deleted if you don’t log into it *right now*, and you can’t remember ever having a Yahoo Mail account, that’s a sure sign of a phishing attempt. If you receive a renewal notice for McAfee or Norton security software, and you have no recollection of ever buying their software, then the message is most likely a phishing attempt. If you need more evidence, hover your mouse over each icon in the “hidden icons” section of your Taskbar Notification Area. If you don’t find a McAfee or Norton icon there, then you aren’t using their software, and the message is most likely a phishing attempt.
Another question to ask yourself is, “Why would this company send me this kind of message?” Since we’ve been talking about email account cracking and takeovers, let’s pick on GMail. GMail is Google’s email service. Google is a company that has long been accused of keeping too much information about everybody. How much information is too much, what kind of information is appropriate for them to keep, and even whether or not this assertion is true are beyond the scope of this article, but if you accept it as fact, then why would Google need to ask you to log into your GMail account *right now* to confirm that you’re still using it? (I’m just going to let that one sink in for a moment. How is it that the same people who believe Google tracks what they ate for breakfast this morning can be tricked into thinking that Google doesn’t know when they last checked their GMail?)
Finally, think about the propriety of using email, which is generally a non-secure, easily faked means of communication, to reach out to someone whose account has been flagged as problematic. The majority of companies know better than to do that. What they do if their internal checks detect something amiss about your account is they lock your account and simply wait until the next time you try to log in. When you do, they display a message saying that your account is locked and why, and then they direct you to a page where you can take whatever action is appropriate, such as changing your password or contacting Customer Service. So, if you receive a message in your email that notifies you of an account problem, particularly if it includes an all-too-convenient hyperlink to a web form, that’s probably a phishing attack.