Many people believe it wouldn’t matter if their email account was hacked: it’s only full of trivia, and what use is it to anyone that my aunt has sent me birthday greetings? Well, now the hacker knows your birthday, and if she’s said something like “Happy 40th” they’ve got your full date of birth. When a hacker is trying to get access to your accounts, one of the questions used to prove identity is your DOB.
ANY personal information is pure gold to a hacker, so even without your login credentials public sites like Facebook are gold mines. At places like that people publish all kinds of information which can help a hacker impersonate you. That’s why you get a continual stream of adverts on websites and by email. At least the adverts are just trying to sell you something, but the hackers can get the same information and more. They can use it to manipulate, and ultimately rob, you and your contacts.
Your email account is key to much about you, and fragments of information add together to paint a pretty detailed profile of you, which can be used to impersonate you. It’s not simply about the headline frauds where people have gained access to your bank account and drained it.
One very significant issue is that the email account provides a list of your correspondents. A hacker inside your account can email them masquerading as you.
A few days ago I received an email from an elderly acquaintance reading simply “can I ask you a favour”. I was suspicious because, although the sender’s address used his full name (i.e. john.smith@…, which is increasingly uncommon; most of us find we have to use something like john.smith2931@…), it was not from his usual email provider, and Gmail had flagged it as possible spam. In this instance I took a chance, because it was someone who might ask a favour, so I replied something like “I found this in my spam folder…”. That generated a prompt response asking me to buy an Amazon voucher on his behalf, a gift for a sick child, with a promise to reimburse me. That’s a common scam (https://supporttree.co.uk/watch-out-amazon-gift-card-scams-about/) so I knew I could safely disregard it.
This example is still puzzling, as I doubt that my acquaintance owns the originating account. I didn’t make a full analysis of the story, but I expect the sender’s address was faked (though in that case why not make the fake look like his true email?). All the scammer needed to know was that we are occasional correspondents, both our names and my email address. If he did indeed have access to Mike’s email account he could have made the scam mail more convincing by referencing something from our past correspondence.
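The warning sign in the story above, a familiar name arriving from an unfamiliar provider, can be checked mechanically. The following is an added example (not code from the original post): it compares the From and Reply-To headers of a message against a small, hypothetical address book; the contact entry and the sample message are constructed for illustration.

```python
# Added example: flag a message whose sender looks like a known correspondent
# but arrives from an address that person does not normally use.
# KNOWN_CONTACTS and SUSPICIOUS_MESSAGE are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

# Hypothetical address book: display name -> the address this person normally uses.
KNOWN_CONTACTS = {
    "John Smith": "john.smith2931@example.com",
}

# Constructed sample resembling the "favour" message: right name, wrong provider.
SUSPICIOUS_MESSAGE = (
    'From: "John Smith" <john.smith@othermail.example>\n'
    "Reply-To: john.smith.urgent@othermail.example\n"
    "Subject: can I ask you a favour\n"
    "\n"
    "can I ask you a favour\n"
)


def _name_key(text: str) -> str:
    """Normalise a display name or local part: 'john.smith' -> 'john smith'."""
    return " ".join(text.lower().replace(".", " ").replace("_", " ").split())


def check_sender(raw_message: str, contacts: dict = KNOWN_CONTACTS) -> list:
    """Return warning strings for a raw RFC 822 message; empty list means no mismatch found."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    if "@" not in address:
        return ["From header has no usable address"]
    local_part = address.rsplit("@", 1)[0]
    warnings = []
    for contact_name, usual_address in contacts.items():
        # Match on the display name or on a full-name local part such as john.smith@
        if _name_key(contact_name) in (_name_key(display_name), _name_key(local_part)):
            if address.lower() != usual_address.lower():
                warnings.append(
                    f"looks like {contact_name} but sent from {address}; "
                    f"usual address is {usual_address}"
                )
    # A Reply-To that differs from From redirects your answer to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"Reply-To ({reply_to}) differs from From ({address})")
    return warnings


if __name__ == "__main__":
    for warning in check_sender(SUSPICIOUS_MESSAGE):
        print("WARNING:", warning)
```

A message from the contact's usual address produces no warnings, so the check only draws attention to the mismatch, leaving the decision to the reader.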
Another common misperception is that if your email is hacked the fix is to change the password. That’s not enough: the hacker may have changed other things, like your account recovery details, and can use those to regain access. Someone asked me for help because his Gmail account kept getting hacked. He told me his password; it was a strong one like 2^LTZnAe&qaK4@, and he was convinced this meant Gmail was insecure, so he’d changed to a different email service and, within days, got hacked again. The actual reason was that he was regularly using a free WiFi connection in his local coffee shop. Those connections are easily hacked, so when he logged in his password was being captured. That’s why you should only use other people’s WiFi through VPN software (e.g. https://protonvpn.com/).
One of those fragments of information can be used to gain access to your bank account. One of the validation techniques banks use is to ask you to detail a recent transaction. Some banks send statements by email, so a hacker who has read your mail has an opportunity to trick the bank. More security-aware banks will just tell you a new electronic statement is available, but you need to log on to view it.
The shocking fact here is that you can easily make your email far more secure by using 2FA (2-factor authentication), but fewer than 10% of Gmail users did, and so Google are now becoming more insistent that you switch (Google call it 2SV, 2-step validation). 2FA requires a second factor to evidence that you are a valid user; it’s easy to set up and not intrusive to normal use, but it provides an additional and very effective obstacle to hackers.
Passkeys (aka Passwordless logins)
This is a more recent development: Google is in the process of rolling it out, and many small organisations also offer passkeys as a login option. Like so many new developments it takes a little effort to get started, but the outcome is improved security, compared even with 2FA, while at the same time being easier to use. If it’s available, use it.