How to Prevent an Email Hacking - Part I
Every week I talk about cybersecurity, cybercrime, and the latest news on the topic in the headlines. Think of any number of high-profile data breaches, such as Yahoo, Facebook, LinkedIn or Marriott; the list of who has been victimized goes on and on. The common thread that these all share is that information was accessed via email hacking. So how do we prevent it? In this two-part blog series I will address the issues head on. But let’s talk about the basis behind these attacks first.
Email hacking is one of the most common forms of cybercrime, yet one of the most destructive to a company.
It happens every day to thousands of individuals and organizations, and there is no real way to know the exact numbers. Most individuals brush it aside when they get some weird email or find something suspicious. How often this happens is mind-blowing (and scary), to say the least. This may sound hopeless; however, it is one of the easiest and most cost-efficient problems to handle. As with anything, in order to provide a solution to a problem we have to understand the root cause. So what are the two main causes of this growing phenomenon?
Password reuse and lack of two-factor authentication.
When an individual, company, or organization becomes a victim of an email compromise, certain actions are taken by each party in order for the crime to be successful. As with any of the data breaches I listed above, each of these platforms instructed the users to immediately change their usernames and passwords. Some did, and some did not. The reason behind the prompt was never in question since the email was believable and looked authentic. Most victims did as they were instructed.
There are a number of reports stating that 60% of the population (and in some cases even more) use the same username and password for multiple sites. Some of you are saying, “Yup, that’s me. So what?” Well, all the cybercriminal has to do is a “spray attack” (more often called credential stuffing), where they take the usernames and passwords from a list of stolen credentials and try them against multiple sites.
BAM. Now they have access.
This is what happened just last week, when State Farm announced they were the latest victim of a breach. As the largest property and casualty insurance provider in the United States, State Farm is a company you would think would never fall victim to a cybercriminal. They even have some good cybercrime tips on their website. Even so, this didn’t stop information from being stolen. According to the company’s breach notification, “A bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access to State Farm online accounts.”
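From the defender's side, a replayed list of stolen logins like the one described above leaves a recognizable trace in a site's login records: one source trying many different accounts, each only once or twice. The Python below is an added example, not code from State Farm or any other company named here; the event format, the thresholds and the sample addresses are all assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (source_ip, username, succeeded)
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(1, 9)]
    + [("203.0.113.7", "dana@example.com", True)]       # a reused password worked
    + [("198.51.100.4", "erin@example.com", False),     # ordinary user, one typo
       ("198.51.100.4", "erin@example.com", True)]
    + [("192.0.2.10", "frank@example.com", False)] * 6  # one account hammered
)

def find_stuffing_sources(events, min_users=5, max_tries_per_user=2.0):
    """Return {ip: accounts that logged in successfully} for sources that look
    like a stolen-credential replay: many distinct usernames, few tries on each."""
    users = defaultdict(set)      # ip -> usernames attempted
    attempts = defaultdict(int)   # ip -> total login attempts
    hits = defaultdict(set)       # ip -> usernames with a successful login
    for ip, user, ok in events:
        users[ip].add(user.lower())
        attempts[ip] += 1
        if ok:
            hits[ip].add(user.lower())
    flagged = {}
    for ip, seen in users.items():
        tries_per_user = attempts[ip] / len(seen)
        # Many accounts, each tried once or twice, is a list being replayed.
        # One account tried many times is password guessing, a different pattern.
        if len(seen) >= min_users and tries_per_user <= max_tries_per_user:
            flagged[ip] = sorted(hits[ip])
    return flagged

if __name__ == "__main__":
    for ip, compromised in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: force a password reset for {compromised}")
```

The accounts listed for a flagged source are the ones whose reused password actually worked, so they are the first candidates for a forced reset.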
How many websites do YOU use the same login information for?
Many companies make it easy for you to become a victim. A host site wants it to be easy for you to remember your username and password, so that it’s easy to log in, and so that you’re not deterred from using their platform because you forgot your credentials.
A majority of the usernames for online accounts are email addresses.
This is step one in having the same information for multiple sites. Step two? If you are using the same password for your email as you are for another account, there’s a good chance they will access your email account.
What happens if this is your work email?
When a cybercriminal accesses your corporate email account, he can use the account to send spear-phishing emails to everyone in your email address book. If a hacker got into the account of, let’s say, an executive of a company, he would have a field day. He could easily send an email acting as the executive, asking for W-2 information for all employees, or maybe send an email to one of the vendors asking to change bank account information on an invoice. I’ve seen it play out hundreds of times. This is the Business Email Compromise, which according to the FBI is a $12 billion scam. And it’s only getting worse.
Today when an email account gets hacked, whoever hacked it also gets access to the OneDrive or G Drive attached to it. What does a company store on these? Everything.
In the old days, hacking an email was just what it sounds like, but today, hacking an email means a data breach.
Read that again.
So what is the solution? Make sure the password for your email is unique and strong (12-15 characters) and isn’t something that could be easily guessed. I recommend using symbols in place of certain letters, so that an actual dictionary word isn’t spelled out in your password.
You also need different passwords for different sites.
Storing passwords in a Note on your iPhone won’t do much good if a criminal hacks into your system.
Write them down on a Post-it or in a notebook and keep it in your desk drawer or nightstand. It may seem like a daunting task to have individualized passwords for various sites. But if you were to become a victim (which at this rate is probable), I’m sure taking those few extra minutes to change your passwords would have been worth it.
The solution lies with us being aware of the issue, before it becomes a problem.
If you take one thing from this week, I hope you understand how vulnerable we all are to these types of breaches. Next week we are going to talk about two-factor authentication, which is a must for your email. Until then, change your passwords and think before you click!