How to Prevent an Email Hacking: Part II
Email hacking is the number one chosen attack vector for cybercriminals. We have to face the facts that when the bad guys steal the password of your email or social media account, they will wreak havoc on your life as well as everyone in your address book.
Did you ever get a frantic email from a friend of yours, who you just saw earlier in the day, claiming they lost their passport while traveling to a foreign country? The email asks for money for a plane ticket or a medical emergency. When I ask people this question, more often than not I get a response of familiarity with this type of situation, or they know of someone that this has happened to.
However, the intention of a hacked email may not be obvious.
Maybe you get an email from a family member or close friend with an attached link, to check out an important article about reducing stress. You click on the link and the next thing you know your anti-virus goes crazy or you start to get a bunch of pop-up ads. So much for reducing stress.
In Part I, we talked about the importance of password security. Here’s a recap:
- You must not use the same password for mission critical accounts.
- You also must make sure they are strong, which means using between 12 and 15 characters.
- Do not use a dictionary word that someone will likely guess; instead use numbers in place of letters, and make it something random.
- Write them down on a piece of paper and keep them in your nightstand or desk drawer.
So often I hear people say they have a technique to create easy-to-remember 20-character passwords, and that there is no way the bad guys are going to guess that password. Let’s just say this person was surfing the internet and happened to go to a website that installed a piece of malicious code on their computer which steals usernames and passwords (also known as a keystroke logger). You may be saying to yourself, “I don’t go to questionable websites; only secure, legitimate websites.” Well… I have news for you.
The bad guys are infecting websites all over the place, and they are listing these websites on Google.
This is called drive-by malware or the “watering hole” technique. Just because your search result pops up on Google does not mean it is a secure site. If this is how you deem something trustworthy, then don’t be surprised if your password is stolen, even if it is an ironclad 20-character password.
One of the things a majority of my victims had in common is that they didn’t use something called two-factor or multi-factor authentication (2FA) on their accounts.
2FA is a second form of authentication, such as an SMS text message or a code from an app on your phone. Even if the bad guys somehow steal your password, they must still get the second form of authentication.
I believe 2FA is a MUST on your corporate email, because think about what happens if the bad guys compromise that email account. In most companies, email is connected to the OneDrive, G-Drive or Shared Drive and this is where companies store their crown jewels. I have a good friend who works for an Intrusion Response company and he told me almost 85% of his work is due to an account take-over, which could have been prevented with 2FA.
I always get a lot of push-back from companies claiming it is hard to implement, too expensive, and creates an unpleasant user experience. I just remind them that this is what causes the majority of cybercrime issues.
If it were me, I wouldn’t care about an “unpleasant” experience; the inconvenience of an extra step now will save you a priceless amount of time and money later.
The last time I spoke to a large group, I asked who used this security feature. The results were astounding. Only 10% of companies use 2FA. Who were they? The victims I worked with. They all implemented it after the fact.
My question to all of you is this: Do you want to wait until you’re a victim to use 2FA? Or do you want to enable protection before it’s too late?
It has been a real challenge for me to change corporate behavior; however, I can prevent you from becoming the next victim. Tonight go home and implement 2FA on your personal email accounts, then on all social media. It’s free and simple to do, and it will prevent you from becoming the next victim. When I try to change behavior for an organization, I make all the executives do it at home first. Once they do it at home, they understand why they need to do it at work. Go to www.twofactorauth.org to start!
I hope you’ve taken something from this mini-series about email compromise. Just remember, great passwords and using 2FA are just the beginning. Being aware of cybercrime is the bigger issue, and you’re already better off than most.
What is your experience with email compromise? Write to me and let me know some of your stories, tips, or knowledge about it!