Hacked Email: Why Cyber Criminals Want to Get Into Your Inbox
So you think you have nothing valuable on your email? Think again.
“I don’t care about getting hacked, there’s nothing valuable in my email”
If I had a nickel for every time I heard that!
It’s the most common reaction I encounter when I try to warn people about cyber threats and what can happen if their email ends up breached.
And the odds are against us: one in four email accounts today gets hacked.
Here’s a simple exercise I invite you to do. Open your email and take a look at everything that you keep on it, both sent and received conversations. Scan all of them, every attachment you ever sent or received, every personal and work conversation, every email draft.
The truth is, we aren’t aware that we are living a big part of our lives through our email inbox.
We keep it all there, in only one place: photos, contracts, invoices, tax forms, reset passwords for every other account, sometimes even passwords or credit card PINs.
And our emails are interconnected to all our other digital accounts, from bank accounts to social networks (LinkedIn, Twitter, Facebook, etc.), cloud services (Google Drive, iCloud, Dropbox), online shops (Amazon, for example, where you most likely saved your credit card details as well) and so on.
By simply breaching the email, a malicious hacker can easily get access to all those. They know how to do that.
They know how to take advantage of all the information that we keep on our emails and how to cause us harm.
And don’t imagine that they just want your money.
No, they want all the details they can possibly get, no matter if you’re the CEO of a top company, a celebrity or just someone with “nothing valuable” on their emails.
As long as you have an identity and an email address, you’re valuable.
Your data can be used to carry out financial operations in your name. Cyber criminals can use your credit card details, open bank accounts in your name, take out loans, ruin your credit rating and more.
What’s worse? 68% of identity theft victims don’t even know how the thief obtained their information in the first place, and 92% don’t know anything about the individual or group that stole from them.
It’s no wonder that our email accounts are being traded all the time!
So never say “I don’t care about getting hacked, I have nothing valuable in my email”. Sure you do.
The information that you keep on it is just as valuable as gold.
Everything that you keep in your email that makes cyber criminals want to hack it
Contracts almost always contain confidential information that you wouldn’t want anyone else to see – especially malicious hackers!
Imagine that you’re the CEO of a company and all your employee contracts get leaked. Your employees end up seeing the deals that each of them has, a situation that might seriously shake your business.
This actually happens all the time, no matter the size of the company. Remember the Sony Pictures Entertainment hack, from two years ago? A hacker group leaked personal information about the company, their employees, their families, their emails, executive salaries, copies of (then unreleased) movies and many others, including emails of its co-chairman, Amy Pascal.
In the end, it was a very expensive hack, costing the company more than $100 million.
2. Personal conversations
Ryan Holiday went through such a scandal, back in 2008. While he was the Marketing Manager of American Apparel, a former IT employee leaked the personal conversations between him and the CFO. The media outlets spun them to make it appear as if the company was facing bankruptcy.
What would be the consequences if your private conversations were ever leaked online?
How much would your business or your job suffer?
3. Photos – especially nude photos
It’s been only two years since the Fappening, when hundreds of nude photos, mostly of women, were leaked. Various celebrities were affected by this scandal, including Jennifer Lawrence, Kate Upton, Kirsten Dunst and many others.
The attacker used a simple phishing technique to gain access to victims’ accounts: he sent them emails that appeared to come from Google or Apple, warning them that their accounts might be compromised. He asked them for their passwords and that’s how he managed to get into their emails and iCloud backups.
Lessons to be drawn?
Learn how to detect phishing attacks. Be a little paranoid and pay attention to how you spend all those clicks.
In case every other safety net falls, it’s always better to refrain from taking nude selfies in the first place.
If it’s in a digital environment, you can never be 100% sure that it’s safe, so better not take any photos that you’d be ashamed of if anyone else saw them.
4. Invoices, scanned IDs, insurances
All these can be used by malicious hackers for identity theft as well.
I tend to scan the important documents or take a photo of them and then email those to myself (or to whoever needs them at a certain moment).
The easiest solution is to delete them immediately afterwards.
5. Passwords, credit card PINs or bank account information
This one’s easy: if you store your passwords in your email and your email gets breached, so do all your other accounts.
Either write them down by hand and store them in a safe place, where only you have access, or use password management software to keep them encrypted for you.
6. “Reset your password” emails
Most likely you used your email several times to reset the passwords for other accounts, such as Facebook, Twitter, Amazon etc.
If a criminal gets access to your email, they’ll see what other accounts you have, reset your passwords and take over those as well.
It’s not hard for them to find them, but you could make their job harder by deleting all the emails you get from those accounts.
Also make sure that you unsubscribe from all the useless notifications those services send.
If you have accounts on online shopping websites such as Amazon, try not to save your credit card details on them. Instead, fill them in every time you want to buy something.
7. Travel itinerary and calendar
These are gold for thieves or scammers. Just think about it: they know precisely when you’re gonna leave home, when you will be on a plane (and most likely without a phone signal), when you’ll be in a meeting, and when you’ll return back home.
You can end up with your house broken into. Or, even worse, they can use that information to scam your parents, as they know you won’t have access to a phone.
If you’re preparing to travel, here are some tips on how to have a cyber safe holiday.
8. Tax forms
Tax forms contain a crazy amount of information about us that can be used by identity theft criminals.
If you emailed them in the past, search for them and delete them.
9. Order confirmations from online shops
Such emails contain all the order details, from what you bought, to the delivery address, date, phone number and method of payment.
From here, a cyber crook can also access your online shop profile and see your saved credit card details.
Remember to delete all transactional emails after you have received the orders.
Don’t save any credit card details or delivery addresses on your profiles – not on Google storage, not on Amazon, not on Dropbox, nowhere.
10. Your contacts
It’s not only your own contact information that’s compromised, but also that of all your contacts.
They are also valuable to cyber attackers, as they can use them for identity theft as well or to sell on the dark web to spammers.
I’m talking about email addresses, phone numbers, even physical addresses.
Here’s what you can do to keep cyber criminals out of your email account:
1. Set strong and unique passwords
This should be the first and foremost step taken.
I know I keep insisting on this step. I’d skip it altogether if there wasn’t a huge discrepancy between what people know they should do and what they actually do. Unfortunately, it’s human nature to react only after getting burned.
The two main characteristics of a good password are its strength and uniqueness.
A strong password should be long enough (go for at least 14 characters), include upper and lower cases, numbers and symbols.
Don’t use your name or nickname, your birth date or birth place, nor the birth date, birth place or name of any of your family members or friends (pets included as well).
Also stay away from any variation of the word “password” or common passwords such as “qwerty”, “0000”, “1111”, “12345”.
By “unique password” I mean to say that you shouldn’t reuse your passwords on any other accounts. Don’t set the same password for Facebook, Twitter, email, cloud storage and so on. Otherwise, in case one of those services gets hacked, all the rest of your accounts will be vulnerable.
Learn from the recent mega data breaches that affected hundreds of millions of users. Databases with passwords from LinkedIn, MySpace and Tumblr accounts led to many more breaches.
Celebrities were just as affected: Mark Zuckerberg’s Twitter and Facebook profiles were hacked because he was using the same (extremely weak) password he had on LinkedIn. Katy Perry and Drake weren’t spared either. I would have thought they have a team of experts consulting them on essential security matters, but…guess not.
Most likely you have tons of accounts that you use more or less often, which makes it an almost impossible mission to keep track of all the random, strong and unique passwords. You can make your life easier by using password management software.
It will keep all your passwords encrypted and warn you if you try to set a password that’s neither strong nor unique. And this way you’ll only have to remember the master password, the one that you use for the software.
2. Activate two-factor authentication
This is the second most important step you should take. Activate two-factor authentication (also called multiple factor verification) everywhere you can.
Almost all major companies offer this option and some even impose it by default. From bank accounts to email providers, big social networks, cloud services and so on, you should keep it enabled everywhere it’s available.
It works as an extra protection layer, besides passwords. The second factor usually consists of a unique passcode that’s time sensitive and you can only receive it through your mobile phone or some other physical object that you have.
You can see how this can be an impediment for malicious hackers, lowering their chances to succeed. Even if they somehow manage to find out your passwords, they’ll only be able to access your account if they also get past this second security layer.
And you won’t need to authenticate yourself every time you open your browser or mobile app and want to check your account. You can save the devices and browsers you use most often, and you’ll only be prompted to insert the second-authentication factor if you want to log in from a new device.
3. Set a lock code to your devices
I’m surprised to see how many people leave their devices unprotected by not setting an automated lock.
We can’t always guard our laptop, mobile phone or tablet and make sure that nobody else accesses them. A lock code is one of the easiest ways to keep intruders away.
I had to learn this the hard way. A few years ago I left my laptop unsupervised for a few minutes. One of my soon-to-be-ex-employees took advantage of the occasion and installed a keylogger on it.
Just a few weeks later, he used all that info to hack me and cause damage to my work. Nothing irremediable, but it was still a huge ruckus and stress that I’d have rather not been through.
4. Install security software
Install security software on all your devices. By “security software” I’m referring to:
– A strong, reliable antivirus. Pay for one that’s well known, never install antivirus from pop-ups or ads that you run into while navigating on the web.
– Software that will keep you safe against the newest generation of malware. Yes, our own Heimdal Security is such a product – it works in a proactive way, by analyzing your traffic data. Heimdal will block the attacks before they get a chance to cause you any harm. It works complementary to antivirus.
5. Learn how to detect and prevent phishing attacks
Phishing isn’t a new technique, but it’s still an efficient one: 23% of email recipients open phishing messages, and 11% click on attachments!
Cyber criminals can use phishing attacks to withdraw money, steal your identity, open credit card accounts in your name and further trade all that information about you.
So be careful with what emails and attachments you open or what links you click on.
Here’s a complete guide on how to detect and prevent all types of phishing attacks – read it, learn it, start applying it.
6. Declutter & Back up
Stop keeping things that you don’t need anymore in your inbox. Delete all useless emails (especially all those that I talked about before in this article).
Back up everything else, every important email or attachment. Encrypt them and store them in a safe place (it can be a cloud storage or a separate hard disk).
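To make the decluttering step concrete, here is an added example (not part of the original article) that audits your own exported messages and flags the categories this article recommends deleting. The keyword patterns, the `build` helper and the sample inbox are constructed assumptions; a real audit would feed in messages read from your own mailbox export.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Categories come from the article; the keyword patterns are assumptions.
RULES = {
    "password reset": re.compile(r"reset your password|password reset", re.I),
    "order confirmation": re.compile(r"order confirm|your order", re.I),
    "tax form": re.compile(r"\btax[ _-]?(form|return)", re.I),
    "travel itinerary": re.compile(r"itinerary|boarding pass", re.I),
    "scanned document": re.compile(r"scan|passport|invoice|insurance", re.I),
}


def build(sender, subject, attachment=None):
    """Build one constructed sample message as raw bytes."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content("constructed sample body")
    if attachment:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


SAMPLE_INBOX = [  # constructed messages, not real mail
    build("no-reply@shop.example", "Reset your password"),
    build("orders@shop.example", "Your order has shipped"),
    build("me@mail.example", "docs", attachment="passport_scan.pdf"),
    build("me@mail.example", "2015 paperwork", attachment="tax_form_2015.pdf"),
    build("friend@mail.example", "Lunch on Friday?"),
]


def audit(raw_messages):
    """Return (sender, subject, category) for each message worth deleting."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        # Attachment names matter: "docs" says nothing, "passport_scan.pdf" does.
        names = [a.get_filename() or "" for a in msg.iter_attachments()]
        haystack = " ".join([msg["Subject"] or "", *names])
        for category, pattern in RULES.items():
            if pattern.search(haystack):
                findings.append((str(msg["From"]), str(msg["Subject"]), category))
                break
    return findings
```

Calling `audit(SAMPLE_INBOX)` flags four of the five constructed messages, including the two whose subject lines look harmless and only the attachment name gives them away.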
Don’t be deluded into thinking that this will never happen to you, that it only happens to celebrities or important CEOs. It might have already happened and you’re not even aware of it.
Yes, the violation of your privacy is a serious criminal act. Yes, law enforcement agencies will surely find and punish the ones responsible. But, by then, the damage will have already been done.
Do you really want to go through all that stress, all that wasted time and energy?
However, in case it’s too late and your account was already hacked, here’s a guide on how to control the damage.