Con Watch: What to Do if Your Email Is Hacked

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other  Con Watch articles.

Recently I received an email from a “friend” asking for a favor. He wrote that he needed me to send a gift card to someone because he was unable to do so, and it needed to be sent right away. The request did indeed come from the email address of my friend, but the email was sent by a scammer who had hacked my friend’s email account and was sending the same email to everyone on his contact list.

But how does someone hack into an email account, and what should you do if your email is hacked?

The three most common ways that email accounts are hacked is through phishing emails, weak passwords, and poor security questions.

Phishing emails look legitimate, but they lure you into clicking on a link that takes you to a phony website that requires you to enter your username and password of your email account for verification purposes. The real reason, of course, is to steal your username and password to take over your email account.

The second way that email accounts are hacked is when the scammer guesses your password or uses software to try huge numbers of passwords until the hacker arrives at your password. Too many people use simple, common passwords such as “123456” or “password” that are easily compromised. Also, people tend to use the same password for all of their accounts, leaving their email account in jeopardy if their password from another account is compromised in a data breach.

The third way that email accounts are taken over is when someone answers your security question and is then able to change your password. This is how Sarah Palin’s email was hacked when someone answered her security question of where she met her husband, which the hacker found through Wikipedia.

The best ways to protect the security of your email account is to use a strong password, make up fake answers to your security questions, and activate dual factor authentication so that even if your password becomes compromised, they will not be able to access your account.

What to Do if Your Email Account Is Hacked

1. Report the hacking to your email provider. They may be able to help you restore your account.
2. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you.
3. Scan your computer thoroughly with an up-to-date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging program that can steal information from your computer.
4. Change your password. If you use the same password for other accounts, you should change those as well. Pick a strong password that has capital letters, lowercase letters, and symbols. I suggest that you start with a sentence like IDon’tLikePasswords, which has capital and lowercase letters. You can then add a couple of symbols such as exclamation points to make your password even stronger. You can then adapt that base password for each account by adding a few letters to describe the account. For instance, your email password could be IDon’tLikePasswords!!Mail. You can use this base password and adapt it for unique passwords for all your accounts.
5. Change the answers to any security questions. I often suggest that people use nonsensical answers to security questions because a hacker would not be able to be guess or obtain it by researching online. For instance, if the question is “What is your favorite color?” you could change the answer to “seven.”
6. Review the settings on your email. In particular, make sure that your email is not being forwarded somewhere.

These steps will go a long way toward protecting your account. Unfortunately, you can’t make all of your email contacts take the same precautions. Therefore, you should never give personal, credit card, or gift card information or wire money in response email requests from friends unless you have absolutely confirmed that the communication is legitimate.