Email is ubiquitous. Everyone has at least one email address and many of us have four or more for different purposes. Each year a number of our clients have their email box stolen or compromised by criminals. This most often happens to public email accounts, but has also happened to the client’s business email account. Why do criminals want access to your email?
In the past, the most common reason was to send spam to everyone in your contacts list. By making an offer or a link appear to come from you, the criminals had a better chance of tricking the recipient into clicking. Other uses of a stolen email box included relaying spam and holding the mailbox for ransom.
Today’s attacks on email are more targeted and sinister. Criminals use social media to discover email addresses that may be associated with a victim’s bank account or another account that can be used for purchasing or verifying an identity. Rather than completely hijacking the account once they gain access, the criminals assess what financial accounts the email is connected to and they wait. Recent documented thefts through email hijacking include cell phone numbers, diversion of bank wire transfers, Bitcoin theft, and identity theft. In short, the email associated with financial transactions, regardless of the form, must be protected.
The best way to protect an email account is to use a random, complex password or pass phrase. The National Institute of Standards and Technology (NIST) issued new password guidelines last year recommending pass phrases instead of passwords. The longer, the better. Most systems accept passwords from 8 to 32 characters. Pick a hard one and you have decreased the likelihood of having it stolen by a factor of 10. If multi-factor authentication is available for the email box, turn it on and use it as a secondary authentication system.
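To make the "longer is better" advice concrete, here is an added example (not part of the original article) that generates a pass phrase with a cryptographically secure random source and compares its guessing entropy with that of a short random character password; the 7776-word list size and the 95-character printable ASCII alphabet are assumptions modelled on common diceware and keyboard alphabets, and the small word list embedded below is constructed for illustration only.

```python
import math
import secrets

# Constructed sample word list; a real generator would draw from a list of
# thousands of words (the common diceware lists have 7776 entries).
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchard", "pebble",
]

PRINTABLE_ASCII = 95   # assumption: the usual keyboard character alphabet
DICEWARE_WORDS = 7776  # assumption: size of a standard diceware list


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Bits of entropy for word_count words chosen uniformly at random."""
    return word_count * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` characters chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Join `count` words picked with the `secrets` module (CSPRNG-backed)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def fits_length_policy(secret: str, minimum: int = 8, maximum: int = 32) -> bool:
    """Check the 8-to-32 character range the article says most systems accept."""
    return minimum <= len(secret) <= maximum


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print("sample pass phrase:", phrase, "(within policy:", fits_length_policy(phrase), ")")
    # Six diceware words versus an eight-character random password.
    print("6 diceware words:  %.1f bits" % passphrase_entropy_bits(6, DICEWARE_WORDS))
    print("8 random chars:    %.1f bits" % password_entropy_bits(8, PRINTABLE_ASCII))
```

Every extra word adds roughly 13 bits, so a six-word phrase from a full diceware list exceeds the entropy of an eight-character random password by about 25 bits, while remaining far easier to remember.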
Check out this YouTube video link to see how easy it is to use social engineering to guess passwords.