If you consider yourself a tech guru, internet security expert, or extremely knowledgeable when it comes to the latest in IT, this story may prove to be too basic for you. However, if you use email frequently but aren’t a “tech expert,” this story may provide a few valuable tips that could save you time, money, and a whole lot of frustration.
Like it or not, advancements in technology help us evolve, adapt, and improve in many ways, and they won’t be stopping any time soon. With all progress come setbacks, but that doesn’t make innovation a bad thing. We simply must adapt in ways that help us overcome new challenges.
My hope with this story is that by sharing my experience, others can avoid the same issue, and maybe others will share their experience and we can further improve our security.
Communication Methods Evolve
In the last 20-plus years, communication has completely transformed from letters in the mail, phone calls, and face-to-face conversation to social media, online chats, texting, and email. Some would say “you gotta love technology”; others, “what’s the world coming to?” No matter what your personal belief about today’s methods of communication, this is not meant to be a debate on the topic. The fact is that to participate in our world we must communicate the way others communicate.
My Email is Secure
It’s a day like all others, and I’ve reached the part of my schedule when it’s time to sort through emails. Although I try to maintain strict discipline by keeping my inbox clear and only opening an email when I will take direct action, it remains a work in progress. Often, I have new emails as well as leftovers that still require a response.
Suddenly, I notice an email from someone that appears odd. Every month, for the last several years, I send a message to this contact containing an invoice. Shortly after I send that email, I receive a brief Thank You response with well wishes and within a week or two, payment is made like clockwork. Except this time, a few days after I sent my initial email, I notice a response that the check is going in the mail today.
This subtle difference sparked my curiosity. Why? What made this time different? Why would the client suddenly decide to send a message like this days after my original email? My gut feeling of concern led me to scroll down through the chain of messages contained in the email.
In the chain after my original message there were additional messages to the client appearing to originate from me.
- First was an email in which I appeared to request that the client make an ACH payment to my home office today.
- Second, when the client responded that they do not make ACH payments, the next email, appearing to be from me, let the client know that they could send a check to the home office at another address, to which the client agreed.
This exchange is what led to the email that I did receive where the client informed me that the check was going in the mail.
Where did these messages come from? I did not write nor see the emails in the middle of this exchange. Immediately I picked up the phone to speak with this client. She asked what was going on and wondered why I was so desperate to receive payment since they were not late. After apologizing, I explained that these messages did not originate with me. The client immediately pulled the check from the outbound mail and voided payment.
This exposure to thieves that hack email was close to a costly, irreversible problem. Luckily, the client and I escaped without financial hardship.
How was Email Sent Without My Knowledge?
After the email hack was discovered, our IT team determined that the hackers had changed my email inbox rules so that all the communications were hidden in my deleted email file. In addition, the thieves replicated language that I frequently use, making it less likely to draw the attention of the client to the fraudulent nature of the request.
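A changed inbox rule like the one described above can be caught by periodically reviewing the rules on a mailbox. The following Python is an added example, not part of the original story or the IT team's tooling; the rule schema, folder names, contact address and sample rules are hypothetical and constructed for illustration.

```python
# Added example: flag inbox rules that hide incoming mail from the mailbox owner.
# The rule schema here is hypothetical, not a real mail server's export format.
HIDING_FOLDERS = {"deleted items", "trash", "junk email", "rss feeds"}
MONEY_WORDS = {"invoice", "payment", "ach", "check", "wire"}

# Constructed sample data, not taken from the incident.
KNOWN_CONTACTS = ["AP@client.example"]
SAMPLE_RULES = [
    {"name": "Newsletters",
     "conditions": {"from": ["news@example.org"]},
     "actions": {"move_to_folder": "Reading"}},
    {"name": ".",
     "conditions": {"from": ["ap@client.example"]},
     "actions": {"move_to_folder": "Deleted Items", "mark_as_read": True}},
    {"name": "cleanup",
     "conditions": {"subject_or_body_contains": ["Invoice", "payment"]},
     "actions": {"delete": True}},
]

def audit_rule(rule, contacts):
    """Return the reasons a rule looks like it hides mail (empty if benign)."""
    actions = rule.get("actions", {})
    cond = rule.get("conditions", {})
    folder = (actions.get("move_to_folder") or "").lower()
    if not (actions.get("delete") or folder in HIDING_FOLDERS):
        return []
    reasons = ["moves or deletes incoming mail out of the inbox"]
    if actions.get("mark_as_read"):
        reasons.append("marks the message as read, so no unread count appears")
    hit = {s.lower() for s in cond.get("from", [])} & contacts
    if hit:
        reasons.append("targets known contact(s): " + ", ".join(sorted(hit)))
    words = {w.lower() for w in cond.get("subject_or_body_contains", [])}
    if words & MONEY_WORDS:
        reasons.append("matches payment-related keywords")
    if not cond:
        reasons.append("has no conditions, so it applies to all incoming mail")
    return reasons

def audit_mailbox(rules, known_contacts):
    """Map rule name -> reasons, for every rule that hides mail."""
    contacts = {c.lower() for c in known_contacts}
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, contacts)
        if reasons:
            findings[rule.get("name", "<unnamed>")] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES, KNOWN_CONTACTS).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Any rule it reports that the mailbox owner does not remember creating is worth raising with IT before it is removed, since the rule itself is evidence of when the account was accessed.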
Immediately following this event, our IT team set up 2-step verification for our email server. 2-step verification, or 2-factor authentication as it’s also known, can be a bit cumbersome to implement initially and adds extra work that may seem unnecessary, but the security layer provides protection worth the time and investment. Once users complete the initial setup, the process is straightforward.
In addition, it may be best, whether you are the payer or the payee, to speak to the other party and require that change requests be signed in writing simply to confirm that they are legitimate.
While I’m sure there are more technical solutions available to prevent these occurrences, keep in mind that these precautionary steps are simple, practical measures that can be implemented quickly by a layperson without a highly technical background or training.
Electronic threats and fraud such as this are likely to continue as innovations in technology speed the pace of progress, and we simply must approach them as obstacles to be overcome without allowing fear to negate the rewards.
What other measures have you learned to strengthen email security and make it more difficult for those that hack email to prey on unsecured user accounts?