Hacked. Take these steps to secure your email account after the hacker attacks.


“Hello,” I said.

“Hi,” my friend, Sandy, replied and then continued, “I’m so sorry to hear about your Mom’s illness!” she exclaimed.

“WHAT?!?!” I responded.  My mom isn’t ill. My mom hasn’t been ill.  I hope my Mom is never ill.  “What did you hear?”

“Just what you sent in the email.  I’ll try to help. I don’t have much money, but I think I can come up with $100 to help pay for your plane ticket.”

Ah, Sandy! Always the generous one. But, there was a problem.  I never sent an email talking about my mother’s illness and requesting my friends to send money to help me get to her.  I explained to Sandy that it was a fake email.  We shared other news about our kids and the conversation came to an end a few minutes later.

It was then that I realized: I’ve been HACKED!

After 29 years of email use, it had finally happened to me … someone had figured out how to get into my email, had spammed my contacts, and who knows what other information they were able to garner.  I quickly entered into the stages of grief:

Denial:  Surely this didn't really happen.  It was probably a fluke and Sandy was probably the only one to receive the weird email.
Anger:  I'm SO MAD that these bad guys have stolen my password and have sent fake emails to my friends. That bad guy might have actually received some money from some of my friends - I know a lot of nice, generous people!
Bargaining:  ...I think I skipped this step...
Depression:  I feel bad that my friends received this email.  I'm overwhelmed at the thought that some bad guy has access to my personal information.  What's going to happen now?
Acceptance:  Ok. Breathe deeply. This happens all of the time, so there must be some simple steps that I can take to minimize the damage, right?

Even though it’s so very frustrating to be hacked, even though it does increase the risk that your identity as a whole will be stolen (did you know that the Federal Trade Commission (FTC) estimates that as many as 9,000,000 Americans have their identities stolen EACH YEAR?), and even though it will ruin your day on the day that it happens, the truth is that it is going to happen at some point.

What, exactly, needs to happen when you find out that your email has been hacked?   Below are steps to take when your email is hacked, listed in chronological order.

  1.  CHANGE YOUR PASSWORD!  We all know that we are supposed to change our passwords regularly … but there are so many of them … and they’re so difficult to remember, especially now that we have to use passwords that are more complex than, well, just retyping our names.  But, seriously, as soon as you realize that you’ve been hacked CHANGE THE PASSWORD ON YOUR EMAIL ACCOUNT.  This will ensure that the hacker can’t continue to access your account.  Make sure that you follow the rules of “good” passwords.  Make it long (minimum 8-10 characters … and the longer, the better). Use capital letters as well as small letters.  Use numbers and special characters.  A great way to create a new password is to use a sentence that uses all of the recommendations (for example, “ICantB3li3v3Som3on3Hack3dM3!”).

    Sometimes hackers change the password on the account before you realize that you’ve been hacked.  If this happens to you, use the “Forgot My Password” link on the email sign in page to access the system to create a new password.

  2. SCAN FOR MALWARE AND VIRUSES.  Run your trusty security software scan.  If any malware or viruses are found, take the recommended actions to resolve (i.e., get rid of) them.
  3. CHANGE YOUR PASSWORD AGAIN!  This step is optional if, and only if, no malware or viruses were found.  But, if your security software found any malware or viruses, then change your email password AGAIN.
  4. CHANGE THE PASSWORD ON ALL OTHER ACCOUNTS THAT SHARE THE SAME PASSWORD AS THE ONE THAT WAS HACKED.  I know you don’t reuse passwords, so this step is probably one you can skip.  But, just in case you *do* reuse passwords, let this serve as a reminder that you really shouldn’t and that you definitely need to change those that were the same as the hacked email account.
  5. CHANGE YOUR SECURITY QUESTIONS.  If the hacker accessed your account, he probably accessed your security questions or now has enough information to answer the questions if your typical answers to security questions are like most people’s (i.e., honest).  From now on, don’t answer the questions honestly or with information that someone might find on the internet or your credit report.  And, now that you’ve been hacked, now is the time to CHANGE THE ANSWERS. Today. Right now.
  6. SEND YOUR EMAIL CONTACTS AN EMAIL.  This seems a little counter-intuitive to me, but it is indeed a recommended step in protecting your email from this point going forward.  Simply send a quick email to all of your contacts stating something like, “I’ve been hacked! Please ignore any strange emails that you may have received from me!”
  7. MAKE SURE THAT YOUR EMAIL SETTINGS HAVE NOT BEEN CHANGED. Hackers are sneaky and will often change your EMAIL SETTINGS so that:

    — A copy of each incoming email is forwarded to them.  Yikes.
    — Your signature now includes fake information.
    — The “Reply To” field is set to an email other than yours.

    Simply go to your email Settings and verify that there is nothing strange.  Don’t forget to check your signature, which is often accessed through a different setting.

  8. ACCEPT THAT YOU NEED TO MAKE USE OF THE MULTI-FACTOR AUTHENTICATION.  What is multi-factor authentication?  Many systems now offer this security feature.  These are the sites where you can enable more than one criterion for logging in.  For example, instead of simply needing to enter a password, if you are using multi-factor authentication, then you will also need to enter other information (perhaps answers to security questions and a code that is sent to your phone via text) before gaining access to the account.  While it seems like a hassle and is a little difficult to get used to, using multi-factor authentication provides a great deal of security for your email account.  Use it and save yourself the grief of having to cycle through the grief cycle, then find this blog post again, and then have to go through all of these steps, AGAIN.
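For readers who can export or copy their mailbox settings, the three checks from step 7 can be scripted. This is an added example, not part of the original post; the snapshot layout (`forward_to`, `filters`, `reply_to`, `signature`) and all addresses are made up for illustration, and a real provider will use its own field names.

```python
import re

def audit_mail_settings(settings, owner, trusted_domains):
    """Return findings for the three tampering signs listed in step 7.

    `settings` uses a hypothetical snapshot layout, not any provider's format.
    """
    findings = []
    owner = owner.lower()

    def trusted(addr):
        return addr.lower().rsplit("@", 1)[-1] in trusted_domains

    # 1. Copies of incoming mail: account-wide forwarding and per-filter forwards.
    targets = [("forwarding", a) for a in settings.get("forward_to", [])]
    targets += [("filter '%s'" % f.get("name", "?"), f["forward_to"])
                for f in settings.get("filters", []) if f.get("forward_to")]
    for where, addr in targets:
        if addr.lower() != owner and not trusted(addr):
            findings.append(f"{where} sends copies to {addr}")

    # 2. A Reply-To that routes answers away from the account owner.
    reply_to = settings.get("reply_to") or ""
    if reply_to and reply_to.lower() != owner:
        findings.append(f"reply-to is {reply_to}, not {owner}")

    # 3. Signature links or addresses that point outside the trusted domains.
    sig = settings.get("signature", "")
    hosts = re.findall(r"https?://([^/\s\"'<>]+)", sig)
    hosts += [m.rsplit("@", 1)[-1] for m in re.findall(r"[\w.+-]+@[\w.-]+", sig)]
    for host in hosts:
        if host.lower() not in trusted_domains:
            findings.append(f"signature references {host}")
    return findings

# Constructed sample: every value below is invented for this example.
SAMPLE = {
    "forward_to": ["copy@mailbox.invalid"],
    "filters": [{"name": "all", "forward_to": "copy@mailbox.invalid"},
                {"name": "receipts", "forward_to": None}],
    "reply_to": "me@examp1e.invalid",
    "signature": "Jane\nhttps://example.com/jane\nDonate: https://pay.invalid/jane",
}

if __name__ == "__main__":
    for line in audit_mail_settings(SAMPLE, "me@example.com", {"example.com"}):
        print("CHECK:", line)
```

Filters are checked as well as the main forwarding setting because a forward can also be set up as a rule on incoming mail.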

At the end of the day, you might want to consider creating a fresh, new email account.  Generally, this isn’t necessary, but if you’ve been hacked multiple times, then you should seriously consider a new email account.  If you go this route, you should still complete all of the steps above on the existing email account and add a step to DELETE ALL OF YOUR CONTACTS FROM THE EXISTING ACCOUNT.  Also, DO NOT DELETE the old account.  Email providers are notorious for recycling email account names (i.e., allowing someone new to use the account name after you’ve deleted the account) and this provides an easy avenue for that pesky hacker to impersonate you.

BONUS:  You can always just use the old account for all of those advertisements that ask for an email and then their spam emails won’t clog up your new, secure email.