
10 tips to protect against an email hack

Charlotte Empey, 11 December 2018

Email accounts are hacked every day. Follow these simple tips to keep yours protected.

Hackers have every reason to want to infiltrate your inbox. For one, email is the most common form of web communication today. But more importantly, it’s the unique identifier for many online account logins, which is the reason it’s still highly targeted by cybercriminals.

Think about it: If your inbox has been hijacked, the malicious third party will most likely be able to a) find out what types of services and accounts you’re enrolled in and b) request password resets for one or more of those accounts. And since most password reset requests go directly through email, there really isn’t much you would be able to do to stop it. A circumspect cyberattacker will even cover his or her tracks (e.g., delete all those password reset emails) in an attempt to mask suspicious activity that would otherwise clue you in to the intrusion.

Once hacked, your email can be used for just about anything on the web. Cyberattackers can attempt to pilfer personal data acquired through an online account, including your credit card information. They may try to log in to your online banking account. If that doesn’t work, they can Venmo themselves a lump sum of your money to a fake account and then cash out. Maybe they’ll start spamming your friends via email and social media in an attempt to steal even more information. This wouldn’t bode well for your reputation, and it could lead to a lot of disgruntled contacts.

Then there’s the worst-case scenario: identity theft. It happens to millions of Americans every year, and recently, it very nearly happened to a close friend of mine.

Bad guys hacked her email account

My friend’s email account was hacked a few months ago. Somewhere between her kids buying things online, her email/password being compromised in a data breach, and maybe clicking a phishing link in an email, she found that her email account was hacked and ultimately taken over. She changed her password multiple times to take back control of her email account, but the hackers hijacked her email again. Despite reaching out to her email provider, she could not get the help she needed to stop the attackers. Regardless of how it happened, my friend was feeling overwhelmed and vulnerable.

How my friend got her groove (and email) back

Eventually, her only choice was to abandon the original email account and sign up for a new one. It was time-consuming, as it included changing her logins for every online account — first changing the email address associated with the account, and then making each password strong (and unique!) by using a password manager. In addition, if two-factor authentication was available, it was enabled. Another step was to educate all family members with access to those accounts on what ‘not’ to do, so there would be no chance for another attack.

Lastly, to be extra safe, she put a credit freeze in place. With so much personal information online, it just felt better to have that high level of protection making sure her credit would not be affected long term.

10 tips to protect yourself from being hacked

Here are 10 easy steps to protect yourself online. They can help protect your family and friends too and help to prevent your email from being hacked:

  1. Use a password manager and two-factor authentication wherever possible
    Use a reputable password manager to change all of your online passwords to strong, unique ones for each login. We can’t stress this enough. Hackers today use a tactic called credential stuffing, whereby they literally cram previously stolen usernames and passwords into as many online services as possible. Why? Because a lot of usernames and passwords are identical across accounts.

    Creating a unique password for each of your online services can take some time, but it’s worth it to avoid the risk. As you set up the passwords for your accounts, also set up two-factor authentication (2FA) as an added layer of security for the accounts that offer it. This is especially important for preventing unauthorized password resets. Do the same when setting up IoT devices in your home (and look for IoT devices with 2FA support when you buy them!).

  2. If signing up for a new email service, check for 2FA support
    Not all email providers offer 2FA. When signing up with an email provider, check which layers of security are available, such as 2FA through SMS (less secure) or through an app such as Google Authenticator or Authy.

    The main benefit of 2FA is that it provides a second layer of security, such as a one-time password sent by text message to a smartphone. Only the person with your device can ostensibly complete a new login. Not to mention, it can inform you when someone is trying to log into your email account.

  3. Don’t click suspicious links in email or texts  
    Phishers often send links via email or text that look legitimate, but once clicked on, allow them to steal your information. Email attachments that contain malware are also popular vessels for cyber mayhem. The easiest way to avoid these scams is by not clicking the links or attachments. Instead, open another tab, and go to the website of the company in the email or link to see if the information presented matches the official source. As a general rule, never open links or download attachments from unknown senders. Emails from known senders that contain links or attachments without any context are also bad news.

    This will also help you catch one of the more notorious types of phishing emails: the fake password reset (for example, “Your account has been compromised! Click here to reset your login and password.”). Remember the 2016 Democratic National Convention email leak? It started as a fake password reset.

  4. Use a VPN on your computer and your phone
    Be anonymous by using a VPN to encrypt your internet connections. There’s no reason not to when it comes to protecting your personal information. While you’re at it, the VPN will make your browsing experience even better, with fewer ads, less tracking, and, of course, more peace of mind knowing you’re secure.

  5. Don’t use public Wi-Fi or public computers, if you can help it
    When you’re traveling or not at home, try to use the internet only through your own computer or mobile device, with your VPN turned on, of course. Public computers at hotels, for example, are accessible by other people who can put keyloggers or other malware on them, which can come back to haunt you. Wait to do your online banking or access other highly personal accounts on your protected home network, whenever possible.

  6. Get a strong antivirus
    A good antivirus raises the bar on securing your information, with real-time protection from phishing attacks and threats like malware, ransomware, and more. Antivirus should be installed on your PC, Mac, Android phone, and other devices. 

  7. Secure your router and Wi-Fi
    Whether you are a home user or a small business owner, identifying who and what is on your network is as important as ever, as unauthorized users could be trying to hack into your system. Make sure you change the admin password for your router and set your Wi-Fi password to something really strong that a hacker could not crack.

  8. Keep your computer and smartphone OS up-to-date
    Whenever a security update is released for your operating system, update it immediately. Consider this a basic tenet of information security.  

  9. Keep all of your computer and smartphone apps regularly updated
    Updates often include security improvements, so if an update is available, get it right away.

  10. Consider putting a credit freeze on your account
    As a last resort, if your email has been hacked, put a credit freeze on your account. It’s easy to do and gives you more control over who has access to your accounts. When making purchases (like a car), if someone needs to access your credit report, you can easily turn the account back on, then reinstate the freeze afterward.

Assume that email is not secure, even if you have taken measures to protect it. What do we mean by this? Simply, that you should avoid sending highly sensitive information such as payment or credit card data, Social Security numbers and other personally identifiable information over email if at all possible.

Sure, hackers can find ways to dig for this information if they infiltrate your inbox, but don’t make it easy for them. Safeguards such as 2FA and good old-fashioned vigilance should hopefully be enough to flag suspicious activity so you can take immediate remediation steps.   
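
On the service side, the credential stuffing described in tip 1 leaves a recognizable pattern in login logs: one source trying many different accounts, mostly failing, with an occasional success where a password was reused. The following is an added example, not from the original article, of flagging that pattern; the log format, the thresholds and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log, one attempt per line: timestamp, source IP, user, result
SAMPLE_LOG = """\
2018-12-11T09:00:01Z 203.0.113.7 alice@example.com FAIL
2018-12-11T09:00:02Z 203.0.113.7 bob@example.com FAIL
2018-12-11T09:00:03Z 203.0.113.7 carol@example.com OK
2018-12-11T09:00:04Z 203.0.113.7 dave@example.com FAIL
2018-12-11T09:00:05Z 203.0.113.7 erin@example.com FAIL
2018-12-11T09:03:10Z 198.51.100.20 frank@example.com FAIL
2018-12-11T09:03:25Z 198.51.100.20 frank@example.com FAIL
2018-12-11T09:03:40Z 198.51.100.20 frank@example.com OK
2018-12-11T09:05:00Z 192.0.2.44 grace@example.com OK
"""

def find_stuffing_sources(log_text, min_accounts=4, min_fail_ratio=0.6):
    """Flag IPs that try many distinct accounts and mostly fail.

    Returns {ip: {"accounts": n, "fail_ratio": r, "compromised": [users]}}.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _timestamp, ip, user, result = parts
        attempts[ip].append((user.lower(), result == "OK"))

    flagged = {}
    for ip, events in attempts.items():
        accounts = {user for user, _ in events}
        failures = sum(1 for _, ok in events if not ok)
        ratio = failures / len(events)
        # A user mistyping a password hits one account; stuffing hits many.
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts": len(accounts),
                "fail_ratio": round(ratio, 2),
                # Successful logins from a flagged source need a forced reset.
                "compromised": sorted({u for u, ok in events if ok}),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```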

Keep yourself from being a target by following the easy tips above. Taking these few extra steps may not keep the spam out of your inbox, but it will help to put hacking attempts into the junk folder.