You’ve Been Hacked or Spoofed: Now What?
By Mark Yatros
Unfortunately, many of us who become victims of any information security breach won’t know until someone else tells us. For example, we might get a message or call from a friend asking why we sent that “spammy” email with a link to a free Amazon gift card. Have we been hacked? Spoofed? And how do we prevent it from happening again?
Here, we’ll discuss the difference between hacking and spoofing, plus provide some simple tips to help protect your personal information.
Spoofing vs. hacking
Let’s start by looking at what happens when you’ve been spoofed versus what it means to be hacked.
Spoofing. You might think of spoofing as something like falsifying a letter sent via the USPS.
Anyone can write a letter, sign someone else’s name, and put that individual’s return address on the envelope. If you were to receive that phony letter, you would likely believe that it came from the person who supposedly signed it and that it came from the return address on the envelope. In reality, it could have been sent from anyone, anywhere.
Spoofers often forge the header information of the emails they send (i.e., the To, From, and Subject lines, as well as the time stamp and path that the emails took to arrive in your inbox). They do this to make it appear as if their messages came from someone or somewhere you know (e.g., a friend or familiar organization like Bank of America). The goal? To get you to respond to their spam or click on the malware-laden links or attachments in their phony messages.
When an email address has been spoofed, the spammer doesn’t gain access to your email account. Hacking, however, is a different story.
Hacking. This is when a criminal gets into your email account. They can do this in several ways — by sniffing your activity on a public Wi-Fi network, through a phishing email, or via password-guessing software. Once in, the hacker will have access to all the information stored in your email account. This might include your contact list, bank account numbers, credit card information, online transaction receipts, and emails from other organizations confirming changed passwords (making it easier to identify other accounts of yours that can be hacked).
What’s next?
Unfortunately, there is no way to prevent spoofing. If your email address can be viewed publicly somewhere on the internet, someone can spoof it. But there are steps that you can take if you’ve been hacked that will also help lessen the risk of any future hacking attempts.
Change your password. Here, you will want to include any passwords for other accounts that are the same or like the compromised password. In creating new passwords, avoid using dictionary words or anything personally identifiable (e.g., your birth date). Also, be sure that your passwords are at least eight characters long and include upper- and lowercase letters, numbers, and special characters.
Modify the answers to your security questions. Either create fake answers to the questions or add an extra letter or symbol to the real answers. That way, even if the hacker figures out the answers, they will still have difficulty accessing your accounts. For example, instead of answering “Jones” to the “What’s your mother’s maiden name?” question, add another symbol or character and make it “@Jones” or “JonesM.”
Set up multifactor authentication. This feature requires you to provide more than a username and password to access your account. For example, an additional layer of authentication could be a passcode sent to your smartphone that you need to input when you log in.
Review your email account settings. The hacker may have altered your account settings so that copies of received emails will be automatically forwarded to their account. So, even after you resecure your email account, the hacker can keep tabs on you. They could also have placed fraudulent links in your email signature and automatic replies. Be sure to check your settings and verify that these were not altered.
Run a virus scan. It’s also possible that the hacker inserted malware into your system through your email account. This could enable them to conduct recon — meaning that all your online activity would be automatically reported back to the hacker and allow them to collect even more of your personal information.
Ensure that there was no financial or personally identifiable information in your email account. If personal information was stored, such as your social security number (SSN), date of birth, or account numbers, strongly consider getting the compromised account numbers changed. In addition, have the banks or other organizations report the new numbers to you over the phone, not via email. Also, consider credit monitoring, especially if all or part of your SSN was compromised.
Protect yourself!
To protect your personal information, be wary about connecting to public Wi-Fi networks and what you transmit over such networks, as this is one of the most common ways that cybercriminals obtain email addresses and passwords. In addition, be suspicious of unsolicited or spam emails. If you receive one from someone you know, let that individual know that their email may have been spoofed or hacked.
By keeping these guidelines in mind, as well as the tips discussed here, you will be well-positioned to keep your confidential information secure.
This material has been provided for general informational purposes only and does not constitute either tax or legal advice. Although we go to great lengths to ensure our information is accurate and useful, we recommend you consult a tax preparer, professional tax advisor, or lawyer.
Mark Yatros is a financial advisor with Allegiant Wealth Strategies. He offers securities and advisory services as a Registered Representative and Investment Adviser Representative of Commonwealth Financial Network, Member FINRA/SIPC, a Registered Investment Adviser. Mark can be reached at 269-218-2100 or at myatros@allegiantws.com. Allegiant Wealth Strategies has offices in Battle Creek and Portage, Michigan, from which they serve Calhoun County and Kalamazoo County as well as Kent County (Grand Rapids).