Beware the Dangers of Spoofing and Hacking
Have you ever opened an email that looked like it came from a friend or family member, only to find it contained a strange or unintelligible message, a link to an unknown website, or explicit or inappropriate material?
Cases of “spoofing” like these are on the rise. Spoofing is when a spammer sends out emails using another person’s email address in the “from” field, in the hopes of tricking others into opening them. In many cases, the emails still originate from the spammer’s email account and email server, but the spammer modifies the “from” field and then blasts them out to hundreds or thousands of recipients. Often, these spam emails contain messages or links to websites that promote everything from pornography to online gambling to illegal prescriptions. Still others direct unsuspecting recipients to sites that install malware (malicious software) onto their computers in order to harvest their personal or financial information.
Even more troubling than spoofing is hacking—or fraudulent access—of individuals’ email accounts. Criminals obtain users’ email login credentials, either through vulnerabilities on the victims’ own PCs, or, in the case of AOL earlier this year, through hacking the email provider and stealing thousands of email addresses and login credentials at once. The hacker then sends spam directly from the victims’ email accounts, often including recipients from the victims’ own contact lists, figuring that they’re most likely to recognize the sender and open the email. In some cases, hackers pretend to be the victim, claiming that he or she is in some kind of dire situation—for example, that he or she is traveling overseas and has had a wallet stolen—then pleading for close friends and family to wire hundreds or thousands of dollars immediately.
If all that isn’t bad enough, even more cunning tactics are being used to turn a profit. One user was hacked, and her emails were reviewed to capture relevant and specific details about where she banked. An email was sent from her email account to her bank, asking to confirm a balance and for funds to be transferred or wired elsewhere. An alert bank employee phoned the customer, as the email constituted behavior that was out of the ordinary. Lo and behold, the customer confirmed she hadn’t sent the email!
Often times, victims have no idea they’ve been hacked or spoofed unless the email recipients themselves inform them. Sometimes, victims will start to receive bounced (returned) emails in their inboxes that don’t match any email messages that they’ve actually sent. If either of those scenarios happens to you, chances are good that you’ve been either spoofed or hacked. But how do you tell the difference?
Your “Sent” box may be the best indicator. If you find email in your Sent folder that you didn’t send, it means that your email account has been hacked. On the other hand, if you don’t find any strange emails in your Sent folder, chances are good that you’ve been spoofed.
So what do you do now? If you’ve been spoofed, unfortunately, there’s not much you or your email provider can do about it. You can change email addresses or providers if you choose, but spammers often quickly move on to other addresses so the spoofing should cease after a time. You may want to alert those on your contact list of the spoofing, so that they don’t inadvertently open the emails or click on links that cause them to be victimized. And, you may want to use an email filter on your inbox to avoid the continued onslaught of bounced emails.
On the other hand, if you’ve been hacked, more aggressive steps are in order. First, changing your email account password may help, and closing down that email account altogether and starting fresh with a new one may be a good idea. If you change your password, choose one you haven’t used before, and that’s different from all of the other passwords you use for other websites. Also, make it as long and complex as possible in order to make it difficult to guess, including letters (both upper- and lowercase), numbers, and special characters, and change it at least every six months. To check the strength of a potential password, visit howsecureismypassword.net and test some out. Finally, be sure your computer’s security software—anti-virus, anti-malware, and firewall—is completely up-to-date.