Helping people with computers... one answer at a time.
With email account hacking on the rise, it's important to understand what it takes to keep your account and its address book safe from compromise.
How do I stop [email being sent as me] or prevent a hacker from getting into my address book?
•
This was a follow-up question from someone who'd discovered that, as they put it, "Somebody is using my email address book to send spam to my friends." I had pointed them at Someone's sending email that looks like it's from me to my contacts, what can I do?
What's critical to realize here is that it's extremely likely that they don't just have access to your address book - they have access to your entire email account.
And that's exactly where prevention begins.
•
The scenario
This is the scenario that I'm hearing about frequently:
-
Someone's email account gets hacked
-
The hacker then uses that email account to send spam to everyone in that email account's address book
It's that first part that matters: they hacked into your email account.
This has nothing to do with your PC (probably)
The cases that I'm seeing are not due to a virus and it does not mean that your computer or your email program has been hacked. Your computer can be 100% secure and this could still happen.
It's most common with web-based email accounts like Hotmail, Yahoo, Gmail, and others. And that's the clue.
The hackers have somehow discovered your email username and password. Armed with that, they head off to the website for that email service and login.
They login as you.
Because they have your username and password.
So they login to Hotmail or Yahoo or Gmail or whatever service it is that you use - as you - and start sending everyone in your address book spam.
And they often do all of this from the other side of the planet.
PC-based email programs are not immune
Any email account can be hacked. The ones that keep address books on the email servers, such as those that offer primarily web-based access, are the most common because the hackers don't want just your account, they want the address book.
Some PC-based email programs now recognize online account and synchronize the contact list that you might keep on your PC with the contact list that's kept online. A great example is Windows Live Mail - a desktop email program - which, when configured to access a Hotmail account, will synchronize your local address book to Hotmail's online copy.
It's easy to check - just log in to the web interface to your email account and see if the contact list is empty. If not, then hackers would love to get access to your account.
Protecting your address book means protecting your email account
Your address book is just a part of your email account and it's your email account that needs protection.
There's nothing really magical about that.
-
Use a good password. I'd guess that perhaps as many as a quarter of all account hacks that I hear of are simply hackers guessing the password.
-
Don't share your password with anyone. Not only are you trusting their good intentions, but you're also trusting their security savvy - if they make a mistake and expose your password, it could easily result in a hack.
-
Don't login to any of your accounts using public computers. The problem is that there is no way to know that your keystrokes aren't being recorded. If you must login to something, make sure it's a throw-away account that you wouldn't mind losing to a hacker.
-
Use open Wifi hotspots safely. In many cases, logging in to your email account if you're at an open Wifi hotspot transmits your username and password in the clear for anyone with a laptop and a little software to see.
-
Use your computer safely. Even though I said that your computer may not be involved, that doesn't mean it can't be. Spyware or keyloggers installed on your computer could give hackers all the usernames and passwords that they need to get into your accounts.
-
Be skeptical. One of the other large percentage of account hacks that I see are the result of phishing - tricks that hackers play to get you to give them your password. An email that threaten to close your account unless you respond with a list of information that includes your password is a scam. Provide that information and in minutes, you'll find that your account has been hacked.
Hopefully, you get the idea: treat your email account security seriously, pay attention to online security, and you're many, many steps ahead of the hackers who'd try to get into your account.
If you've already been hacked
Start doing everything that I just listed. In fact, double-check it all just to make sure.
But most importantly: change your password. Now.
In fact, you must change much more than your password.
You need to change any and all of the information that could be used to request a password reset on your account.
Why? Two reasons:
-
Hackers often change the information while they have access to your account.
-
Whether they change it or not, hackers can often use the information that they find in your account to immediately regain access to your account by requesting a password reset after you change your password.
What you need to change depends on what your email provider uses for password reset information, but it could include:
-
Alternate email addresses
-
"Secret" questions and their answer
-
Mobile numbers
-
Billing information
-
Whatever else your email provider uses
In some cases, like the mobile number, even if you don't change it (presumably you still have the phone), you should confirm that it's still set correctly. As I said, hackers often go in and change these settings so that they can regain access.
Article C4958 - October 18, 2011 « »
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
October 26, 2011 9:05 AM
I received an infected e-mail from one of my contacts. I know it was infected because AVG caught it when I opened the e-mail.
I immediately erased that contact from my address book, and marked the e-mail as spam, but I am still receiving e-mail from that contact, just as if it is still in my contact list. What is happening here?
26-Oct-2011
November 23, 2011 11:24 AM
In addition to a complex pw, one should also make the answer to your secret question very complex.
It does not have to make sense, but you must remember it.
For first pet or where married or mother's maiden name, enter something like "DWERYGFRETR"
So, a hacker must not only know your username and pw, in order to change the pw, they must know the answer to your secret question. Make the answer all gibberish that only you know.
November 26, 2011 2:13 AM
Just a heads up: If you use Gmail, they now offer a service that will send your mobile / cell phone a verification code in order to log on. This might serve as another line of defence, provided that you haven't been hacked and that all of your contact details are correct.
November 30, 2011 6:06 PM
ummm, sorry to say but people do not even have to have access to your account to make it look like it comes from you.
All they do is use your email address and use a program to send out spam and it looks like it comes from you.
01-Dec-2011
December 15, 2012 12:11 PM
Go to Youtube and type in: (how to stop phishing with email address encryption.) My name is Sharen and hopeful you find this of assistance. This is a technique that I developed to help deter Phisher's from using my contact list by making them work harder for it.