By Ruairi O'Shea
Investigative Writer | Kaituhi Mātoro
Consumer NZ investigative writer Ruairi O’Shea has written a lot about scams. What steps did he take when he was targeted by cybercriminals, and what would an online safety expert recommend?
It started when I woke up and checked my emails.
Most mornings, I wake up to 15 emails, primarily from mailing lists I need to unsubscribe from. This time, I had 25.
Half asleep, this didn’t ring any alarm bells. Then I saw them. Seven emails in a row from an account claiming to be the Microsoft account team, each detailing an attempt to sign into my email account from locations like Brazil, Guinea, Pakistan and France. Each had a button that would take me to an online location where I could review my recent account activity and secure my account.
Before clicking the “Review recent activity” button, I googled the email address the emails had originated from. Unfortunately, it was legitimate. Worse, there had been a successful attempt to sign in. The hackers knew my email address, and my password.
So, what do you do if this happens to you?
We spoke to Sean Lyons, chief online safety officer at Netsafe, to find out.
Secure – and potentially close – your account
First and foremost, you need to secure your email account. In my case, this meant following the link in the Microsoft emails notifying me of the suspicious activity.
“Once you’ve done that, you’ll want to make sure you’re the only person who can access it. That will generally involve changing the password,” Lyons says.
“If it’s for an old service that you’re not using, maybe the job at that point is just to delete it. If you’re not using it, and it’s just sitting there waiting to be hacked, why bother with it? Get rid of it.”
Change your passwords
If you’ve reused passwords across a variety of services, you’re vulnerable to further breaches, Lyons says.
“It’s dangerous when the only key required to your email account is the combination of your email address, which might be public information, and your password. Once they’ve got those details, they can run them against every service they can think of and see how many accounts they can compromise with the information they’ve got.”
If your email account has been breached, and you’ve used the same password elsewhere, it’s incredibly important to start changing all your passwords.
This would be a good time to consider using a password locker or password manager. These are encrypted “vaults”, which can store – and generate – the vast array of complex passwords required for our online lives.
“Password lockers are one way of organising the multiple password situation, allowing you to have, to all intents and purposes, unguessable, really hard to crack passwords,” Lyons says.
It’s also worth checking if your email address or passwords have been included in any known data breaches. You can check if your credentials have been breached at www.haveibeenpwned.com. If you find out your passwords have been breached, change them and do not use them again.
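The breach check described above can be done without ever sending your password anywhere. The haveibeenpwned.com "Pwned Passwords" service uses a k-anonymity range query: you send only the first five characters of the SHA-1 hash of the password, get back every hash suffix in that range with a count, and compare locally. The following Python is an added example written for this article, not Consumer NZ's or haveibeenpwned.com's own code. The `range` endpoint URL is the service's real public API; the sample response text below is constructed for illustration, so the counts in it are not real breach statistics. It also shows the kind of random password a password manager generates.

```python
import hashlib
import secrets
import string
from typing import Callable

# Constructed sample of what a range response looks like: one "SUFFIX:COUNT"
# line per hash in the range. The suffix for the password "password" really
# does start this way (SHA-1 5BAA6...); the counts are illustrative only.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
011053FD0102E94D6AE2F8B83D76FAF94F6:2
"""


def hibp_range_query(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Return how many times the suffix appears in breach data, 0 if absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def password_breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Full k-anonymity check: only the prefix leaves the machine."""
    prefix, suffix = hibp_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> str:
    """Query the real Pwned Passwords range API (network access required)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a long random password drawn
    from a cryptographically secure source, not from memory or habit."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    print("password  ->", password_breach_count("password", offline), "hits")
    fresh = generate_password()
    print("generated ->", password_breach_count(fresh, offline), "hits")
    # For a real check, pass fetch_range_live instead of the offline stub.
```

Because the comparison happens locally, the service never learns which password you checked, only that you asked about one of the hundreds of hashes sharing a five-character prefix.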
Set up multi-factor authentication
Lyons describes cybersecurity defence mechanisms – such as requiring a password – as “locks”.
“Using different passwords is important, but multi-factor authentication is probably even more important because it’s putting an extra lock on the door.”
Multi-factor authentication – which can also be called two-factor authentication, MFA or 2FA – is when multiple credentials are required to access an online account. It generally works via text message or through purpose-built authenticator apps.
An example is when you use your password to log into your email (or another online) account, which then prompts a notification on your phone asking you to confirm you are attempting to log in.
While you’re busy changing passwords on your various accounts, check whether multi-factor authentication is available. If it is, sign up. While having unique passwords can mitigate the damage from a breach, using multi-factor authentication can stop a cyber incident before it starts.
“They might have tricked you on one thing, but they can't get access to all the different accounts. Instead of getting those 10 emails to say someone has signed into your email, you'll end up with 10 messages saying somebody has tried to get into your account, but because you didn't respond to the request, then they didn't get in. That’s a much better set of messages to wake up to.”
Think about how your breach could affect others
Another vital step is to consider how a breach of your email account could affect the people close to you.
“The fact that your account is connected in some way to other people that you might know means there’s probably some information in there that can be mined and turned against you or your network,” Lyons says.
“Telling people that one of your email addresses has been compromised, and to be a little more cautious around messages that come from you, is a really good thing to do, because you are helping people defend themselves from somebody using your email, or knowledge they’ve gleaned from your email. Warning your friends and family, warning your employers, is a really useful, good thing to do.”
At this point, you might be tempted to post about the incident on social media, as a way of reaching all the people who could be affected by the breach. Lyons is hesitant to recommend this. “I worry sometimes that people will post something saying they’ve been scammed, and they’ll be contacted by a scammer saying that they can get the money back.”
If you do feel you need to alert your social media network you’ve been scammed, do some research on recovery scams first, so you can identify further scam attempts.
Report it
If your email account is breached, there are some other parties you might want to contact to limit the damage.
- IDCARE: Your email account probably contains a lot of personal information, which could be used to carry out identity theft in the future. IDCARE is Australia and New Zealand’s national identity and cyber support service. You can submit a form on its website to receive a call from a support worker (mine took around 24 hours). If things feel urgent, call IDCARE on 0800 121 068.
- Your email provider: To be honest, beyond the account recovery service, your email provider is unlikely to be very helpful, particularly if you use a service run by a huge international business like Google or Microsoft. If your service does have an easy-to-contact customer service department, let them know about the incident and see if they can do anything to help.
- CERT NZ: It’s important to report the incident to CERT NZ, New Zealand’s computer emergency response team. It may be able to find support for you, and reporting the incident will help it monitor cyber security developments in New Zealand.
- Your bank: Scammers might need to steal your personal information first, but ultimately, they’re trying to get into your bank account. Contact your bank and let it know you’re experiencing an issue. That way it can increase its scrutiny of suspicious transactions.
- Netsafe: If you want free, confidential and non-judgemental advice, you can email Netsafe at [emailprotected], or call them on 0508 638 723. Their helpline is open weekdays from 8am until 8pm, and weekends and public holidays from 9am until 5pm.