
ALAN ZISMAN ON TECHNOLOGY

Don't let this happen to you!  
Lock out email hackers before they try to scam all your friends.
 
By Alan Zisman     2024-01-26


Yesterday morning, I got an odd-seeming email from an old friend. The title was Checking.... It read:

"Greetings from here, How are you doing?
I want to know if this email address is still valid to write to you. There is something important I would like to discuss with you.
Thank you,"

Where most emails say who they're sent to, that information was missing - which suggested it had been sent to a whole bunch of people using the email BCC (blind carbon copy) option, which hides the list of recipients.

And the text was pretty generic. Let's call the sender 'Tom' (not his real name); Tom and I have known each other for a long time - probably nearly 40 years by now. But there was nothing in the message about Tom (who I knew was on holiday at the time)... just a request to verify the email address.

Still, I didn't think much of it, and I didn't reply.

Then I got a second identical email. Well, many people have two email addresses for me, and Tom might legitimately be checking which one to use.

Then I got a third.

Then I heard from two other people who know both me and Tom, who'd gotten the same message - in one case, a couple of times. They were wondering whether I thought it was legit. I said that I agreed that it sounded iffy. One of them had replied, without thinking, then wondered if in doing that, they'd infected their computer. She got a reply - and had deleted it without opening it.

I told her that she probably had not been infected by just replying to the initial email or by receiving an opened message, but knowing that she had the (very good) anti-malware app Malwarebytes installed (available for Mac, Windows, and Android - recommended) it wouldn't hurt to run a scan. It came up clean.

But that got my interest up... so I replied to the message. Just in case, I sent it from a lesser-used email account of mine; no sense in giving potential scammers an email address that I actually relied on. I said:

"Hi Tom. I hope all is well. What's up?"

I heard back pretty quickly. Whoever was on the other end wrote:

"How are you doing today? Thanks for your acknowledgment. I need to get an Amazon gift Card for a friend of mine who one of her daughter is diagnosed with stage 2 mesothelioma cancer, She lost her second daughter to the disease (COVID-19). it's her birthday but I can't do this now. I tried purchasing it online but unfortunately, I got no luck on that. Wondering if you could help me take care of this online or go to a store or Supermarket close to you? I'll reimburse you once I get back home.

Please let me know so I can provide you with her email."

As I'd suspected, it had quickly turned into a request for money. I wrote back asking for more information - but never heard any more, for reasons that will become apparent.

Meanwhile, I'd also emailed Tom's partner - I wasn't sure whether contacting Tom directly would get through, given that it wasn't clear to me whether the faux-Tom was actually using (and possibly controlling) Tom's email account or not. And if that was the case, they could easily have changed the email password, locking Tom out of his own email.

I told Tom's partner what I'd learned, and suggested that she tell Tom to change his email password ASAP and to get Tom to contact me.

Tom got back to me quickly, saying he'd heard about these messages from a lot of people and that he'd changed his email account password - which explained why I hadn't gotten a reply to my second message to faux-Tom. Real Tom asked me if there was anything more he should do.

My strong suggestion - enable two-factor authentication for the email account (along with his Facebook account and any financial institutions with whom he did online banking).

So-called 2FA requires an additional step beyond logging in with a user name and password - this extra step requires something you have, typically a mobile phone. As a result, someone who's gotten your user name and password - but doesn't have your mobile phone - is unable to access the account in question.

Tom had known about 2FA but hadn't enabled it for his email account. He had two concerns about it:
  • Typically, when you set up 2FA for an online account (email, bank, Facebook, etc), you give the online account your cell phone number - when needed, you receive a text message on your phone with a code number - you enter that as an extra step with your log-in and you're then able to access your account.

    Tom, however, was often travelling (as am I) and might be getting a different SIM card to use a local phone number, saving on roaming charges. But that means he wouldn't be getting text messages sent to his home mobile number.

    2FA can be set up not to send a text to your cell number. Instead, prior to setting up 2FA with an account, you download an authenticator app on your phone - there are a number of these: Google Authenticator, Microsoft Authenticator, Authy, and others - each with versions for iPhone and for Android. All work similarly. With the app installed, start to set up 2FA with your account - using a different device: a laptop, a tablet, whatever - but not your phone!

    As part of the 2FA setup, you'll be asked whether you want to receive a text message, use an authenticator app, or some other method. If you choose to use an authenticator app, one of those funny grid-like code squares (a QR code) will appear on screen. Open the authenticator app on your phone, go to its setup option, and point your phone's camera at the grid. Bingo! You're set up for that account.

    When you try to log in for the first time and enter your user name and password, you'll then be asked for a 2FA code - open your authenticator app on your phone, tap on the account name and you'll see the code to enter. Type it in and away you go! No text message needed.

  • Tom's other concern was whether he would need to enter a 2FA code every time he tried to access his email (or Facebook or his online bank account). The answer is 'no - but....'. When you add 2FA to an account, you need to enter a 2FA code the first time you log onto that account - with a given device and a given piece of software. Maybe you access your email on your laptop, on your phone, and using an iPad or other tablet. You'll be asked for a 2FA code the first time you access it on each of those devices - when you enter the code, there'll be a checkbox for 'Don't ask again on this computer'. Check it and you won't be asked again - on that device.

    Well, you might be - that's because it's also per piece of software. Maybe on your laptop you use two different web browsers, say Apple's Safari and Google's Chrome, both on your MacBook. You'll have to enter a 2FA code the first time you try to log into your email account (etc) using each of those browsers. (Be sure to click the box for 'Don't ask again on this computer' so you don't get asked again.) Similarly, maybe you access Facebook on your iPad using the Facebook app but sometimes go there using Safari on the iPad. If you've turned on 2FA for Facebook (and you should!) you'll be asked for a 2FA code once for the app, and once when you use Safari.

  • No, any wannabe-you who has somehow gotten your account login and password will be locked out without the correct 2FA code - even if they've installed the same authenticator app on their phone. The codes created are unique to you and your account.

  • Using 2FA is a bit of a pain, sort of like locking your door when you leave your house. But like a door lock, it's an extra step that provides the security of knowing that you're locking out the folks who might be wanting to break in. Just do it!

More on enabling 2FA for several popular services:

- Google or Gmail
- Outlook.com or Microsoft account
- Facebook or Facebook Messenger
- Yahoo Mail
- Check your financial institution's website for information on how to do this for your online banking!



About This Blog...

I've been writing about computers, software, Internet and the rest of technology since 1992, including a 17 year (1995-2012) stint as 'High Tech Office' columnist for Business in Vancouver. This blog includes thoughts on technology, society, and anything else that might interest me. Comments, emailed to alan@zisman.ca are welcome - and may be published in whole or part. You can follow me on Twitter or Google + for notice of new blog postings.