Spammers use a variety of methods to send spam, but the use of hacked email accounts belonging to legitimate users is booming.
According to Verizon's 2017 Data Breach Investigations Report, 1 in 131 emails contained malware in 2016, the highest rate in 5 years. In addition, the amount of spam spewing into inboxes globally is at its highest rate since 2015. This is related to malware like Emotet and Trickbot stealing email addresses to feed spam campaigns.
Crackdowns on other channels have been positive, but one outcome is that spammers have shifted the focus of some of the recent larger malware outbreaks and phishing attacks toward acquiring enough compromised email accounts to make spamming viable. This includes email accounts like yours.
How was my email hacked?
Your computer was most likely compromised in one of four ways:
- You do not have up-to-date security software installed.
- Your passwords are weak and easily hacked.
- You clicked on a malicious link in an email or IM conversation, or on a social networking site or webpage.
- You downloaded a game, video, song, or attachment with malicious scripts or files attached.
What to do after your email was hacked
When your email account is hacked, here are several steps you need to take to fix the problem and prevent it from happening again:
- Check (and update) your computer’s security. Most hackers collect passwords using malware that has been installed on your computer (or mobile phone if you have a smartphone). No matter which operating system you use, be sure your anti-virus and anti-malware programs are up to date. Choose the setting that will automatically update your computer when new security fixes are available. If you’re already using an antivirus program, run an end-to-end scan of your computer.
  Look to see that all operating system updates are also installed. To find these, type ‘(the name of your operating system) and updates’ into your search engine. Set your computer to update automatically so that you get protection from new attacks as soon as possible.
- Change your password and make it stronger. Do this after your anti-virus and anti-malware programs are updated, or the hackers may collect your new password as well.
  - Strong passwords do not have to be hard to remember; they just have to be hard to guess.
  - Make your password at least 10 characters long, and use capital letters, lower case letters, numbers, and symbols.
  - Do not use information about yourself or someone close to you (including your dog or cat!) like name, age, or city.
  - Do not use words that can be found in a dictionary; these are easy for hackers to break, even if you spell them backward.
  - Text messaging shortcuts can help make strong, memorable password creation easier. For example, L8rL8rNot2Day! translates to ‘later, later, not today’.
  - Studies show that the average email account has 130 password-protected accounts linked to it, so it's no wonder passwords often aren't as secure as they should be. A password manager can help you keep them in order and encrypted.
- Send an email to your contacts saying you were hacked. When an email comes from someone you know, you are more likely to open it and click on links within it - even if the subject is weird. Help stop the spread of the malware by warning those in your contact list to be cautious of any email sent by you that doesn’t seem right and to not click on the links.
- Smarten up about spam, phishing, and scams. Spam comes at us from all angles: in the mailbox in front of your home (junk mail), in your email inbox, via IM, social networking sites, chats, forums, websites, and sadly, now also on your phone. Now more than ever, it is important to be on the lookout for phishing scams.
  - You do not have a rich uncle you’ve never heard of in some foreign country trying to send you money. You have not won the lottery. No stranger is going to give you money for any reason. No hot babe is lonely and waiting for your response. The only thing you’ll get from an unsolicited pharmacy offer is ripped off or an infection (on your computer or phone). If there really was a miracle weight loss cure, it would be front page news and on every TV station.
  - No reputable bank or company is ever going to ask you to ‘authenticate’ information online. And if you get an email with a link to one of these sites, don’t use it; instead, use your search engine to find the site yourself, and then log in. If the message was legitimate, the message will be waiting for you in your account.
  - Validate the legitimacy of any program, game, app, or video before downloading it. Of the millions of new or updated mobile apps analyzed by Webroot in 2017, 32% were determined to be malicious in nature. If the content is pirated, free, or comes to you anonymously, assume it has malware. Only download content that you have read good reviews about from sites you can trust.
- Change your security question(s). If your email account was hacked from a device or location not matching your normal usage patterns, it's possible the cybercriminal needed to correctly answer a security question. If your question and answer are common (Question: What is your dog's name? Answer: Spot), that may not have been a difficult challenge.
- Consider adopting two-factor authentication. Many email providers offer two-factor authentication (2FA) as an additional security measure. This method requires both a password and some other form of identification, such as a biometric or a mobile phone number, to access an account.
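The password rules in the list above (at least 10 characters, a mix of character types, no personal details, no dictionary words even when spelled backward) can be expressed as a small checker. This is an added example, not part of the original article; the function name, the short word list, and every sample password other than L8rL8rNot2Day! are constructed for illustration.

```python
import string

# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "welcome", "dragon", "sunshine", "monkey", "summer"}

# The four character types the article asks for (ASCII only in this sketch).
CHARACTER_TYPES = {
    "capital letter": string.ascii_uppercase,
    "lower case letter": string.ascii_lowercase,
    "number": string.digits,
    "symbol": string.punctuation,
}


def check_password(password, personal_info=(), words=SAMPLE_WORDS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []

    if len(password) < 10:
        problems.append("shorter than 10 characters")

    for name, chars in CHARACTER_TYPES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")

    lowered = password.lower()
    backward = lowered[::-1]

    # Names, ages, cities, pet names and similar details supplied by the caller.
    for item in personal_info:
        token = str(item).lower()
        if len(token) >= 2 and token in lowered:
            problems.append(f"contains personal information: {token}")

    # Dictionary words are checked in both directions, as the article warns.
    for word in sorted(words):
        if word in lowered:
            problems.append(f"contains dictionary word: {word}")
        elif word in backward:
            problems.append(f"contains dictionary word spelled backward: {word}")

    return problems


if __name__ == "__main__":
    for candidate in ("L8rL8rNot2Day!", "Spot2015", "Nogard#2024!"):
        print(candidate, "->", check_password(candidate, personal_info=["Spot"]) or "ok")
```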
As mentioned, it's fairly common for malware to be the avenue through which an email account is hacked. Having an up-to-date internet security solution is the essential first step in establishing online safety and ensuring your email isn't hacked. Webroot offers a full line of internet security solutions for the home to keep your email password out of the hands of hackers.