By now you may have gotten e-mail from one or more companies saying that Epsilon, their e-mail service provider, was hacked. The e-mail warns you to watch for phishing attacks. I’d like to issue a semi-related warning about the importance of having a strong password on your e-mail account.
Many people seem to have the attitude, “It’s just my e-mail account. A hacker wouldn’t be interested in reading my mail.” True, a hacker might not be excited about the message from your sister telling you what her kids did for spring break, but the hacker is definitely interested in accessing your e-mail account for several reasons.
Performing a password reset on another account – This is the big one, so I’m going to put it first. The greatest danger of someone gaining unauthorized access to your e-mail account is that he can request a password reset on one of your other online accounts. Many companies will mail a reset link (or even a new password) to the e-mail address on file, and some will send the username along with it. If the hacker reads that message before you do, and deletes it afterward, he can take over the other account without your ever knowing a reset was requested.
Mining personal data for phishing attacks – A hacker may look for personal data in your e-mail account that he can use to launch a phishing attack on you. Phishing is when someone impersonates a trusted source in an attempt to get sensitive information from you. For example, a phisher might pretend to be your bank and ask you to supply your account number “for verification”. The more personal information a phisher has about you, the more plausible he can make the attack. Is your full name stored in your account? Do you have an automatic signature with personal information in it? Do you receive any newsletters that make your city of residence obvious? Do you have sent mail hanging around that includes your address or phone number? All of these bits of information could be used to write a more convincing phishing attack.
Mining company names to impersonate for phishing attacks – A hacker may look for e-mail in your account from companies with which you do business and then impersonate those companies in a phishing attack. For example, do you have any messages from your credit card company in your e-mail account? The messages might not have any sensitive information in them, but they let the phisher know that you have a preexisting relationship with that company.
Discovering other accounts to hack into – A hacker may look for e-mail about other accounts you have, even seemingly insignificant accounts like photo sharing sites, and then try to hack into those accounts. He might do this to gather more information for a phishing attack or he may do it hoping to find a shared password between an inconsequential, weak security account and a more important account.
Accessing your address book to cause your friends grief – A hacker may use the names and e-mail addresses in your address book for phishing attacks, or send malware to your contacts from your account, where it arrives from a sender they trust.
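To make the items above concrete, here is an added example (my own illustration, not code from the original post) of how quickly an intruder, or you auditing your own mailbox, can pull this information out of a mailbox. It takes a small constructed mbox (four made-up messages to and from a fictitious "alice@mail.example"), splits it into messages, and reports the sender domains you have a relationship with, any reset or username messages, messages that reveal a financial relationship, newsletters that give away a location, and phone numbers or street addresses sitting in your own sent mail. All addresses, domains and keyword patterns are assumptions chosen for the sample; the regexes are deliberately simple heuristics, not a complete classifier.

```python
import re
from collections import Counter
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample mailbox in mbox format (envelope "From " lines separate
# messages). Every address, domain and person here is fictitious.
SAMPLE_MBOX = """From noreply@photoshare.example Mon Apr 04 09:00:00 2011
From: PhotoShare <noreply@photoshare.example>
To: alice@mail.example
Subject: Your PhotoShare password reset
Date: Mon, 04 Apr 2011 09:00:00 -0400

We received a request to reset your password.
Your username is alice_k. Click the link to choose a new password:
https://photoshare.example/reset?token=abc123

From alerts@bigbank.example Mon Apr 04 10:00:00 2011
From: BigBank Alerts <alerts@bigbank.example>
To: alice@mail.example
Subject: Your April statement is ready
Date: Mon, 04 Apr 2011 10:00:00 -0400

Log in to view your credit card statement.

From alice@mail.example Tue Apr 05 08:00:00 2011
From: Alice <alice@mail.example>
To: bob@friend.example
Subject: Re: dinner
Date: Tue, 05 Apr 2011 08:00:00 -0400

See you Friday!
--
Alice Kowalski
12 Elm Street, Springfield
555-867-5309

From news@springfield-gazette.example Tue Apr 05 09:00:00 2011
From: Springfield Gazette <news@springfield-gazette.example>
To: alice@mail.example
Subject: Springfield weekly newsletter
Date: Tue, 05 Apr 2011 09:00:00 -0400

This week in Springfield...
"""

# Heuristic patterns (assumed for this illustration; tune for a real mailbox).
RESET_RE = re.compile(r"password reset|reset your password|verification code", re.I)
USERNAME_RE = re.compile(r"your username is (\w+)", re.I)
FINANCIAL_RE = re.compile(r"\b(?:bank|credit card|statement)\b", re.I)
NEWSLETTER_RE = re.compile(r"\bnewsletter\b", re.I)
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
ADDRESS_RE = re.compile(r"\b\d{1,5}\s+[A-Z][a-z]+\s+(?:Street|St|Avenue|Ave|Road|Rd)\b")


def split_mbox(text):
    """Split mbox text into raw RFC 5322 messages on the 'From ' envelope lines.
    (Real mbox writers escape body lines starting with 'From ' as '>From '.)"""
    chunks = re.split(r"^From .*\n", text, flags=re.MULTILINE)
    return [c for c in chunks if c.strip()]


def body_text(msg):
    """Return the plain-text body of a message, or '' if it has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def triage(mbox_text, owner):
    """Summarise what a mailbox reveals about its owner, by the categories in the post."""
    report = {"senders": Counter(), "resets": [], "usernames": [],
              "financial": [], "newsletters": [], "personal": []}
    for raw in split_mbox(mbox_text):
        msg = message_from_string(raw, policy=policy.default)
        sender = parseaddr(msg["From"])[1].lower()
        domain = sender.rsplit("@", 1)[-1]
        subject = str(msg["Subject"] or "")
        body = body_text(msg)
        haystack = subject + "\n" + body
        if sender != owner:                      # companies you have a relationship with
            report["senders"][domain] += 1
        if RESET_RE.search(haystack):            # reset messages an intruder would hunt for
            report["resets"].append((domain, subject))
        report["usernames"] += USERNAME_RE.findall(body)
        if FINANCIAL_RE.search(haystack):        # financial relationships worth impersonating
            report["financial"].append(domain)
        if NEWSLETTER_RE.search(subject):        # newsletters that may give away your city
            report["newsletters"].append((domain, subject))
        if sender == owner:                      # your own sent mail and signature
            report["personal"] += PHONE_RE.findall(body) + ADDRESS_RE.findall(body)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MBOX, "alice@mail.example").items():
        print(f"{key}: {value}")
```

Run against a real mailbox, the interesting number is how few messages it takes before the report contains a username, a bank, a city and a phone number: that is the raw material for the phishing and account-takeover attacks described above, and it is all sitting behind the one password on the mail account.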
The bottom line is that the security of your e-mail account matters more than almost any other account, because it is the key to the rest. You should use a strong password for it that you do not reuse anywhere else, and change it promptly if you have any reason to think it has been exposed.
[Photo credit: Photo by James Laurence Stewart, used under CC BY 2.0.]