Will Lukang, PMP, CSM, MBA, MASCL
Never in my wildest dreams would I have thought that such a thing could happen to me. Not me – I have the technical know-how and background to prevent it. I have been in information technology for over 20 years and I consider myself an above-average technician when it comes to maintaining hardware and software.
On the morning of January 11th everything changed. On my way to work with my friend Jason, he told me that I had sent him a link to a blog and asked what it was about. I was like, what are you talking about? I don’t have time to send e-mails in the morning while I’m getting ready for work. I quickly checked my iPhone and saw that my other personal e-mail account had received the same message. The worst part is that whatever sent it had accessed my contact list and e-mailed the same message to everyone in it.
Another friend of mine named Barry also alerted me via text message that he had received an e-mail with a link to a blog. On my way to work, a few other friends did the same thing and brought it to my attention. At this point I was so embarrassed that such a thing had happened to me. While running a meeting, I could not help thinking about what had happened and trying to figure out how to stop it. By 10:23 a.m. another round of e-mails went out while I was in another meeting. I called my wife and asked her to power down my laptop, because I was not sure whether there was a Trojan on it. While still in the meeting, I was busy trying to change the password on my Gmail account. Thankfully my account had not been hijacked, meaning I was still able to get into it and change the password. It was only at that point that the e-mails stopped. While the spam e-mails continued, I felt helpless and did not know what to do. I’m thankful that my iPhone let me access my personal e-mail; otherwise the problem could have been worse.
After my 10 a.m. meeting, I stopped by Barry’s office to pick his brain on how to prevent such a thing from happening again. Barry is our resident technical expert. Besides, two brains are better than one. We chatted and he gave me a couple of pointers, like scanning my laptop and possibly installing Ubuntu on it. For the rest of the day, I was thinking about how to craft the apology e-mail to everyone who had received the spam.
That night, I checked my laptop for viruses and found none. I proceeded to send apology e-mails to the people I had inconvenienced. Some were supportive, while others gave me a stern warning about what I was sending. Either way, the whole experience taught me some valuable lessons that I’d like to share.
- Website login account – If you use the same login name on different websites, use a different password for each of them.
- Website using e-mail address as login ID – When a website requires you to use your e-mail address as the user ID, do not use the same password that you use for the e-mail account itself.
- Password strength – Make sure your password is a combination of letters and numbers. If you can use special characters as well, that would be great, but make sure you can remember it.
- Change password – Change your password every quarter. Set up a reminder to alert you when it is time to change it.
- Request for information – If you receive an e-mail requesting information from you, DO NOT respond, unless you are the one who initiated the request (a password reset, for example). This is a common way for bad people to get your information. It is otherwise known as phishing: a fraudulent attempt to obtain information such as passwords, credit card numbers, social security numbers, etc.
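The first three points above are easy to check mechanically. The following is an added example (not part of the original post, and not a tool the author used) that audits a list of site credentials for the mistakes described: the same password reused across sites, the e-mail password reused on a site that logs you in with the e-mail address, and passwords lacking letters, digits or special characters. The account list is constructed for illustration; the function names are this example's own.

```python
"""Audit site credentials for password reuse and weak passwords.

Added example. The SAMPLE_ACCOUNTS below are constructed, not real credentials,
and audit_accounts / password_strength_issues are this example's own names.
"""
import re
from collections import defaultdict

# Constructed sample: site -> (login id, password).
SAMPLE_ACCOUNTS = {
    "gmail":    ("will@example.com", "sunshine1"),    # the e-mail account itself
    "someblog": ("will@example.com", "sunshine1"),    # e-mail login AND e-mail password reused
    "bank":     ("wlukang",          "Tr0ub4dor&3"),  # distinct login, distinct strong password
    "forum":    ("will@example.com", "password"),     # letters only, no digits or specials
}


def password_strength_issues(pw):
    """Return a list of reasons a password is weak (empty list means it passes)."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", pw):
        issues.append("no letters")
    if not re.search(r"[0-9]", pw):
        issues.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("no special characters")
    return issues


def audit_accounts(accounts, email_site):
    """Return {site: [finding, ...]} for every site with at least one problem.

    email_site names the entry that is the e-mail account, so that reuse of
    its password on sites that use the e-mail address as login can be flagged.
    """
    findings = defaultdict(list)

    # Group sites by password so reuse can be reported per site.
    by_password = defaultdict(list)
    for site, (_, pw) in accounts.items():
        by_password[pw].append(site)

    email_login, email_pw = accounts[email_site]

    for site, (login, pw) in accounts.items():
        others = sorted(s for s in by_password[pw] if s != site)
        if others:
            findings[site].append("password reused on: " + ", ".join(others))
        # The specific mistake from point 2: e-mail address as login ID plus
        # the e-mail password itself; compromising the site compromises the mailbox.
        if site != email_site and login == email_login and pw == email_pw:
            findings[site].append("uses e-mail address as login AND the e-mail password")
        for issue in password_strength_issues(pw):
            findings[site].append("weak password: " + issue)

    return dict(findings)


if __name__ == "__main__":
    for site, problems in audit_accounts(SAMPLE_ACCOUNTS, "gmail").items():
        print(site)
        for p in problems:
            print("  -", p)
```

Running it on the constructed sample flags gmail and someblog for sharing one password, singles out someblog for combining the e-mail login with the e-mail password, and reports forum for lacking digits and special characters; bank is not listed because its password is unique and mixes all three character classes.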
To close, no matter how experienced you are in a field, you can always be caught empty-handed if you’re not prepared. Don’t let your guard down. Using the same password everywhere is not a good idea. With so many passwords to remember, I made the mistake of reusing the same one just so I could remember them easily. That was a big mistake. Hopefully this blog will help others avoid a situation like the one I experienced.
Great post Will.
Sooner or later this happens to all of us. No matter how experienced we are.
Thanks for sharing these great reminders.
Another tip is to always use SSL!
When logging into your webmail or checking email via Outlook/Thunderbird, the username and password are normally sent without encryption unless you opt to use it.
For example, if you use Gmail, visit https://www.gmail.com instead of http://www.gmail.com.
Gmail even offers a setting to always use SSL, and best of all it’s 100% free.
Sniffing passwords has become as easy as installing a Firefox extension (Firesheep, anyone?) and affects all operating systems including Linux, Mac, Windows and smartphones like the iPhone.
This may be a bit advanced for some users, but it’s worth the effort!
Every host is different so you’ll need to ask your email host for the encrypted settings (they’ll be different from standard POP/SMTP settings) and for instructions on how to set it up on your device.
Great suggestions on making sure to choose SSL when logging in to your e-mail account.
Great advice Will!
Just to clarify – install Ubuntu as a dual boot, not as a replacement for Windows. That way you can scan your whole PC from an uninfected area.
And one small suggestion – I would recommend not having the same password for your bank account and your email. The hackers can still ask for a password reset, but at least you will receive an email about that which should alert you to unusual activity.
I know it is stressful, but don’t beat yourself up. The only safe computer is one that has the power turned off 🙂
Like Joan said…it happens to the best of us my friend…recently the same thing happened to me and my AOL account…point #2 cannot be stressed enough ~~ “Website using e-mail address as login ID – When a website requires that you use your e-mail ID as the user ID, do not use the same password that you use for your email account.”