Abracadabra! Hocus Pocus! I Was Spoofed Once, Never Again

By Alphonzo A. Albright

Email is undeniably one of the most efficient and secure means of communication in our professional and personal lives. But how we arrange those insecure emails to make them easily accessible could also leave us exposed to high risk within the cyber world, as Hillary Clinton and the Democratic National Committee have learned.

A few years ago as a matter of habit, I often sent myself emails, especially valuable documents, as backups so they would be at the top of my inbox. This simple practice worked fine until one day I realized that I never received a particular message.

As a globetrotter in both my personal and professional lives, I kept emailed copies of my passport, insurance cards and other travel documents as a precautionary measure should they get lost or stolen. Surprisingly, it gave me the right amount of reassurance if a “just in case” scenario arose. As exact replicas of the originals, the emails can be used for verification in most countries.

So I decided to email myself this particular document, along with copies of my travel documents. It was an upright habit, practiced with no consideration for the possible consequences. I then realized something I’d never noticed before. Upon selecting my name from my contact list, the email address that appeared in the highlights was not my own. This caused great alarm and anxiety. “How long has this been the case?” I wondered.

My immediate first action was to scan my sent folder for this fictitious address. Results showed that one email was sent to this address a few weeks earlier. Luckily it was not a classified email, nor did it contain valuable information.

I fell victim to the classic email ploy known as “spoofing,” a common practice of scammers. Email spoofing allows someone to forge your email address and make it appear that an email is coming from you when it is actually coming from someone else. A “spoofing attack” is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage.

Another typical example of email spoofing that many individuals fall victim to is being notified by a friend of an inappropriate email that you have no knowledge of sending. You may wonder who, where and when this could have happened. This may cause great embarrassment and misrepresentation of one’s character. Additionally, email spoofing is a source of viruses, and all recipients of the email are susceptible, as are all those who receive the forwarded email.

How this is possible when scammers don’t have your password or direct access to your account is very hard to process, much less understand. The unfortunate answer to this question, which many ask, is that it is very easy, and anyone can fall victim, even an IT security professional.

Let’s just say I learned my lesson and began following expert advice to prevent this from happening again. “So much of your online security really hinges on your email address,” says John Bonora, owner and founder of Privacy Solution Partners, a privacy consultation and identity theft prevention firm based in New Haven, Connecticut. “The Federal Trade Commission tracks all fraud and identity theft, and about half of all fraud originates via email.”

If your email account is compromised, you should strongly consider the following:

  1. Recognize the signs. Occasionally, a sender’s address (and other parts of the header) is altered to hide the true source of an email. You can see evidence of this spoofing, for instance, when you receive a spam email that appears to come from your own address. If your friends tell you they’ve received spam from your email address, it’s safe to assume your computer’s security has been compromised. You’ll want to proceed as if your computer has a virus or other malicious software that places all the personal data at risk.

  2. Notify friends. Use a different email address or another form of contact to warn friends and contacts not to open anything from your compromised email address.

  3. Create a new email address. If you don’t mind losing the email address, the best thing to do is close it down and open a new one. Make sure you use a strong password, combining numbers and letters, for your new account.

  4. Maintain an inventory. Your email address is likely tied to many of your online activities. If your account is compromised, you don’t want the bad guys asking your bank to send a new user name and password to that email account. Keep track of every activity tied to your email account, and if the account is compromised, notify your bank, your credit card company and your other online accounts that you’ve changed your email address.

  5. Make sure your computer is clean. Run a strong anti-virus, anti-spyware program. Check to make sure your firewall is turned on.

  6. Use your email user name wisely. Many of us try to simplify life by using the same user name as our email address on many accounts. If your email is compromised, you’ll need to adjust those user names and vary the names you use in the future.

Think this seems like a hassle? It’s true that you’ll have to do some recovery work, but the alternative can put you at risk for far bigger problems.
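The header signs from step 1, and the look-alike contact entry described earlier, can be checked mechanically with a short script. This is an added example, not part of the original article: the sample message, the names and addresses, and the `spoofing_signs` helper are constructed for illustration, and it assumes your receiving mail server stamps an `Authentication-Results` header on incoming mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): mail that claims to come from the
# recipient's own address but was relayed elsewhere and failed authentication.
SAMPLE = '''\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.org
Return-Path: <bounce@mailer.example.net>
From: "Pat Owner" <pat@example.org>
Reply-To: "Pat Owner" <pat.owner@freemail.example>
To: pat@example.org
Subject: Your documents

See attachment.
'''

def domain(addr):
    return addr.rpartition("@")[2].lower()

def spoofing_signs(raw, my_name, my_addresses, trusted_authserv):
    """Return a sorted list of warning signs found in one raw message."""
    msg = message_from_string(raw)
    mine = {a.lower() for a in my_addresses}
    signs = set()
    _, from_addr = parseaddr(msg.get("From", ""))
    _, env_from = parseaddr(msg.get("Return-Path", ""))
    # Sign 1: a header shows my name next to an address that is not mine.
    for header in ("From", "Reply-To"):
        name, addr = parseaddr(msg.get(header, ""))
        if name.strip().lower() == my_name.lower() and addr.lower() not in mine:
            signs.add("my-name-foreign-address:" + header)
    # Sign 2: envelope sender domain differs from the visible From domain.
    # Mailing lists and bulk senders also do this, so it is a hint, not proof.
    if env_from and domain(env_from) != domain(from_addr):
        signs.add("envelope-mismatch")
    # Sign 3: SPF/DKIM/DMARC failure, read only from headers stamped by my own
    # receiving server; anything else could have been written by the sender.
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results):
            if result in ("fail", "softfail"):
                signs.add(method + "-" + result)
    return sorted(signs)
```

A message that trips several signs at once, as the sample does, deserves the treatment in steps 2 through 6; a lone envelope mismatch is common in legitimate newsletters.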

About Alphonzo A. Albright

A former New York City executive government official, Alphonzo A. Albright, today as Vice President of Global Justice Services for the Canadian-based firm Abilis Solutions, meets colleagues across the world to engage in conversations that highlight thought leadership focused on driving government performance.
