MediaMade possible by

How my email was hijacked, and how you can stop it happening to you

A cautionary tale, by Paul Brislen.

It started with an email from a colleague. Could I sign the attached form?

I get this sort of email a lot; no two clients or providers use the same format so it was quite nice to see a link to an online service. I clicked on it.

Almost immediately my anti-virus app went nuts warning me about the dangerous activity I was undertaking and WAS I TOTALLY SURE this was a good idea. Since I’d retrained my anti-virus software from ZOMG UR ON THE INTERNET PANIC NOW mode to a more refined “Hey, you seem to be opening an email. All good?”, this level of red ink on my screen made the pit of my stomach fall away like I was on a roller-coaster.

Almost immediately I got an email from Google wondering if I was logging on from a machine in Nigeria and if that was OK. It decidedly was not, I told Google, and immediately began changing passwords like a mad thing.

Of course, first of all I had to remember my passwords, which is annoying since everything I own auto-logs in as soon as I look at it. Who can remember all those passwords? I barely remember my children’s names; I tend to resort to Thing One and Thing Two. Passwords? Fuggedaboutit.

And then it all went quiet. I had done the right thing and nipped it in the bud. I had a shiny new difficult to remember password on my account and I was 98% sure I hadn’t used that password on anything else that was important, but I changed a few other passwords as well just in case.

I contacted my colleague and sure enough he hadn’t emailed me anything. I suggested he might get someone in to have a look at his machine. Now I think about it, I haven’t heard from him since so I might give him a ring later to see if he’s OK.

At the time I thought no more of it. I’d done my bit – I ran a scan of my PC and various accounts and all was dandy. I wasn’t sending out thousands of emails so I probably wasn’t infected with anything and so, as with all STD close-calls, I breathed a sigh of relief and carried on regardless.

And so it was I had a quiet afternoon on Thursday followed by a sudden realisation over dinner that I hadn’t got any email at all to my work account for ages. I have several accounts for various clients and they’d all been pinging away merrily so I hadn’t immediately noticed the peace and quiet at my work address until late in the day. I made some tentative enquiries on Thursday night (“anyone out there not getting email?”) followed by a full morning on the chat bot and phone to Google trying to sort this mess out.

Apparently spammers will route all your inbound email to the trash as a way of ensuring you don’t notice when everyone in your contact book starts emailing you that you’re spamming everyone with a nasty virus and demanding reparations for the damages done to their systems and the like. It’s usually a great way to make new friends and to really tell your client base that you know what you’re doing. Former clients, that is.

Fortunately, I had managed to change my password before they really took control of my account and locked me out entirely, and so the moral of this cautionary tale is simple: set up two-factor authentication.

What, I hear you ask, is two-factor authentication (2FA to the cool kids)? It’s all that stands between your inbox and reputational Armageddon and I encourage everyone to turn it on.

All the major banks use it, as does your email provider and most of your social media accounts. In essence you give the service access to your mobile phone number and whenever you (or someone pretending to be you) wants to make a major change (like to your password, or your address, or anything remotely sensitive) it sends a text to the number you’ve nominated. So, when Rattus Baggus decides to steal your identity, the first thing that happens is your phone gets a text saying “Hey, we see you want to change this important thing. Here is a PIN number to let you do just that” at which point you can say “Gadzooks, I never asked for such a thing! What the dickens is going on?” and generally react with alacrity and speed.

Turn it on. Turn it on at once and turn it on for anything that has any value in your life.

You might think your Facebook page isn’t all that important but consider how much free time you won’t have if your Facebook page gets taken over by Nigerian spammers and Dear Old Auntie May infects her mah-jong group with your filth. If you think calling your old girlfriends/boyfriends to explain about an STD is tough, you haven’t tried to explain ransomware to someone who has only just come to grips with Internet Explorer.

And while we’re at it, here’s a tip for anyone with a password.

Write it down.

Seriously, now. Make it insanely complicated and write the damned thing down somewhere. Keep it in your wallet or in a notebook in your bag or somewhere but make it too difficult to guess.

I got this advice from a security expert I interviewed years ago and it flies in the face of everything we were ever told but it’s good nonetheless. Anyone who steals your laptop is more likely to try to sell it at the pub (or similar) and won’t care about the data. Anyone who is after your data won’t care about or have access to your little notebook and so won’t have a chance of breaking in.

Of course, for many, a password manager is the answer, and there are a heap of them out there. But if you don’t like the idea or won’t use one for religious reasons (or because, y’know, you’re old like me) then writing down your passwords and storing them in a safe place beats the past off using the same password for everything.

It also means you can ditch that whole PasswordJanuary123 rubbish and come up with a really good password (I like pass phrases myself) that make hijackers’ jobs that much more difficult.

Give it a go. Hopefully you’ll never have to thank me at all.


The Spinoff Media is sponsored by MBM, an award-winning strategic media agency specialising in digital, with vast experience across all channels. We deliver smart, tailored media solutions as well as offering a leading data and analytics consultancy.Talk to us about your communications challenges and how MBM can help bring you success through the power of media and technology.

The Spinoff Longform Fund is dedicated to facilitating investigative journalism. Our focus is on supporting in-depth reporting on important New Zealand stories. Your donation will help us sustain this most resource-intensive form of journalism, ensuring that the most complex and important stories still get told.