This is the second post in my Myth-busting my Mac Miniseries (say that 3x fast!). Get the background on my excellent computer skills (ha!), and how I still got in trouble, here.
Today I’m going to focus on what happened with my e-mail:
I knew I was in trouble when I had a text from my boss before work on a Friday morning. “Amye, I think your e-mail got hacked.” TGIF to me.
(Over the course of this saga, I had at least a dozen kind souls reach out to me – in fact, this trauma served to re-connect me with some old friends with whom I’d lost touch. A #SilverLining but a very slim one compared to the massive 5+ day headache that was about to ensue.)
When you realize your email is compromised, you’ll need to spring into action. You’ve been invaded. You don’t know how bad the damage might be. And at the moment it’s still an open, bleeding wound. Time for Triage!
My recommended steps, which worked for me, are:
1. Change password immediately.
Don’t waste any time. #Justdoit. If you can’t change your password then it’s possible the opposing team already did. In that case, my knowledge of how to help you ends and you’re going to need to talk to someone else. But if you CAN change your password, do it and move on to Step Two.
2. Enable 2-step verification.
This is a feature in Gmail where your phone can act as a backup. I’ve found this to be incredibly helpful in re-establishing my peace-of-mind. There are two aspects:
A. When I want to use my Gmail in an application (e.g. iPad, iPhone, computer) I enter my new password and then I wait for a text with a 16-digit app-specific password. It comes as a text message. This unique code is entered only once, at which time it authorizes this app on this device to work with my Gmail. Then it’s business as usual, forever. (And if I delete the app, but then re-add it later, I just do this process again and it sends me a new 16-digit password. Easy peasy.)
B. Every time I sign in to Gmail, anywhere, I’ll need to enter my new password AND a unique 6-digit verification code. This also comes as a text message. The first time you do this, you can authorize the computer as “trusted” and you won’t need to do it again. (But if you revoke the authorization somehow, just enter your password again and get a new 6-digit verification code).
It sounds like extra steps – and it is – but only the first time. I’ve been using this method for over a week now and haven’t had to re-enter my codes since the first time on each device. And Gmail walks you through the steps. I am the only person who can get these text messages, so if I get one that I’m not expecting it means someone else is trying to get into my account.
If I’ve thoroughly confused you with 2-step verification, learn more here because this is a vital step toward email safety.
3. Check your Account Permissions and Recent Activity.
Click on your name in the upper right corner of Gmail, and it will have a little drop-down where you can select “Account” or “Privacy” or “Sign Out.” Select “Account” and on that new page, select the second tab for “Security.”
Here you can see a few things. I want you to focus on Account Permissions first, and review the list. Anything unfamiliar? Anything unnecessary? Revoke Access immediately. In my case I revoked almost everything because I was a #nervousnellie.
Then, review your Recent Activity. Again, anything suspicious? Unfamiliar? This is where you might be able to see what went wrong.
4. Complete the Gmail Security Checklist
To make sure I wasn’t missing anything, I found this Gmail Security Checklist and walked through each step. At this point you’ve already completed some of their recommendations but again, for peace of mind, I wanted to comb through everything to protect my account.
5. Check spam/trash/sent mail folders
This is where I could see what “my account” was doing without my authorization – aka the spam emails “I” was sending to everyone in my Contacts. Hopefully your Sent Mail folder only contains messages you actually sent. For me, when my Spam and Trash folders stopped getting new messages I knew the worst was over.
Bonus Step: Alert your Contacts via social media
While you’re busy Triaging, you might also want to alert your contacts to ignore the faulty messages coming from your account. Posting something to Facebook or Twitter is a good option since it’s likely a good amount of your contacts might see it there. Don’t email them because they shouldn’t open your emails until this situation is under control. You want to help prevent people from clicking on the message.
Extra Bonus Step: Review your Contacts
This might also be a good time to review your Email Contacts. I took the opportunity to clear out contacts that I truly didn’t need, or contacts’ old email addresses that I knew weren’t active. In many cases, you’ll be able to find someone’s current email on the web if you really needed it again. Simplify, and that way if you somehow get hacked they’re not messaging the family you used to babysit for in high school or the partner on a college project that you’re not even friends with on Facebook.
Spam 2.0: Spoofing
It turns out what happened to me wasn’t even Spam, but Spoofing. Is this new for you? Because it was new for me. My basic understanding is that they got into my account, grabbed my contacts, and got out. Then, using someone else’s e-mail account (in my case, someone with a Cox E-mail account in NJ) they used my email as an alias and sent to my contacts.
Because they were using a Cox account, not Gmail, the messages sent EVEN THOUGH Gmail did NOT authorize the messages. We figured this all out from the header of a message that got returned to my Spam folder.
Confused yet? Me too. Stay with me.
The problem with Spoofing is that you can’t stop it. Eventually they stopped sending as me, but it went on for 5 days straight to all of my contacts. The only solution is to get a new email address, so if you suspect your account is Spoofing, not Spamming, that may be your best option. I’m not sure why they stopped in my case – I reported the problem to Cox multiple times so it’s possible that Cox was able to stop it. I also reported the problem to Gmail, which is good practice.
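An added example (not part of the original post): the header check described above, written as a small Python script that lists the signs that a message's From address was not its real sender. The sample headers are constructed, and every address, host name and date in them is made up; note that SPF passes in the spoofed sample because it is checked against the sending ISP's domain, not the address in From.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def sample(envelope, relay, dkim, dmarc):
    """Build constructed headers; every address, host and date is made up."""
    return (
        f"Return-Path: <{envelope}>\n"
        f"Received: from {relay} by mx.recipient.example with ESMTP;"
        " Mon, 01 Jan 2024 09:00:00 -0500\n"
        "Authentication-Results: mx.recipient.example;\n"
        f"\tspf=pass smtp.mailfrom={envelope.split('@')[1]};\n"
        f"\tdkim={dkim}; dmarc={dmarc} header.from=mailbox.example\n"
        'From: "Account Owner" <owner@mailbox.example>\n'
        "To: friend@recipient.example\nSubject: hi\n\nbody\n"
    )

SPOOFED = sample("bulk@isp.example", "smtp.isp.example", "none", "fail")
GENUINE = sample("owner@mailbox.example", "out.mailbox.example", "pass", "pass")

def domain_of(value):
    """Lowercased domain of the address in a header value, '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def spoofing_signs(raw):
    """List header evidence that the From address was not the real sender."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    signs = []
    # 1. Envelope sender (Return-Path) belongs to a different domain.
    if env_dom and env_dom != from_dom:
        signs.append("return-path-mismatch")
    # 2. Verdicts recorded by the receiving server. Trust only the
    #    Authentication-Results header added by your own provider.
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            verdicts.setdefault(method, result.lower())
    if verdicts.get("dkim") != "pass":
        signs.append("no-valid-dkim")
    if verdicts.get("dmarc") == "fail":
        signs.append("dmarc-fail")
    # 3. Oldest Received header (the last one) names the first relay.
    hops = msg.get_all("Received", [])
    relay = re.search(r"from\s+(\S+)", hops[-1]) if hops else None
    host = relay.group(1).lower() if relay else ""
    if host and host != from_dom and not host.endswith("." + from_dom):
        signs.append("foreign-first-relay")
    return signs
```

To try it on a real message, use Gmail's "Show original" view, save the text to a file and pass its contents to spoofing_signs().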
Lesson Learned: Even if your password is secure, enable 2-step verification and keep an eye on your Account Permissions and Recent Activity.
Tomorrow, come back to learn how I got myself into this mess in the first place (and why you should start protecting your Mac.)