OK, so a hacker gets your email address and your password and can now go to a webmail website and send emails pretending to be from you. Maybe the webmail address for your email is obvious and the attacker can now sign on to your webmail and see your contacts. They can spam them and send emails as though they were from you.
It is a problem, but sending emails that pretend to be from someone else is child’s play anyway. It takes seconds to set up and do. So why would a hacker spend time and effort phishing for email addresses?
The problem with email security.
I have said for a while now and continue to believe it – your email security is the crux of your entire internet security. Blow that and you blow everything. It’s as simple as that. Your email address and password are the one key that can give a hacker unlimited access to everything you do on the internet.
And yes, I really do mean everything!
The first part of an attack
Once a hacker can log on to your webmail they can glance through your emails looking for key emails. Anything from banks, PayPal and so on is useful for them. They will tell the attacker what you are using. You might also have been careless and left a welcome email from a bank lying about that serves as a reminder of your password there.
And if that fails…
The next step is no doubt very easy. A quick glance through your emails and they can guess where you are from (looking at your time zone being a huge clue!). Now they can visit all of the most popular banks that cover your region as well as PayPal and request password resets.
OK, most will be “email not recognised”, but once they hit upon your bank and get the response that they need, they have the link to reset your password. Now you can’t access your bank details but they can.
The two part fix
It goes without saying that the first part of this fix is to guard that email password very jealously. If you can, set up a separate email address and use one for emails and the other for password resets. Use very strong passwords (the longer and more complicated the better).
The second part is to use secure institutions. Some sites (e.g. ClickBank) will not allow withdrawals for a week after a password reset. My bank will also send you a text message with a key before any password resets are activated. That way, you need both the email address and the mobile phone.
But losing your email password is more than just a lot of spam in your name; you could also lose your bank accounts.
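The two controls described in the second part of the fix (a texted key before a reset takes effect, and a one-week hold on withdrawals after a reset), sketched as an added Python example. This is not code from any bank or from ClickBank; the function names, the 15-minute expiry and the single-attempt rule are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets
from datetime import timedelta

WITHDRAWAL_HOLD = timedelta(days=7)    # the one-week hold after a reset
RESET_TTL = timedelta(minutes=15)      # assumed lifetime of a reset request

def digest(value):
    return hashlib.sha256(value.encode()).hexdigest()

class Account:
    def __init__(self, email, phone):
        self.email, self.phone = email, phone
        self.password = None       # (salt, PBKDF2 hash)
        self.last_reset = None     # time of the last completed reset
        self.pending = None        # (email token hash, SMS code hash, expiry)

def request_reset(account, now):
    """Issue two secrets: one for the inbox, one for the phone."""
    email_token = secrets.token_urlsafe(32)
    sms_code = f"{secrets.randbelow(10**6):06d}"
    account.pending = (digest(email_token), digest(sms_code), now + RESET_TTL)
    # A real service would email the token and text the code, never return them.
    return email_token, sms_code

def complete_reset(account, email_token, sms_code, new_password, now):
    """Apply the reset only if both the emailed token and the texted code match."""
    if account.pending is None:
        return False
    token_hash, code_hash, expires = account.pending
    account.pending = None         # single attempt, so the 6-digit code cannot be guessed at
    token_ok = hmac.compare_digest(digest(email_token), token_hash)
    code_ok = hmac.compare_digest(digest(sms_code), code_hash)
    if not (token_ok and code_ok and now <= expires):
        return False
    salt = os.urandom(16)
    account.password = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000))
    account.last_reset = now
    return True

def can_withdraw(account, now):
    """Block withdrawals until the hold after the last reset has passed."""
    return account.last_reset is None or now - account.last_reset >= WITHDRAWAL_HOLD
```

With this flow, someone holding only the mailbox can obtain the emailed token but cannot complete the reset, and even a completed reset does not unlock withdrawals until the hold has passed.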