When Basic Email Security is not Enough

Alexander Freund

You may think that the standard security policies that come with your email account can protect you from hackers. It’s an easy mistake to make, but the truth of the matter is that, if a hacker really wants access to an account, then they will employ every tactic possible to get it, which can make standard password security measures woefully inadequate.

For the casual Internet user who only uses email to message family about holiday dinners, having basic password security for your email may be just fine. However, you still don’t want to underestimate the value of even a domestic email account. Just because you may not be a security guard at Ft. Knox doesn’t mean that the personal financial information linked to your email account won’t be valuable to hackers. What makes email so appealing to hackers is that a single account is often linked to the various other online services that you use. Some services are more valuable to a hacker than others, and the more services that are attached to an email account, the bigger a target it becomes.

The bigger the target you are to a hacker, the more time they will invest in getting around your email security solution. If a hacker has any level of skill, then a flimsy password won’t keep them out. A good hacker can bypass password security, but doing so takes time. Therefore, a hacker will need some kind of known incentive to be sure that the time invested in cracking an email password will be worth it. If your email is associated with your business, or it contains account information for a valuable website or online accounts, then your email account has a big bullseye right where the “@” symbol normally goes.

The thing about hackers is that they can get extremely creative when it comes to accessing accounts. In fact, hackers are not limited to guessing passwords through the login page, and they are not even limited to attacks over the Internet. Inside the hacker’s bag of tricks is a social engineering tactic that’s totally outside of your control: it’s called “the telephone.”

If a password is too complex for a hacker to crack, then they can pick up the phone and call your email hosting service pretending to be you. If the hacker can convince the technician over the phone that they are indeed you, then the operator will issue a new password to the hacker under the guise of “I forgot my password.” You may think that email hosting services have policies that will prevent something so obvious, but you’d be surprised to learn that this isn’t necessarily the case across the board.

For a hacker to trick an operator into giving them your email password, they will need some form of sensitive information. Hackers are pros at harvesting sensitive information, and the wider your digital footprint is, the more information a hacker can use to get what they want. For example, if a hacker were to get hold of your credit card number, or even part of your credit card number, and this happens to be the credit card number associated with your email account, then this may be the key (along with other personal information harvested from social media) to getting the operator to hand control of your account over to the hacker. In one case, an email hosting company was accused of actually allowing the hacker to guess a two-digit password code over the phone after they had successfully given the operator stolen credit card information.

Once a hacker has control of your account, the game is over. One of the first things they will do is reset the password and lock you out. They will then have free rein to collect as much personal information as they can from your email account, which includes the ability to obtain passwords to all of your other online services using the same social engineering tactic that originally gave them access to your email account. Of course, if your email is hosted internally, then your network administrator can easily wrestle control back from the hacker. However, if an impersonal third-party hosting service manages your account, then it will be much more difficult to convince them that you are, in fact, you.

There are a few precautions you can take to stop a hacker who is this determined to get hold of your sensitive information. You can implement multi-factor authentication for access to your email, which will require possession of your cell phone to log on. You can check the security policies of your email hosting company and have them tightened in order to close the back door for hackers, and one of the most effective things you can do is to be careful about how you share your personal information online.

By training yourself on how to safely do things like making online purchases, posting to social media, creating complex passwords, switching out passwords on a regular basis, securely storing your passwords using encryption services, and much more, you can significantly lower the risk of a hacker breaking into your account. To learn about these best practices for email security, and to equip your business with other enterprise-level security solutions like a Unified Threat Management tool for your network and a bulletproof spam email solution, give 4it a call at (305) 278-7100.