Tuesday, August 4, 2009

Quarantine

Joe has an email account he has had for over 10 years. He emails coworkers, friends, and family from the account regularly. His mother still sends him e-birthday cards every year. It is used for TurboTax and his online banking, and he often emails projects from his work email to his personal email so he can work on the finishing touches from home. His order confirmation emails for eBay, Amazon, and Travelocity all go to the same email. His doctor’s office and insurance send appointment reminders and paperless statements to that address. Recently, he requested an address change online with his bank, the DMV and the Post Office, and he was pleased to find he could do it all paperless. He’s very environmentally conscious, and keeps meticulous records. Joe, in fact, is pretty average.

This email address is about as firmly established a record of Joe’s identity as a credit report: it contains details of his finances, his address history, and his birthday just as a credit report would. His address book reveals his mother’s maiden name, and a compromise of the account could easily result in his tax information and social security number being revealed. A compromise or lockout of this account could be devastating. He doesn’t have a paper copy or other access to those email addresses. In some cases, the only contact information he has for people is email. If someone were to gain access, he would not be the only target. All those individuals in his address book would be contacted and extorted for money. It will take Joe a long time to try to track them all down and warn them, and by that time it is probably already too late. His company might be blackmailed based on intellectual property gained from the compromise. His accounts could be taken over and emptied, his identity stolen and used for credit cards, utilities and medical services. A routine traffic stop might result in jail time while law enforcement figures out that there was a fake ID provided during a DUI stop. With the information available in that email, Joe’s life can be stolen lock, stock and barrel.

If your email is this tied up with your identity, it is important to protect it. When you use your email address to sign up for services or profiles, you are adding another avenue to attack your account. How do you quarantine an email?

  • Security experts actually recommend that, “A good rule of thumb for the average email user is to keep a minimum of three email accounts. Your work account should be used exclusively for work-related conversations. Your second email account should be used for personal conversations and contacts, and your third email account should be used as a general catch-all for all hazardous behavior.”
  • Take inventory. Make a list of all the websites you have attached to your email, all the contacts in your address book and anyone you regularly contact via that account. The average user has about 12 online accounts registered with their main email. Then, go through your folders and archived emails and scan them so you have a good idea exactly what is in your account.
  • Make sure you have a disaster plan. After you have taken inventory, think about what you would do if you were to suddenly lose all access to that email. Are your documents backed up? Do you have phone numbers for your contacts so you can warn them? Do the websites attached to your email account have a 24/7 toll-free line for assistance? Do you have any of this contact information for the companies or persons in a non-technical format in case your entire computer is compromised?
  • Never use the trusted email or part of the email address as a username. Never use the same usernames and passwords for all accounts. Also, many services are now offering an option to force your password to expire periodically (live.com has an option for 72-day expiration, for example). Find your security settings and use them.
  • Many websites now offer the ability to register two email accounts with your profile. If the option is available, use it. Create an isolated, secure email and keep it safe. This way, if your email is compromised or the profile hacked, you still have a second account through which you can communicate the issues to the company or retrieve a password.
  • When signing up for social networking sites, use an email account just for that site or your “catch all” email. This prevents hackers from gaining access to your trusted email through the site and scammers from spoofing your email to try to extort money from your list of contacts. People will be more suspicious of an email coming from FacebookJoe@domain.net than from yourtrustedemail@sinceforever.com, and it will give you time to contact them to tell them of the fraud.
  • Never use your trusted email for comments, blogging, chatting, or any online forms. Your trusted email should be for communicating with real people only. There are plenty of services out there that will set up dummy email addresses for free. This allows you to keep your email address secure but still give contact information out and receive communication at the same inbox. If the dummy email address becomes tainted, you can easily amputate by shutting down the address entirely. Just Google “disposable email address” or “temporary email address” and you will find plenty of services to choose from.
  • Don’t unsubscribe from mailing lists you suddenly find yourself on. Clicking on the “unsubscribe” link or hitting reply could verify your account as “live” to a scammer. Instead, block the email address you are receiving the subscription from.
  • Determine whether the risk of mobile banking is worth the convenience. Does your phone have antivirus? Can you get an antivirus? Contact your service provider and determine if there are additional security settings you can select. For more information on cell phone and smart phone security from the US government, click here.
  • Be cautious of Wi-Fi. There are plenty of cyber criminals out there who set up unsecured wireless connections in common hot spots to try to catch someone doing a little online banking or email while sipping their coffee. Check your wireless connection at home and in the office: is it secure? Encrypted?
  • When sending highly sensitive information, consider using encryption or steganography for the message and data.
  • Be discriminating about sending forwards. If the email were to fall into the wrong hands, a crook could use the contacts in the email to try to scam everyone included on the communications.
Don't let embarrassment keep you from doing your part in reporting the incident to authorities. Remember that cybercrime is serious, and should be reported to the FBI's Internet Crime Complaint Center at ic3.gov and to your email provider, typically at abuse@[yourdomain.com].