Phishing emails can easily catch you unawares
A few days ago, towards the end of the working day, I checked my email and found a message from my internet provider. It said that I needed to log in to my account in order to upgrade the options on my account. I was a bit puzzled about which password it wanted and entered my email password for the email account provided by my ISP.
For some reason that – with hindsight – I really don’t understand, I was taken to the genuine login page for my ISP and told that I had entered an incorrect password. After trying the account password and the email password a couple more times, I realised that the email was a phishing scam. This was immediately obvious when I looked at the email address of the sender – nothing whatever to do with my ISP. Here is the email:
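The check that gave the game away above was looking at the sender's actual address rather than the display name. As an added example (not part of the original post), the script below pulls the real address out of a From: header and tests whether its domain is, or is a subdomain of, the domain you expect. The two sets of headers are constructed for illustration, and the expected ISP domain (zen.co.uk) is an assumption about Zen's sending domain.

```python
"""Check whether an email's From: address belongs to the organisation the
display name claims.  Added example, not from the original post.  The
headers below are constructed and the expected ISP domain is an assumption."""
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing headers: the display name says "Zen Internet" but the
# address is on an unrelated (made-up) domain.
PHISH_HEADERS = """\
From: "Zen Internet Support" <billing-update@mail-notify-service.example>
To: customer@example.net
Subject: Action required: upgrade your account options
"""

# Constructed genuine-looking headers for comparison.
GENUINE_HEADERS = """\
From: Zen Internet <support@zen.co.uk>
To: customer@example.net
Subject: Your monthly statement
"""


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the actual From: address, ignoring
    the display name (which the attacker controls completely)."""
    msg = message_from_string(raw_message)
    _display_name, address = parseaddr(msg.get("From", ""))
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def is_from_domain(raw_message: str, expected_domain: str) -> bool:
    """True only if the From: domain equals expected_domain or is a subdomain
    of it.  A plain substring test would be fooled by a domain such as
    zen.co.uk.attacker.example, so the suffix must include the leading dot."""
    domain = sender_domain(raw_message)
    expected = expected_domain.lower()
    return domain == expected or domain.endswith("." + expected)


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_HEADERS), ("genuine", GENUINE_HEADERS)):
        print(label, sender_domain(raw), is_from_domain(raw, "zen.co.uk"))
```

Two caveats: a mismatched domain is strong evidence of a scam, but a matching one is not proof of legitimacy, because the From: header is trivially forged and only SPF/DKIM/DMARC results (which most mail clients show under "view headers" or "show original") tell you whether the claimed domain actually sent the message. And the link in the body can point somewhere else entirely, so hover over it before clicking.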
In these circumstances, it is important to act quickly before the bad guys can take advantage of the information you’ve just stupidly given them. So, I called my ISP (who, being Zen, answered almost immediately and were able to direct me to my password-changing options quicker than I could have found them myself). Just for good measure, I changed the password for both the account and for the email.
Nasty scam emails can have more than one “payload” in each message, so I also ran Malwarebytes and a full antivirus scan. These came out clean.
Now, the morals of this tale are twofold:
- Over 30 years' professional IT experience doesn't entirely protect you from doing something daft occasionally – especially, I suppose, towards the end of the day. This is also a good reason for making sure that you take data backups. Some mistakes can be rectified by fishing something out of the recycle bin, but not all.
- Do not EVER use a password in more than one place. The email password I gave away had been allocated by my ISP when I joined them 14 years ago. I am absolutely sure it has never been used for anything else. Therefore, as soon as I had changed the email password in my Zen account, I was completely confident that I had not exposed any other accounts.
Just imagine the grief I’d have been in for if I’d used the same password for Amazon, YouTube, Norton, Apple, Microsoft, Google, etc. It could have taken hours to find all the places where I might have used the same password, and taken corrective action. Indeed, one of my clients had an incident a year or so ago, following which I recommended that she change her passwords, and she later told me that it took more than a day.
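The hours-long hunt described above only happens when you have no record of which password went where. If your passwords live in a password manager, "which other accounts share the password I just gave away?" becomes a query over its export. The following is an added example, not code from the original post: it reads a constructed CSV export (the column names assume the common name/url/username/password layout; check your own manager's export format), lists every account that shares the leaked password so those get changed first, and reports any other reuse it finds. Fingerprints are hashed so the report never contains a password in the clear.

```python
"""Triage after a password has been given away: find every account that
shares it.  Added example, not from the original post.  The CSV export
below is constructed, and the column names are an assumption about the
password manager's export format."""
import csv
import hashlib
from collections import defaultdict
from io import StringIO

# Constructed password-manager export; all values are made up.
EXPORT_CSV = """\
name,url,username,password
ISP email,https://webmail.example-isp.net,me@example-isp.net,Gr8-Unique-1998!
ISP account,https://portal.example-isp.net,customer123,Another-one-for-the-portal
Shop,https://shop.example,me@example-isp.net,Gr8-Unique-1998!
Video,https://video.example,me@example-isp.net,Gr8-Unique-1998!
Bank,https://bank.example,12345678,Correct-Horse-Battery-Staple
"""


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so a reuse report never shows the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def load_entries(csv_text: str) -> list:
    """Parse the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(csv_text)))


def accounts_sharing(entries, leaked_password: str) -> list:
    """Sorted names of every account whose stored password equals the one
    that was just typed into the phishing page.  These are changed first."""
    return sorted(e["name"] for e in entries if e["password"] == leaked_password)


def reuse_report(entries) -> dict:
    """Map password fingerprint -> sorted account names, for every password
    that appears on more than one account.  Anything listed here is a
    future incident waiting to happen, whether or not it leaked today."""
    groups = defaultdict(list)
    for e in entries:
        groups[fingerprint(e["password"])].append(e["name"])
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    entries = load_entries(EXPORT_CSV)
    # In the story the ISP email password was the one typed into the scam page.
    leaked = next(e["password"] for e in entries if e["name"] == "ISP email")
    print("Change these first:", accounts_sharing(entries, leaked))
    print("Other reuse to fix:", reuse_report(entries))
```

With unique passwords everywhere, the first list contains exactly one entry and the second is empty, which is the situation the post describes: one password change and the incident is closed. Change the leaked password before running any reuse report, and treat the export file itself as sensitive (delete it securely afterwards).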
I know I keep finding new excuses for making passwords the subject of these blog posts, but the truth of the matter is that this is the area of computing that causes my own clients the single biggest problem. Being rigorous in using unique, strong passwords, and being equally rigorous in knowing where to find your passwords and which one refers to which account, can save a great deal of trouble in the long run. It can also minimise the risk and the hassle if you should happen to have a senior moment late in the afternoon.