The "mugged in London" scam - Prevent thieves from breaking into your email account (5/18/11)

It starts with an email from a friend or colleague asking, "When did you go to London? That's terrible! Are you OK? How can we help?" Since you are not currently on a trip to London, you send a confused reply asking what they're talking about. Over the next few days and weeks you get similar concerned messages from a growing but odd assortment of friends, some of whom forward to you the email they originally received. It's apparently from you, claiming to be stuck in London after being robbed, and asking for money to enable you to get home. Of course, you never sent it.

This is just one example of a wide variety of scams that have been around for a long time. Unfortunately, the internet enables modern thieves to pull this off more efficiently than ever before.

How did this happen?
Email scams aren't new. It's easy for almost anyone to send an email that's been faked to say it's "From" your email address, but that type of scammer sends messages to millions of randomly stolen or made-up addresses.

What's different about this particular "London" scam (and others like it) is that the scammer has broken into your email account, gotten into your online Address Book, and then (if your Address Book isn't empty) sent those fake messages to your friends and colleagues. Because of their relationship with you, your friends are more likely than random strangers to be tricked by these messages (sent from your actual account, but not written by you) into sending money to the thieves.

And, if some of your friends reply with cautious skepticism, clever scammers may also read through your stored email messages, learn more about you, and use that information to send convincing replies, which may improve their chances of conning more of your friends into sending money.

Background
When it comes to your email account, there are generally two ways you can use it:

You can use "email client software" on your computer to compose, send, receive, and store your email messages and manage your Address Book. Common email programs include Outlook Express, Windows Mail, Outlook, Thunderbird, and Eudora on Windows, and Apple Mail, Thunderbird, Eudora, and Entourage on Macintosh. This method stores your messages and Address Book on your computer's hard drive, not on the internet, which means that the only way a thief could get access to this information would be to gain access to your computer.
You can use "webmail" (web-based email) to access your email account using your email server's web page, e.g., www.gmail.com for a Gmail account, www.comcast.net for Comcast, www.verizon.net for Verizon, www.aol.com for AOL, etc. In this case you would use a web browser (or special software like America Online or AOL Desktop) to access your email account via the internet. Common web browsers include Internet Explorer, Firefox, and Google Chrome on Windows, and Safari, Firefox, and Chrome on Macintosh. This method stores your messages and Address Book on your email server on the internet, not on your computer, which means that if a thief acquired your email address and account password, they would have full access to your account.

Security Implications
Here's what all this means:

If you're using an email client program on your computer (Outlook Express, etc.), since your email messages and Address Book are stored on your computer's hard drive, it's less likely (but not impossible) that this type of scam will affect you.
However, if you use webmail, i.e., your email messages and Address Book are stored on your email server on the internet "in the cloud" (i.e., not on your computer). You are at a much higher risk for this type of scam. See below for my advice on reducing this risk.

On the other hand, your friends and colleagues who receive one of these "I'm in London" emails are not at risk of having their accounts broken into just because of the message they received from "you."

If this scam has already occurred, i.e., if your online email account has already been compromised, follow these steps immediately
If you have already been targeted by such a scam, here's what you should do right away:

Immediately change your email account password. Choose a new password that you've never used before, and make it a "strong" password, i.e., at least 8 characters long using a combination of uppercase letters, lowercase letters, digits, and (if permitted) punctuation. Avoid using a single word or anything resembling personal information about you, including names, dates, and street addresses. Although passwords like "HEkd83;Bzi3q" technically fit the bill, I recommend the more manageable approach of combining a few words with digits and punctuation, e.g., "Agnostic23!Sprinter47" or "Ag23nostic!Sprint47er" is even better.
If you use any other computers (laptops and netbooks) or devices (smartphones, iPads, etc.) to access your email, don't forget to update your email password in those devices as well.
Have your computer thoroughly scanned for infections, since one of the many methods they may have used to get your password is a "password-stealing" or "keystroke-logging" infection. You should not only scan for viruses, but also scan for other types of infections (worms, trojan horses, spyware, etc.).
After that, if any infections were found and removed, change your email password again (and update your other computers and devices, again), since a password-stealing infection may have seen you change your password before that infection was removed.

Check your email account for sabotage
In recent weeks I have not only had a number of clients experience this scam, but a few have also had their email accounts sabotaged. Thus, I strongly recommend that you also check all of your online email account settings:

Look for any "reply-to" address the thieves may have set. For example, if your email address is "johnsmith@gmail.com," the thieves may have set a "reply-to" address in your account, for example "johnnsmith@gmail.com" (note the extra letter in the middle), which cleverly prevents anyone to whom you send an email from successfully replying back to you, further isolating you from your friends.
Look for any "alternate email addresses" the thieves may have set, especially ones that will permit them to "reset" your password. I've seen such scammers add their email addresses into compromised accounts, giving them the ability to change your password in the future even after you've changed it to something else, locking you out of your account.
Similarly, look for any changes to your "security questions" or any other settings related to changing your password.
Review all other settings, looking for anything suspicious.

This should keep the thieves out of your online email account. Also, if they didn't keep a copy of your Address Book then the fake messages will probably stop, but you can't be sure of that.

I have also seen malicious destruction of account information, including:

The online email Address Book was completely wiped out. Without a backup copy, it might be possible to partially reconstruct it by "harvesting" the email addresses from the remaining messages in the Inbox and Sent folders.
Some or all email messages were deleted from the online Inbox or Sent folders.

No notice of potential breach or suspicious behavior
Given this need for security, I find it particularly surprising that most online email systems give you no notice (nor even the option to be notified) when someone:

Tries to log in but uses the wrong password
Successfully changes the password
Sets a "reply-to" address
Changes a security question
Deletes the entire Address Book

Any one of these could serve as an "early warning" that someone is trying to break into (or has already broken into) your account. Sadly, many other online systems that are more security-conscious, including many online banking, credit card, and investment house systems also lack the ability to warn you. A few systems (PayPal, Facebook, LogMeIn) do give some notice, but overall the concept is sorely lacking.

If this scam has not affected you, follow these steps as soon as you can
Even if you haven't been a victim of this type of scam, I strongly suggest that you:

Change your online email account password to a "strong" one as I suggest above. Don't forget to update your email software, web browser, or smartphone with this new password.
Have your computer thoroughly scanned for infections (not just viruses, but all types of infections), since today's infection may lead to tomorrow's broken-into email account.
If you use webmail, make a backup copy of your online Address Book. Look for an "export" function that will create a text file containing a copy of your Address Book that you can store on your hard drive for safekeeping.
Review your email account's "security questions" that permit you (or a thief) to reset your password, and strongly consider changing them to have the wrong answers, so a thief who has researched your life won't be able to break in, even if they find out "the street you grew up on" or "the college you attended." Note these "wrong answers" on your password chart, since you probably won't remember them.
If you use a wireless network, make sure it's using the highest level of security. See "Wireless is always better, right?" (http://www.kadansky.com/files/newsletters/2010/2010_01_27.html) for more info.

I never type a password, so my email account must not have one
This is a common myth. All email accounts have passwords. I guarantee you that yours has one. If you aren't required to type it in every time, that is a convenience provided to you by the software on your computer:

If you're using email client software, whoever set it up probably typed in your password at the time, and your email software has been using it "behind the scenes" to send and receive your messages ever since.
If you're using webmail, your web browser may have been set to remember your password and type it for you when you sign in.
When you check your email using your smartphone, the phone probably has your password stored along with your other email settings.

How did they get my email password?
There are an ever-increasing number of methods thieves can use to get your password:

You've used the same password for many accounts over many years, and you've accidentally revealed it.
You've used a common password like "1234," "password," "1111," etc.
You've used a simple password based on personal information like your name, birthday, home address, college, etc.
You've used answers to your password-reset security questions that are easily researched online, including your mother's maiden name, the college you attended, etc.
You've been tricked into revealing your password via a "phishing" web site, email, Facebook message, etc.
You've been tricked you into granting access directly into your online email account to a thief (e.g., "third-party access privileges" on Gmail).
Someone looked over your shoulder when you signed into your account in a public place like Starbucks.
Someone electronically "observed" you signing in and stole your password when your computer was on an insecure wireless network.
Your computer has a password-stealing or keystroke-logging infection, which was either delivered by a virus or which you were tricked into downloading and installing.
Your computer has a physical key-logging device plugged into its keyboard or USB port.
You've lost or misplaced your password chart, or someone has stolen it.
Your employer's corporate email system was broken into.
"Slow brute force": Since many online email systems are designed to "lock you out" after a small number of failed password guesses within a given period of time (just like an ATM machine will "eat your card" after a few failed PIN entries), some modern thieves now use "slow brute force," where they try one password guess per day on your account along with millions of other accounts that day. Over time (perhaps after hundreds or thousands of days) they may eventually hit upon your password and get in.

And, since social networking sites like Facebook, Twitter, LinkedIn are growing in popularity and messaging abilities, scammers and thieves are quite active on those sites, too, so all of this advice applies to those passwords as well.

Real-world versions of this scam
This general type of scam long predates the internet. Imagine receiving a phone call from someone claiming to be a relative in trouble and needing money. They may have researched you in advance to find out that you have a nephew named Charles, or use generic opening ploys like "Hi Auntie, I need your help!" and trick you into revealing information they can use to further manipulate you. The best defense is to remain skeptical, ask questions that only the real person would know that are not public knowledge, and to delay sending any money until you contact other friends or family who are likely to have up-to-date information on the person and their actual whereabouts.

Conclusions

Your most valuable password is the one protecting your email account and your Address Book.
The power of this scam comes from the real-life relationships you have with the people in your Address book. Ironically, your closest friends and family probably know when you're traveling and when you're at home, so they're presumably less likely to be fooled. It's your other contacts that don't know your travel plans or habits but who care about your safety and well-being who are more likely to be taken in.
Any information you store online ("in the cloud") is only as secure as the password protecting it. You should choose a strong password, and take all reasonable measures to keep that password secure.
Gently warn your friends and colleagues about this potential scam.

Where to go from here
More on this scam: