I'm hearing this more and more frequently:
- "I got an odd email from a friend the other day. It just didn't sound like something she would have written."
- "I received an email from a colleague that didn't say much, but he wanted me to go to some strange website."
Such email messages can indicate that your friend's or colleague's email account has been "hacked" (broken into), and now the hacker is using your friend's email address book (which includes your address) to try to take advantage of their relationship with you. The idea is to trick you into doing something that may compromise your security or personal information.
Here's my advice on what you should do:
Suggestion #1: Don't click the link in that message!
If you haven't learned to be careful or suspicious, email messages like these from a trusted friend or colleague can fool you:
- "Take a look at this" or "For you," followed by a link to a website.
- Some have an obvious advertising pitch like "Weight loss made easy" or "Make money with this stock" or "Improve your life with this!"
- Some have a compelling or upsetting pitch like "Someone's posting bad (or funny) stuff about you online" or "I'm stranded! Help me get home!"
- Some might be from a colleague who needs your social security number, date of birth, credit card number, or some other personal data in order to finish that important project or help that big client.
- Others only have the link and nothing else.
The subject may or may not match the body of the message, or it may just be blank. Sometimes there are a few other recipients in the TO or CC fields, sometimes the only recipient is you.
I've also looked at the websites where the links take you. I've seen a range of destinations, including Canadian pharmacies, "rolex" watches for sale, and other fake or suspicious sites. I've also gotten "server not found" errors, indicating that the websites were already gone and the hackers had moved on.
What's the harm in clicking the link and just taking a look at the website? Well, technically speaking, any website you visit can not only download the visible elements you see on your screen (text, still pictures, animations, etc.), but it can also quietly attempt to download software onto your computer that you don't see, in order to try to infect your computer with a virus. Whether this infection attempt succeeds depends on your web browser's settings, your antivirus software, and more.
Yes, it's possible that your friend actually sent this message, trying to share something interesting with you in a terse or unusual way. But is it likely? Instead of spending a lot of time wondering or second-guessing, you could....
Suggestion #2: Tell your friend about this suspicious message
Either your friend sent this message, or they didn't.
If they did send it, there's no harm in confirming that.
If they didn't, then you could really help them out by telling them about this message, since they probably have no idea that the hacker has broken into their account and done this.
There are some simple ways you can let them know:
- Compose a Reply to the suspicious message. This is the quickest, most convenient approach. However, one suspicious message I received from a client contained a special option called a "reply-to" address (an alternate return address) that resembled my client's real address, but it had an extra letter in the middle. This means that anyone who simply clicked Reply would be sending a message to that other (probably nonexistent) address, and my client would never see it, preventing (or delaying) them from learning about all this and getting help.
- Compose a new message from scratch, and address it to your friend yourself. This is less convenient than using Reply, but (assuming you're using your own email address book) a much more reliable way of contacting your friend, especially if the suspicious message contains a bogus "reply-to" return address. Since this method won't copy the subject or body of the suspicious message, if you wanted to show your friend exactly what you received you'd have to Copy and Paste those elements into your new message yourself.
- Even better, click Forward, and then address this new message to your friend yourself. Since Forward usually copies the Subject and Body of the original message into the new message, if you want your friend to see a copy of what you received, this saves you the effort of Copying and Pasting.
- Call your friend on the phone and tell them about this email. If you know that they have more than one email account, be specific about which account the suspicious message came from.
- Send a text message to your friend's cell phone.
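The bogus "reply-to" address described above is something you can check for mechanically before you hit Reply. The following is an added example, not code from the original post: it uses only the Python standard library to compare a message's From and Reply-To addresses, and it flags the look-alike case (an address that differs from the visible sender by only a character or two) separately from an outright mismatch. The two sample messages and every address in them are constructed placeholders.

```python
"""Flag email messages whose Reply-To address differs from the From address.

Added example (not part of the original post). Uses only the Python standard
library; the sample messages below are constructed for illustration and every
address in them is a placeholder.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample: the Reply-To has one extra letter in the local part,
# so a plain Reply would never reach the real sender.
SUSPICIOUS_MESSAGE = """\
From: Pat Example <pat.example@example.com>
Reply-To: Pat Example <pat.exxample@example.com>
To: you@example.net
Subject: for you

http://example.invalid/look
"""

# Constructed sample: an ordinary message with no Reply-To header.
NORMAL_MESSAGE = """\
From: Pat Example <pat.example@example.com>
To: you@example.net
Subject: lunch tomorrow?

Same place at noon?
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits
    (insert, delete, substitute) needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_reply_to(raw_message: str) -> Optional[str]:
    """Return a warning if replies would go somewhere other than the visible
    sender; return None when there is no Reply-To or it matches From."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()

    if not reply_to or reply_to == sender:
        return None

    distance = edit_distance(sender, reply_to)
    if distance <= 2:
        # The case from the post: an address that is almost, but not quite,
        # the sender's real address.
        return (f"look-alike Reply-To: replies go to {reply_to}, not to the "
                f"visible sender {sender} ({distance} character(s) differ)")
    return f"Reply-To {reply_to} does not match From {sender}"


if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        print(f"{label}: {check_reply_to(raw) or 'reply goes to the visible sender'}")
```

Run it as a script to see both verdicts. In practice you would feed it the raw source of the message your mail client shows under "View source" or "Show original"; a non-None result is your cue to compose a fresh message or forward instead of replying.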
What should you say? I suggest combining the following ideas:
- "I just received an email from you (see below for an exact copy)" or "I just received an email from you that said X and asked me to visit the Y website."
- "I'm wondering if you sent this, since it didn't sound like you / was very terse / didn't say anything. If you did, I appreciate the thought, but if you didn't, then I think that someone has broken into your email account and is sending out these emails pretending to be you!"
Suggestion #3: Advise your friend to change their email account password
Notifying your friend is great, but chances are they may never have experienced this before. Should you give them additional advice?
Certainly the most important first step for someone whose account has been hacked is for them to change their email password to try to prevent the hacker from exploiting their account further. Ideally, the new password should be different from all other passwords, and be "strong" (at least 8 characters, a combination of upper- and lowercase letters plus numbers, and punctuation if possible). I wouldn't go into detail on exactly how to do this unless you know they would need (and appreciate) your help.
However, changing their email password creates additional things they need to do, since most people have multiple ways they access their email account:
- They'll need to update the password that their computer's email software has probably stored internally for their convenience, since they probably don't type the password every time they send or receive email.
- They'll need to update the email password that their various devices have probably stored, including their cell phone (smartphone), iPad, etc.
- They may also need to update the email password that other software on their computer has stored. For example, some backup programs can send an email when they're done, and they usually need the user's email password to make this work. When the password gets changed, the backup software's email notifications will stop unless the user puts the new password into the software.
Without getting into all this detail, you might limit what you say to "I suggest you change your email password right away, and don't forget that there are other things that will also need that new password, like your email software, cell phone, etc."
Suggestion #4: Discourage them from "changing" their email address
Some people who experience this may panic and (perhaps with the unthinking advice of customer service personnel) decide to "change" their email address. This is completely unnecessary and has drastic and negative consequences.
It's never as simple as "changing" their address:
- They would have to stop using their old email account, either abandoning it or closing it. Either of these approaches will cause all sorts of problems, including cutting off friends, family, coworkers and clients who can no longer contact them by email, missing out on email notices and newsletters from membership organizations and stores, losing the ability to use the "Forgot your password" mechanism on other accounts they've created, etc.
- They would have to create a new email account, which will cause more confusion among their friends and services, and create the need to update their email information in their subscriptions, memberships, email software, smartphones, etc.
So, depending on your relationship with them, you may want to gently suggest that they not change their email address, but stick with the one they've got. You don't deal with a compromised email account like you would with a bank or credit card account!
Suggestion #5: Consider giving your friend additional advice on what to do next
There are additional things that should be done after one's email account has been hacked:
- Have their computer scanned for infections.
- Have their email account settings checked for sabotage, as well as ways the hacker may have "left open a back door" so they can break in again, even after the password has been changed.
- Send out a notice to their contacts that their email has been hacked and to ignore the suspicious message(s) they may receive.
- Learn more about protecting themselves, including spotting ways they could be tricked into revealing their passwords, or tricked into downloading infected software.
Again, you should decide how much advice you want to give, depending on your relationship with your friend.
Suggestion #6: Learn more about this yourself
It's natural to be sympathetic that this happened to your friend, and perhaps a little relieved that it didn't happen to you. We all like to think that this couldn't happen to us. The reality is that everyone's email account may be vulnerable. There are many ways hackers can break into your account, whether they guess your password, trick you into revealing it, figure out the answers to your security questions, or exploit some other weakness in your security. Learn more about this and improve your own protection and vigilance.
Conclusions
Where to go from here
- When you receive a suspicious message from a friend, protect yourself first. Don't click any links in that message!
- Tell your friend about it right away.
- Educate yourself about this, since your account may be next!