A colleague got an odd email from you, but you didn’t send it. … How did this happen? Were you hacked?
With the right IT security measures in place, successful attacks on corporate email systems are rare, but they do happen.
So what should you do when you think you’ve been hacked?
1. Have your IT support team determine the scope of the breach.
It’s possible that the hacker only spoofed your email address (sent an email that LOOKED like it was from you, but wasn’t actually from you.) Spoofing emails can be surprisingly easy for hackers, and they don’t need to get into the email system to do it.
But if your login credentials were compromised, that’s a much bigger deal. Once your IT team investigates how the hackers got in, they’ll usually be able to trace what they did while they were in there and get their arms around the scope of the breach.
2. Review every service that uses that email address and change your passwords.
Think about all of the places that you log in to on a regular basis – your bank account, social media accounts, online software applications, etc. Because most online services use your email address and password as the way to verify that it is in fact YOU trying to get in, the problem can leapfrog to other systems and services.
If you use the same email and password for all of them, now the hacker has access to ALL of those accounts too.
If you don’t change your passwords, you’re leaving yourself open to future breaches. Hackers may not immediately go after all of your accounts. It’s more likely that they’ll save the data they found and will go back at a later date. That’s why changing your passwords as soon as you learn about the breach is so important.
3. Notify the appropriate parties right away.
Depending on the kind of breach that occurred and what was accessed, the parties you’re obligated to notify will vary. Consult with your lawyer to see exactly what type of communication you need to provide to clients, employees, and/or vendors.
If your personal email address or social media accounts were compromised, let your friends and family know as soon as possible, that way they don’t accidentally interact with a malicious email or Facebook post.
4. Look into identity theft services.
If you think any personal information was compromised, consider identity theft services. There are many options available and it doesn’t hurt to protect yourself.
The best defense against these types of attacks is to use strong, complex passwords. One of the best tricks is to use a passphrase (a sentence with punctuation) instead of a password. Not only will it be easier to remember, but it will also be much more difficult for hackers to crack if you use a long passphrase with a mix of lower-and-upper case letters, spaces, numbers, and special characters.
There are also many enterprise email systems that offer multi-factor authentication for added security. You may have experienced this with online banking or credit card accounts. These systems send you a text message or call you with a code so they can verify your identity.
If you think your email and IT security isn’t as secure as it should be, talk to a trusted IT support professional.
As featured in the November 27th issue of The Press-Enterprise