I've been mugged!
At least that's what the e-mail message said that was sent out to everyone on my Google contact list. The request for financial help did actually originate from my Gmail box and claimed that my family and I were in Spain, had been mugged, and had everything stolen except for our passports. That last detail, as it turns out, is very important. You see, in order to receive a wire transfer of funds, you have to have some form of identification. Had the passport been stolen as well, it would be impossible to scam my contacts out of their money.
The truth is, I've never been to Spain.
Yet the hackers message was true in one respect: I had been mugged. No, not at the train station in Madrid, and no money was stolen – to my knowledge. Instead, it was my identity that was taken away from me. In some ways, it would have been easier to have my wallet stolen, call up the various credit card companies and cancel my cards. Since it was my Gmail box that was stolen away from me, I probably spent about four or five hours yesterday going to all of my online sites and changing my passwords.
It all started at 620 in the morning when I received a call from my sister-in-law. She had received the request for funds, and knowing that I was not in Spain wanted to warn me to fix the problem before people started getting scammed out of their money. I jumped out of bed and sat down in front of my computer but when I went to log into Gmail, my password was no longer accepted. That's the moment when I knew I had been mugged. Somehow, the hacker had gotten my password. It's not one that someone could guess either, so that means that one of the sites I used that same password on, had lost track of it, so to speak.
Fortunately, Google has a process that you can go through to reestablish your account. I needed to give certain information like my phone number in several addresses that I e-mail frequently, and a secondary e-mail address that had been linked to my account. With this information, Google sent me a link to reset my password and regain access to my account. But the damage was already done. My entire e-mail history and contact list were wiped clean. Being an android user, I had all my contacts on my phone and were able to sync them back later in the day. But the e-mail is all lost. As I checked the settings in my account, I noticed right away that the hacker had set all incoming mail to be forwarded to a Yahoo account in my name. In addition, the reply to address on the e-mail that was sent out was set to the same Yahoo mailbox. The message came from my Gmail account, and this could be verified beyond a doubt. However anyone who clicked reply might not notice that their reply was redirected to a Yahoo account. Even after I regained control of my account, people replying to the original message would be communicating with the scam artist rather than yours truly.
I know of a couple people who engaged with the scammer, and I'm still hoping and praying that no one actually wired the money.
Lessons learned
I've always been very careful about my passwords that are used on websites that allow financial transactions. But I've not paid as much attention to passwords on social networking sites, and e-mail boxes. Those sites seemed rather harmless, until yesterday. Now I will take the advice of my friend Ed Bussa, and I will use a randomly generated passwords for all my online activities. He uses a software tool to store his passwords, and I have been using one too, but now it is time to up the ante and get more serious about passwords.
Google has a 2 step authentication process that would have prevented this hack from taking place. I will be setting this up today. He