A Richfield, Ohio, woman's recent experience losing access to her email to hackers is a good example of the importance of email security. It’s also a reminder that your email provides the keys to your online accounts.
Hackers nearly transferred $35,000 from Anita Gantner's retirement IRA to a different company and tried to move $350 from her bank. She has spent hours trying to regain access to accounts and cleaning up the identity theft mess.
In early June, Gantner stopped getting new mail to her Windstream email account, which she accesses on her phone and computer. She thought that was odd. It wasn’t prompting her by saying her password was wrong or asking for a new password. She just wasn’t getting new email.
She waited a day and tried again. Still nothing.
She searched online to see if there were any reports of a Windstream hack. She didn’t see anything. She phoned Windstream. After waiting on the phone for about an hour − and getting disconnected four times – Gantner reached a representative who she said told her there had been an email hack of the system and someone would get back to her when the problem was resolved.
About a week later, Gantner called Windstream and asked for her account to be disabled. But a week later when her husband sent a “test email,” it went through. She called Windstream again and was told the account would be disabled.
In the meantime, Gantner started getting letters thanking her for opening new accounts. She also was locked out of her Amazon account and still hasn’t been able to get into her Facebook account.
Why? Because when you “forget your password” or need to reset it, a reset link is sent to your email address on file.
Avoiding fraud:An elderly man was scammed out of millions. Could the bank have done more to prevent it?
She notified her financial adviser to watch for fraud. About 2½ weeks after she lost email access, the adviser called to say someone had moved nearly $35,000 from her retirement account with one company to another company.
The hackers got her Social Security number to open the new account.
The financial adviser and Gantner made were able to stop the transfer. She also turned off online access and transfer ability on her account to anyone, including herself and her financial adviser.
Gantner has been annoyed by all of the trouble, but she is most annoyed with Windstream, which she said isn’t taking responsibility.
“What really just got under my skin about this is Windstream never reaching out to me ... and this is going on and it's just outrageous,” she said. “I've gotten a dozen things in the mail from banks and whatnot about credit card or credit that they tried to open."
Gantner froze her credit after the breach.
In several email correspondences, Windstream spokesman Scott Morris said an investigation found no evidence of a hack of Windstream’s network or systems, but the company did identify a phishing campaign against some customers.
“We took immediate steps to protect any potentially impacted email accounts to include proactively notifying customers via email and text messages to change their passwords and update their security questions," Morris said.
“To help customers protect their email accounts, Windstream recommends using strong passwords, regular password changes and the addition of security questions. Also, customers should use different passwords for each of their password-protected accounts. We recommend email users also protect their passwords by installing anti-malware and anti-virus software on personal devices and keeping personal devices up to date.”
Gantner bristled at Windstream’s response. She knows about phishing emails and says she did not click on one. She also said numerous Windstream representatives have told her there was a hack.
Gantner acknowledged she had some “pretty weak” passwords on some of her accounts.
Eva Velasquez, president and CEO of the San-Diego based Identity Theft Resource Center, a nonprofit that offers free consumer assistance for ID theft victims, said email access is just as important to protect as other information.
“The message here is your email is not innocuous,” she said. “It is the keys to the kingdom because of that password reset function. And because of multifactor authentication, a lot of folks choose the email version rather than having a text sent to their phone.
“Think about it. Look at somebody's inbox, you've got a pretty good blueprint of their life,” she said.
It can be unclear where a hacker got email account information or other account access.
“There are so many different ways to compromise an email account,” she said. It could be from phishing, or smishing (a fake text message). It could be a breach or a vulnerability within the system or an unrelated breach in another system.
Here are some tips from Velasquez:
◾ Email passwords should be unique and should not be used on any other accounts. “It should be complex and 12 characters or longer or a combination of uppercase lowercase and characters,” Velasquez said. “It doesn't have to be gobbledygook that you're never going to remember. ... It can be kind of a passphrase,” which is a unique series of words strung together.
◾ Don’t use the same password or passphrase and your email address for all accounts. Oftentimes, hackers will make brute-force attacks and try to compromise systems to get usernames and passwords on accounts that people think are throwaway accounts, like an online exercise account or a subscription account, Velasquez said. Make sure you take similar password precautions on all accounts.
◾ Restore access to your email as soon as possible. Contact the provider directly at a number you know is correct. You will likely have to go through a robust authentication process “because you don't want the hackers to be able to just call customer service and say I lost access.” As much as you might want to disable the account, it will make it easier to get access to your other accounts if you get access back to your email, she said.
Gantner said the experience has been a wake-up call.
She has now created multiple emails (with different passwords) for various accounts − just in case there’s another breach.
"Even simple stuff, like airlines, and wherever I can, I set up two-step authentication,” she said.
The experience "makes me take this security thing much more seriously. I never thought someone could get that far into our accounts."
Consumer columnist Betty Lin-Fisher can be reached at 330-996-3724 or [email protected]