Monday, March 15, 2010

Go Phish

The other Inkers here and some of our other regular readers already know my Facebook and Gmail accounts were hacked last week. A whiny, poorly written email went out to everyone in my address book saying I'd been mugged in London and needed money.

In fact, you're probably pretty tired of hearing about it. I don't blame you.

Mother necessity is a wonderful taskmaster, though, and after setting things more or less to rights, I did a little research. The first thing I discovered was that I was incredibly lucky.

  • I was online and could respond quickly. When my chat window opened and "I" started chatting with other Facebook folks, I sent out a status update telling everyone to ignore all chat requests and messages from "me" for a while.
  • The scam is well known. Facebook and Google responded very quickly to my reports. Facebook suspended my account before the hackers started sending messages to all my Friends, and only a few people got the weird chat thing.
  • I more or less remembered when I had started my Gmail account. It's one of the things they ask, and if you're way off they won't help you reset your password.
  • The hackers didn't seem interested in actually stealing my identity, just this single-minded phishing scam.
  • My email accounts forward to one another. The hackers put a filter on the hijacked account to hide all responses to the initial phishing email. However, even when I couldn't get into my Gmail account, those emails were being forwarded to another account so I could see everything going on.
  • When I regained control over my Gmail account I checked all the forwarding options and found a new one, to a Yahoo account that looked like me -- but wasn't. DELETE.
  • All my financial, banking, PayPal and online ordering is done out of a totally separate account that has no connection whatsoever to any social networking sites.
  • Everyone was so incredibly nice and supportive.

I also ran across a few things to help avoid hackers in the future -- standard wisdom, things I'd ignored at my own peril, and a few completely new suggestions.

  • First and foremost, have a complicated password, and have a different one for every account. That should go without saying, but it doesn't. Complicated means twelve characters or more, with upper and lower case letters, a number or two, and a symbol or two. Plus -- don't use dictionary words, the names of gods/goddesses or popular fictional characters (sob!). Yes, this makes those passwords really long and ugly and hard to remember. It's worth it.
  • Change your passwords at least every three months. No more twice a year for me.
  • Have a separate email account associated with Facebook, Twitter, and other social networking sites that forward activity to your inbox. This, too, is a pain. However, I'm going to pretend that it'll help me compartmentalize online promotion from writing.
  • Of course you should never log into financial accounts from public computers. Key loggers abound for the sole purpose of getting your logins and passwords. But you also shouldn't log into email or social networking sites from Internet kiosks, coffee shop computers and the like.
  • If you see any indication of hanky panky in your email, change your password at once.
  • A lot of phishing scams get your login and password information by asking for it. Never respond to an email asking you to verify login information, or directing you to a site where you can verify login information.
  • Avoid games and apps on Facebook, as they are often gateways for hackers, and spread virally from player to player. Maybe now people will forgive my complete disinterest in Mafia Wars and Snowball Fights.

And yet, despite that disinterest and my refusal to click on links unless I knew what they were, someone weaseled in. It could have been so much worse, but still -- it seems like there should be more we can do.

I'm not alone in this experience. Anybody have stories to share? Suggestions to add to those above?


Elizabeth Spann Craig/Riley Adams said...

I hate that you had to go through this Cricket, but thanks so much for passing along your tips for us and processing your experience in such a useful way.

Mystery Writing is Murder

G.M. Malliet said...

Was the purpose of this scam to defraud people of their money, or was it just to annoy Google? Somehow, the first motive, while despicable, makes more sense to me.

Cricket McRae said...

Thanks, Elizabeth -- I hope these tips help someone.

Gin, I'm sure the purpose was to defraud people. I received some very funny emails wondering when I'd be returning the 5K people sent here and there (my sense of humor eventually caught up), but there was one sweet soul who really did try to send a hundred dollars. If I hadn't had access to incoming emails I wouldn't have been able to stop her in time.

Alan Orloff said...

An awful experience, Cricket! Sometimes I think I should disconnect from everything--no Internet, no email, no nothing. Then I wouldn't be a target. Except...the one time my identity was stolen was in the pre-Internet age. (By the way, you don't have to pay me back for a while. I know you're good for it.)

Cricket McRae said...

Your identity was stolen? That is so much worse than my little kerfuffle! I'll certainly be more careful in the future, but the advantages of connecting with folks on the Internet are definitely worth it.

Oh, and the check is in the mail...

Jess Lourey said...

The second worst part of it all (the first being that you had to deal with it) is that these scams only prey on the really, really nice people out there, and there's not too many of them left. I spray hackers and phishers everywhere with the Hose of Bad Karma.

Charmaine Clancy said...

I've never worried about scams before, but that was because I thought they'd only target me. It would be horrible to have a scam go out to your friends and followers from 'you'. I've twittered this post and hope everyone hears of the scam.
Thanks for sharing.

Kathleen Ernst said...

I'm glad it wasn't worse, but geez! What a mess to have to go through. Has anyone written a mystery yet where such spammers and thieves are diabolically murdered?

Cricket McRae said...

You're right, Jess. Btw, I noticed you didn't offer me any money. Hose of Bad Karma -- love it!

Charmaine -- thanks for the twitter!

Kathleen, looks like you have your next book idea ready to go. ; - )

Sheila Deeth said...

Thanks for all the advice. I'm wandering round the internet updating all my passwords now.

Darrell James said...

Cricket- Thanks for the word to the wise. I've had my credit card "borrowed" by an unscrupulous waiter. Before we stopped him he had charged up $2,700 in internet porn (and, no, that wasn't just the excuse I gave my wife.) The banks and police, neither, did little, as their cost to prosecute, in their words, was bigger than the crime. All we can concentrate on is prevention. Maybe we should decide on a "code word" in case you're ever truly stranded and need the help of friends.

A.M. Kuska said...

Yipes. I think it's time to do a little security maintenance!

Linda L. Henk said...

On March 12, I received an email saying that a wonderful, most gracious and generous person from Benin had paid the reactivation fee and delivery for $3.5 m US. The email came from Diana Dyer of Zenith International. I was instructed to contact FEDEX Delivery Company and send them $25 so I could get my $3.5m. Yeah, right! You mentioned you reported your phishing. How did you do that?
Thanks, Cricket!

Cricket McRae said...

I should have included the link to the Internet Crime Complaint Center. It's

Here is another article with more tips on how to protect yourself on Facebook:

And here is something I just found with info on how to report phishing emails on a variety of email clients:

Hope this helps!