Last week, an acquaintance had his e-mail hijacked and phishing emails were sent to many (all?) of his contacts, including me. Gmail alerted me with "This message could be a scam." Before I could view a link (to a phishing page) in the email, I had to click "Ignore, I trust this message." Supposedly a Google Docs document was being shared, and I was prompted to supply credentials to access the document. The (off-Google) linked site was an obvious attempt to phish for various (Google, Yahoo, Windows Live, AOL) account credentials.
The acquaintance contacted me for advice. I asked him to change his account password immediately, selecting a strong password, and made a few other suggestions to improve his account's security. By the way, if your Gmail account has been hijacked and you are able to access the account, see this checklist of steps to secure your account. He asked whether he should send a follow-up e-mail to his contacts to inform them that the phishing emails were not sent by him. I recommended not sending a follow-up e-mail for the following (unvoiced) reasons:
- Recognizing this phishing email as such should be within the skill level of any competent netizen.
- Spoon-feeding newbies (beyond some reasonable point) only perpetuates their ignorance (lack of Internet smarts in this case).
- I would welcome a follow-up, I-didn't-send-it e-mail about as much as I welcome "thank you" responses to "ticket closed" notifications, which re-open the ticket. They're useless at best and annoying at worst.
- Many (most, all?) of your contacts have already received an unwelcome e-mail, and have probably determined/guessed that it's malicious and that you didn't actually send it. Don't add insult to injury.
A few days later, the acquaintance reached out again and asked if he should send a follow-up e-mail to all his contacts. Again, I advised against doing so. He indicated that some contacts had sent replies to inform him of the e-mail they received.
I would prefer that contacts with hijacked accounts focus their energies on securing their account and doing everything possible to prevent it from happening again. If you absolutely must send an e-mail to all of your contacts to plead your innocence/ignorance, include as much detail as possible to describe how your account was hijacked and what you've done to prevent it from happening again.
Here is what I recommend doing if you find yourself with a hijacked web e-mail account:
From a known-clean computer:
If you use Gmail, follow Gmail's security checklist, otherwise:
- Change your password immediately if possible, and use a unique strong password (see RWoodards HowTo for some good suggestions).
- If your account has a Sign out all other sessions feature similar to Gmail's, use it immediately.
- Change your password again, using a unique strong password, immediately (consider it penance).
- If available, enable and configure 2-Step Verification/Authentication. Your provider may use different terminology. If you're unsure, explore your provider's documentation/help on security-related topics.
- Check if your account provider has recommended procedures for recovering from account hijacking and follow them.
- Change your password once again, using a unique strong password, immediately (for good measure and additional penance).
- Use LastPass or a similar service to maintain your passwords. Use a very strong, unique password/passphrase for your LastPass account and commit it to memory. Enable and configure LastPass two-factor authentication! Take the time to sign on to your accounts and change passwords, using LastPass to generate random/strong/unique passwords of 16 characters or more if supported.
- Suppress the urge to send an e-mail blast to all of your contacts to inform them that you didn't send the e-mail they received from your address. When contacts e-mail you, send individual responses, and include the steps taken to secure your account.
- If you ignore the advice in the first sentence of the previous bullet, pray I'm not in your contacts. :P If you insist on pulling that stunt, at least have the sense to use blind carbon copy (Bcc) or mail merge.
I would like the community's perspective on this. Would you recommend that someone with a hijacked account send follow-up e-mails? Why/not, and in what circumstances? Other insights?