Email access in the wrong hands can spell trouble: Hackers move $35,000 of woman’s money

It's a good idea to remember that your email can provide the keys to your online accounts for would-be scammers.

A Richfield woman's recent experience losing access to her email to hackers is a good example of the importance of email security. It’s also a reminder that your email provides the keys to your online accounts.

Anita Gantner thankfully hasn't lost any money at this point, but the hackers moved nearly $35,000 from her retirement IRA to a different company and also tried to move $350 from her bank. She’s spent countless hours trying to regain access to accounts and cleaning up the identity theft mess.

In early June, Gantner stopped getting new mail to her Windstream email account, which she accesses on her phone and computer. She thought that was odd. It wasn’t prompting her by saying her password was wrong or asking for a new password. She just wasn’t getting new email.

She waited a day and tried again. Still nothing.

She searched online to see if there were any reports of a Windstream hack. She didn’t see anything. She phoned Windstream. After waiting on the phone for about an hour — and getting disconnected four times — Gantner got a representative who said she wasn’t alone, that there had been an email hack of the system, and that someone would get back to her when the problem was resolved.

About a week later, Gantner called Windstream and asked to disable her account. But a week later when her husband sent a “test email,” it went through. She called Windstream again and was told the account wasn’t disabled, but would be now.

In the meantime, Gantner started getting letters thanking her for opening new accounts. She also got locked out of her Amazon account and still hasn’t been able to get into her Facebook account.

Betty Lin-Fisher

Why? Because when you “forget your password” or need to reset it, the reset goes to your email address on file.

She notified her financial adviser to watch for fraud. About 2½ weeks after she lost email access, the adviser called to say someone had moved nearly $35,000 from her retirement account with one company to another company.

The hackers got her Social Security number to open the new account.

Between calls the financial adviser and Gantner made, they were able to stop the transfer.

She also turned off online access and transfers on her account to anyone — including herself and her financial adviser.

Gantner has been annoyed by all of the trouble, but she is most annoyed with Windstream, which she said isn’t taking responsibility.

“What really just got under my skin about this is Windstream never reaching out to me or and I assume anybody and this is going on and it's just outrageous,” she said. “I've gotten a dozen things in the mail from banks and whatnot about credit card or credit that they tried to open."

Gantner froze her credit after the breach.


Windstream responds to allegations of a breach

In several email correspondences, Windstream spokesman Scott Morris said there has been no hack of Windstream’s network or systems.

“Windstream is aware of an email that customers received claiming to have access to their personal devices and Windstream email accounts. We immediately launched an investigation, and there is no evidence of a compromise or breach of Windstream’s network or systems that would allow access to customer email accounts. However, we did identify a phishing campaign against some of our customers. As you know, phishing uses authentic looking but bogus emails to request information or send users to fake websites that request information,” Morris said.

“We took immediate steps to protect any potentially impacted email accounts to include proactively notifying customers via email and text messages to change their passwords and update their security questions.

“To help customers protect their email accounts, Windstream recommends the use of strong passwords, regular password changes and the addition of security questions. Also, customers should use different passwords for each of their password-protected accounts. We recommend email users also protect their passwords by installing anti-malware and anti-virus software on personal devices and keeping personal devices up to date.”

Gantner bristled at Windstream’s response. She knows about phishing emails and says she did not click one. She also said numerous Windstream representatives have told her there was a hack and there are many other frustrated consumers online with similar issues.


Email can be key to access to other online accounts

When Gantner originally lost access to her email, she started alerting her various accounts of a potential problem. She was met with a variety of responses. One bank immediately shut down online access to a CD account and said she couldn’t have online access again until she showed that her computer had been scrubbed by computer specialists.

When the hackers tried to move $350 from a checking account to a new account at one of her banks, Gantner was told by people at the bank that when you set up automatic payments for your utilities or other accounts, you are also giving potential hackers other ways into your account, if those companies have a breach.

Gantner acknowledged that she had some “pretty weak” passwords on some of her accounts.

Eva Velasquez, the president and CEO of the San Diego-based Identity Theft Resource Center, a nonprofit that offers free consumer assistance for ID theft victims, said email access is just as important to protect as other information.


“The message here is your email is not innocuous,” she said. “It is the keys to the kingdom because of that password reset function. And because of multifactor authentication, a lot of folks choose the email version rather than having a text sent to their phone.

“Think about it. Look at somebody's inbox, you've got a pretty good blueprint of their life,” she said.

It can be unclear where a hacker got email account information or other account access.

“There are so many different ways to compromise an email account,” she said. It could be from phishing, or smishing (a fake text message). It could be a breach or a vulnerability within the system, or an unrelated breach in another system.

Tips to protect your email

Here are some tips from Velasquez:

  • Email passwords should be unique and should not be used on any other accounts. “It should be complex and 12 characters or longer or a combination of uppercase lowercase and characters,” Velasquez said. “It doesn't have to be gobbledygook that you're never going to remember... it can be kind of a passphrase,” which is a unique series of words strung together.

  • Don’t use the same password or passphrase and your email address for all accounts. Oftentimes, hackers will make brute-force attacks and try to compromise systems to get usernames and passwords on accounts that people think are throwaway accounts, like an online exercise account or a subscription account, Velasquez said. Make sure you take similar password precautions on all accounts.

  • Restore access to your email as soon as possible. Contact the provider directly at a number you know is correct. You will likely have to go through a robust authentication process “because you don't want the hackers to be able to just call customer service and say I lost access.” As much as you might want to disable the account, it will make it easier to get access to your other accounts if you get access back to your email, she said.

Reader is worried about other accounts

Gantner said she doesn’t re-use passwords on other online accounts.

“I change up my passwords on different accounts — especially ones I don't care about as I'm suspicious that they are more likely to get hacked,” she said.

But the recent experience has been a wake-up call.

She has now created multiple emails (with different passwords) for various accounts — just in case there’s another breach.

Everything now has a really strong password, she said.

"Even simple stuff, like airlines, and wherever I can, I set up two-step authentication,” she said.

"It makes me take this security thing much more seriously," she said. “I never thought someone could get that far into our accounts.

“Does it make me paranoid going further? No, it makes me cautious. It makes me more careful. I’m putting into place practices that I think will make me safe going forward.”

Consumer columnist Betty Lin-Fisher can be reached at 330-996-3724 or blinfisher@thebeaconjournal.com

This article originally appeared on Akron Beacon Journal: Email security is important; hackers can get access to other accounts