Hacked Email

At work, we have been using Yahoo for email for many, many years. I have had this issue arise twice now, within a few weeks of one another.

I sent an email to a customer regarding a past-due invoice. I asked if there was a different email I should send the invoice to for it to be paid. After a few weeks with no response, I sent another email. This time, I received a reply. She said that it had been paid through Zelle. I replied, telling her that we don’t have a Zelle account. She then called me. She said that she received Zelle instructions from me. I told her I wouldn’t have done that because we don’t have a Zelle account. As I was arguing with her, I started looking at other folders in my email account. There was nothing in the spam folder. I looked in the unread folder, and there were a bunch of emails from her. I have never used that folder and never looked in it. None of those emails ever showed up in my inbox. One of her emails stated that she would send a check right away. Then there was a reply supposedly from me stating:

Could I please confirm the status of the invoice? I’d like to clarify something, as we recently received a bad check, which prompted my bank to place a ‘No Check Deposit’ restriction on my account. To avoid future issues, I’d like to inquire if your company offers payment options such as ACH, direct deposit, or wire transfer. Any associated fees can be deducted from the invoice. I apologize for any inconvenience this may have caused and appreciate your understanding.

It had my signature line on it and it came from my email account. I did not send that email.

Then another email with my signature line was sent, giving the Zelle instructions - an email address and a transaction number.

The customer followed those instructions, thinking they were from me. So now we’ve been scammed out of $3000+. The customer claims that since the email had my signature line on it and it came from my email address, they’ve paid the bill.

Two days ago, it happened again, but luckily, I caught it right away and contacted the customer (a different customer). This time, the customer sent me an email in the evening requesting a W9. The next morning, when I went to reply to the customer and send the W9, I saw the same email reply as I showed above, only it says at the beginning of the email that the W9 is attached. Which of course it wasn’t.

Should I shut down my email account? Should I get a computer repair company involved?

UGH!!!

The first thing you should do is, using a different computer, change your Yahoo password and turn on multifactor authentication. Once that is done, then you can spend some time investigating how someone else used your account to send emails.

My guess is that the most likely cause of the breach is that your Yahoo username and password were compromised. Other possibilities are remote control software on your computer, or an inside job. Does anyone else have access to your computer who could’ve sent the emails?

No one else has access.

Thanks so much for your advice. I will use my laptop to change my credentials.

I would make sure that the email actually came from your account, and wasn’t just return-address spoofed.

Also echoing what echoreply said already. In your situation, I’d go so far as to get a physical security key (like a YubiKey) and attach it to your Yahoo mail account: https://help.yahoo.com/kb/enable-security-key-sln35380.html

If you make that a requirement of your account and practice unplugging it and logging out of Yahoo completely after every session, it would be much harder for hackers to access your email — even if they have remote control software on your computer. A password is easily stolen, especially if you have malware on your computer. 2FA makes that much harder — they are very difficult to “steal”. Physical 2FA with a security key makes it even harder.

One caveat is that you will also need to safely print out some one-time-use recovery codes in case you ever lose your key. But given that you’re not sure about the integrity of your computer, I wouldn’t do it there… if there were indeed malware on your computer, it could capture those codes and completely bypass 2FA. I’d find (or buy) a known-safe computer — or a library kiosk if they have good IT practices at your local library — and do it there, out of the attacker’s sight.

It does add a bit of inconvenience (you have to plug it in and touch a button on it to login), but it adds quite a bit of security. Given that you have a history of being hacked, it would make sense to add that, IMHO.


Additionally, though, something isn’t quite clear in your posts… originally you said:

we have been using Yahoo for email for many, many years

Who is this “we”, especially if:

No one else has access.

?

I mean, is this a sole proprietorship where you are the only person in the company, and the business email is your own? Or is that email account shared by more than one user (on different computers)? Or do you have several Yahoo email accounts used within the same company… are they in your own domain name, like @yourbusiness.com, or @yahoo.com?

I’m asking because separate from — and perhaps more important than — the physical security of your own individual laptop, you might want to consider getting a more thorough cybersecurity audit of all your critical business systems, not just emails but payments and invoicing systems and such. If this is a very small business and you don’t have the resources to hire a consultant, it could even just be watching some YouTube videos or reading some books and implementing some basic best practices (such as enforcing two-factor authentication for everyone, maybe even requiring a physical security key).

It is generally not a good practice to handle payments through email like this, vs. an online dashboard at yourcompany.com that each customer can securely log in to, look at their invoices, pay by credit card or wire transfer if possible, etc. That’d also be a good place to say which offline (well, off the web) payment methods you DO accept, like where to send checks to. It’d also be a good place to clearly say what you do NOT accept, like Zelle, and link to warnings about scams, etc., etc.

Unfortunately Zelle scams are really common, especially among users who aren’t especially tech-literate. Several of my immediate friends and family members have fallen prey to them, losing from hundreds to tens of thousands of dollars — and these were not rich folks. Usually, the outcome of that is “too bad, so sad”. The banks will usually not help at all, nor will law enforcement. So prevention and education (of your staff, if you have any, or yourself) are really the only solutions…

I’m sorry that you lost the $3k already. Hopefully you can prevent any further such incidents before they critically affect the business. It doesn’t have to take a lot of time, effort, or money — really just a few hours learning and tweaking settings — to go from “horribly insecure” to “safe enough for a small business”.

It’s critical to have two-factor authentication enabled as well in case of a stolen or hacked password. Out of curiosity, did you have this enabled when the breach occurred?

Yeah, that’s a good point…

OP, in your Yahoo mailbox where those messages are… is the first one in a thread there from you, or a reply from them? (i.e. does it look like you sent the first message, or is the first message a customer reply?)

I do not have multifactor authentication, but I will be setting that up now.

I have co-workers, but they all have their own email accounts. They are all yahoo.com addresses.

We don’t handle payments through email. We’re old school here. Invoices are either mailed or emailed, depending on what the customer requests. Payments are either ACH or check.

How can I tell if it was return-address spoofed?

At a quick glance, you can generally see if the first message in a thread was outgoing (i.e., it was sent from your inbox to the customer) or incoming (i.e., a third party spoofed your email, your customer received it, and then replied directly to your actual email via reply-to).

To be more certain than that, you have to view the “raw” message with all its headers: Find delivery delays and identify sender in New Yahoo Mail | Yahoo Help

If you trust us enough, you can post the full raw message here… it won’t include your password or anything, but it will identify you and your customer (at the very least), along with anyone else in that convo.

Otherwise, you can try tools like Email Header Analyzer, RFC822 Parser - MxToolbox and see what they say.

It’s a bit complicated because there are several email security systems that work with each other to try to prevent this sort of thing, but they add a lot of complexity. You can look up terms like SPF, DKIM, and DMARC if you want to better understand that part of it… (but they are confusing, even for people in the field). Here are a couple of random primers: Understanding email authentication headers - Valimail is more readable, and https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/ has more details

If I were you, I’d consider working with a web agency to set up a very simple @yourbusiness.com website and email service for your company. When you own your own domain name and use it for email, you can set stricter security measures like “tell other email servers that I am the only legitimate email sender for @yourbusiness.com, and anyone else is a spammer or phisher”. That will make it harder (not impossible, just more difficult) for scammers to impersonate you and affect your customers.

When all your legitimate emails come from @yahoo.com, anybody can make a lookalike email pretending to be you (like sales_yourcompany@yahoo.com) and phish your customers, even if they never actually breach your accounts. I’m not saying that’s what happened here, but that it’s another security risk for you and your customers. They have no way to validate that an email actually came from your company.

Having your own domain name makes that safer, but still not completely safe. Email is just insecure by design (unfortunately), and decades of band-aid fixes (like those acronyms above) have somewhat improved the situation, but didn’t actually fix it.

I guess it’s a cost-benefit analysis for you to see how much time or money you want to spend improving the cybersecurity vs how much risk you’re willing to take on… consultants are expensive, but getting a company website and email domain are not (maybe a few hundred dollars a year, at most?).

Oh, and does that mean you’re not an owner/manager/admin type there? I just assumed you were, sorry.

If you have an IT dept, this is definitely something to bring up with them. They will want to know. If this is affecting your emails, it’s possible it’s affecting other coworkers too, whether they know it or not. Once a scammer identifies a company as easy prey, they will often double down and keep trying to breach your systems or social engineer your people. You’ve got a bright red target on your backs now and the $3k may just be the beginning…

Even if you don’t have a proper IT dept, I’d at least bring this up with management and let them know to deal with it holistically. It shouldn’t be up to you, an individual employee (if that’s what you are), to fix company email security.
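As an added illustration of the header check described above (this is example code written for this page, not something anyone in the thread posted), here is a small Python script that reads the raw headers of a message the customer received and separates the two cases the thread is weighing: the message really went out through the mailbox provider of the claimed From: domain (which points at account compromise), or the From: was forged and the sender merely hoped the customer would reply to it. It keys on the Authentication-Results header the receiving server stamps on delivery (SPF, DKIM with its signing domain, DMARC and the published p= policy) plus the alignment of From:, Return-Path and Reply-To. Both messages, and every address, host and IP in them, are constructed placeholders; for a Yahoo mailbox the aligned signing domain would be yahoo.com rather than the made-up yourbusiness.example. The p= value it extracts is the same policy the later paragraph talks about when it says owning your own domain lets you tell other servers that nobody else may send as you.

```python
# Added example (not from the thread): classify a raw message as "really sent
# through the claimed domain" versus "forged From:" by reading the headers a
# receiving mail server already stamped on it.  All addresses, hosts, IPs and
# header values below are constructed placeholders.
import re
import email
from email import policy
from email.utils import parseaddr

SENT_VIA_DOMAIN = "sent via claimed domain"
FORGED_FROM = "forged From:"
UNDETERMINED = "undetermined"

# Constructed: what the customer's copy could look like if the message really
# left the vendor's mailbox (DKIM signed by the vendor's provider, DMARC pass).
GENUINE = """\
Return-Path: <ap@yourbusiness.example>
Received: from smtp.vendorprovider.example (smtp.vendorprovider.example [203.0.113.10])
 by mx.customer.example with ESMTPS id k1a2b3
 for <ar@customer.example>; Mon, 03 Jun 2024 09:12:01 -0400
Authentication-Results: mx.customer.example;
 spf=pass smtp.mailfrom=yourbusiness.example;
 dkim=pass header.d=yourbusiness.example;
 dmarc=pass header.from=yourbusiness.example
From: AP Dept <ap@yourbusiness.example>
To: ar@customer.example
Subject: Re: Invoice 1042

Could I please confirm the status of the invoice?
"""

# Constructed: a forged From: sent from an unrelated host, with Reply-To
# pointed at the attacker so the customer's answers never reach the vendor.
SPOOFED = """\
Return-Path: <bounce@bulkhost.example>
Received: from bulkhost.example (bulkhost.example [198.51.100.7])
 by mx.customer.example with ESMTP id z9y8x7
 for <ar@customer.example>; Mon, 03 Jun 2024 09:14:44 -0400
Authentication-Results: mx.customer.example;
 spf=pass smtp.mailfrom=bulkhost.example;
 dkim=none;
 dmarc=fail (p=none) header.from=yourbusiness.example
From: AP Dept <ap@yourbusiness.example>
Reply-To: ap.yourbusiness@webmail.example
To: ar@customer.example
Subject: Re: Invoice 1042

Could I please confirm the status of the invoice?
"""


def domain_of(header_value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Flatten every Authentication-Results header into one dict of verdicts."""
    text = " ".join(re.sub(r"\s+", " ", str(v))
                    for v in msg.get_all("Authentication-Results", []))
    out = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text):
        out[method] = result.lower()
    m = re.search(r"header\.d=([\w.-]+)", text)          # DKIM signing domain
    if m:
        out["dkim_domain"] = m.group(1).lower()
    m = re.search(r"dmarc=\w+\s*\(p=(\w+)\)", text)      # published DMARC policy
    if m:
        out["dmarc_policy"] = m.group(1).lower()
    return out


def classify(raw):
    """Return a verdict plus the concrete header facts that led to it."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    auth = parse_auth_results(msg)
    findings = []

    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} does not match From: domain {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points at {reply_dom}: replies go somewhere else")
    if auth.get("dmarc") == "fail":
        pol = auth.get("dmarc_policy", "unknown")
        findings.append(f"DMARC failed for {from_dom} (policy p={pol}); "
                        "with p=reject the receiver would have refused this message")

    # A DKIM signature from the From: domain itself means the message passed
    # through that domain's own mail system, i.e. the account, not a forgery.
    dkim_aligned = auth.get("dkim") == "pass" and auth.get("dkim_domain") == from_dom
    if not findings and dkim_aligned and auth.get("dmarc") == "pass":
        verdict = SENT_VIA_DOMAIN
    elif findings:
        verdict = FORGED_FROM
    else:
        verdict = UNDETERMINED
    return {"verdict": verdict, "from_domain": from_dom, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        result = classify(raw)
        print(label, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

To use it on a real case, paste the customer's copy of the suspicious message (exported with full headers, as the Yahoo help link above describes) into `classify()`. Note the asymmetry in what the result tells you: an aligned DKIM pass plus DMARC pass is strong evidence the message went out through the account, but a forged-From verdict does not prove the account is clean, since an attacker who has read the mailbox can spoof and log in at the same time.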

Does Yahoo Mail have a way to show the IP addresses of the last sessions?

It sounds like a hacker is logging into your emails. Check if any unknown forwarding email addresses are configured. If they are, that would allow the hacker to get a copy of your emails. Also check for POP/SMTP configurations. Those protocols allow remote access of your mail. Change your password.

I just looked, because I needed to do my annual “keep alive” login to my Yahoo account anyway.

Log into the Yahoo website, then click your initial or picture in the top right corner, then manage account, and then view current sign-ins. Or maybe even better, click the “security” tab at the top of the account management page.

Either way should show you where you are currently logged in from. Perhaps the desktop and laptop. Don’t worry if the location isn’t exactly correct, only if it is really wrong.

I would like to do that, but the email that I’ve been using is attached to so many things. I don’t even know how I’d start untangling that.

I changed my email on my laptop and added 2 factor identification. Hopefully this will help.

Thanks for all of your words of wisdom.

It’s up to you… without knowing any specifics of your business, industry, or target customers, it’s hard to say whether the trouble would be worth it. If you’re a small family biz with a bunch of regular customers who’ve been with you forever, change for the sake of change would probably just annoy everyone. In that case, maybe good enough is good enough, and you make small tweaks here and there and occasionally eat the cost of a scam as just another business expense? Not every business needs top of the line security…

If you decide you do want to change things up, I do think it would benefit you to have someone either on staff or on call who can help you sort through these sorts of issues. Changing your business email isn’t trivial, but it’s not impossible either. You could take a phased approach where you have both addresses for a year or however long, with the old one telling people to switch (via a signature, for example). After a while, you add an autoresponder letting people know, but also have the old one automatically forward to the new one. Then a while after that maybe you stop using it altogether, hoping that enough people have switched over to the new one.

But I dunno if that’s necessary for your line of work. Certainly there are many small businesses with questionable security practices that still do just fine. Maybe adding the 2FA will be enough, at least for now…?

I think the biggest deal is making sure that your customers don’t pay someone else pretending to be you. Whether that’s a personal conversation you have with some of them, or some technological measures you choose to take, or some combination of both… really depends on how your relationships are set up. I don’t know your business enough to say what would improve security without also annoying existing customers.