How to avoid your email contact list being hijacked...
Recently, we came across a rather interesting case. A user, whom we’ll call “Mary Smith”, was contemplating changing job. She came across an interesting article on the website of an Irish regional newspaper on career changes. However, the article required registration to view. The newspaper site allowed users to register with their Google (Gmail) username and password. So, she entered her Google credentials and got immediate access to the article. Happy days, or so she thought.
Fast forward to one week later and some friends and work colleagues unexpectedly broached the issue of career changes. She was mystified why so many of her acquaintances were bringing this topic up. To most of them, she had never even mentioned it before.
It transpired that the newspaper website had hijacked (for want of a better word…) her Gmail address book and boldly sent the article to all her contacts. They all received an email message along the lines of “Mary Smith was recently very interested in this article…”. Inadvertently, she probably did authorise this action, and probably ticked that “agree” checkbox a little too hastily without reading what she was letting herself in for. She felt totally duped. She felt that broadcasting her reading material to all her email contacts was way beyond the pale.
A key tenet in IT security is lowering the “attack surface”. When it comes to email privacy and security, it’s strongly advisable to direct your work-related emails to your work email account and personal-related emails to your personal email account. Sounds simple, but you would be surprised at how many users use their work email account for everything from registering for online shopping sites to registering for smartphone weather apps. The Ashley Madison breach of 2015 showed just how many people used their work email to register for an illicit dating site.
Avoid your email contact list getting hijacked by using a "junk" email account.
Here at SecureClick we recommend taking this email segregation a step further. We advise that users set up a “disposable” or “junk” email account. This account can be used to subscribe to newsletters or register for those weather apps etc. If this account does get breached, there will be no contact list to hijack. If an over-zealous or nefarious website or app-owner has designed their product to steal contacts, there will be none to steal. Moreover, there will be no email conversation threads from work colleagues, family members or friends to hijack. Furthermore, phishing emails, which will inevitably arrive in your work or personal email accounts, are more likely to stand out.
- Set up a "junk" email account. Use it for single sign-on websites and app registrations.
- Don’t use your work email account for personal online shopping, newsletters or app registrations. Your work email account is for work-related activities only.
- While signing in with Google or Facebook credentials might be very convenient, always remember that you’re essentially granting a third party access to your data. For example, signing in with your Google username and password potentially gives a website or app owner access to your Gmail, Photos, Drive, Calendar and Contacts. For this reason, SecureClick recommends that you never use a work or personal email account for single sign-on services offered by Google or Facebook. A “junk” email account should be used instead.
- Your work, personal and junk email accounts should all be using unrelated passwords.
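The access a "Sign in with Google" button asks for is visible before you click "agree": the site sends the browser to Google's authorization endpoint with a `scope` parameter listing the data it wants, and a plain sign-in only needs identity scopes (`openid`, `email`, `profile`). The script below, an added example that is not part of the original SecureClick article, pulls the scopes out of such a link and flags anything beyond identity, so you can see when a "registration" is really a request for your Contacts. The authorization URL is constructed for illustration, and the scope strings and their descriptions are assumed examples (the consent screen itself is the authoritative list).

```python
from urllib.parse import urlparse, parse_qs

# Assumed mapping from Google OAuth scope strings to the data they unlock.
# Illustrative only; the consent screen Google shows is the authority.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/contacts.readonly": "read your Contacts",
    "https://www.googleapis.com/auth/contacts": "read and modify your Contacts",
    "https://www.googleapis.com/auth/gmail.readonly": "read your Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send email as you",
    "https://www.googleapis.com/auth/drive.readonly": "read your Drive files",
    "https://www.googleapis.com/auth/calendar.readonly": "read your Calendar",
    "https://www.googleapis.com/auth/photoslibrary.readonly": "read your Photos",
}

# Scopes that only identify you: all a genuine "sign in" needs.
IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def requested_scopes(auth_url):
    """Return the scopes listed in an OAuth authorization URL."""
    qs = parse_qs(urlparse(auth_url).query)
    # Google passes all scopes in one space-separated 'scope' parameter;
    # parse_qs already URL-decodes the value for us.
    return qs.get("scope", [""])[0].split()


def audit_consent(auth_url):
    """Sort each requested scope into identity-only, broad data access, or unknown."""
    report = {"identity": [], "broad": [], "unknown": []}
    for scope in requested_scopes(auth_url):
        if scope in IDENTITY_SCOPES:
            report["identity"].append(scope)
        elif scope in BROAD_SCOPES:
            report["broad"].append((scope, BROAD_SCOPES[scope]))
        else:
            # Anything unrecognised should be treated as suspect, not ignored.
            report["unknown"].append(scope)
    return report


def sign_in_only(auth_url):
    """True only when the request asks for nothing beyond your identity."""
    report = audit_consent(auth_url)
    return not report["broad"] and not report["unknown"]


# Constructed example: a "Sign in with Google" link from a hypothetical
# news site that quietly asks for read access to the user's Contacts.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?"
    "client_id=example-client-id.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fnews.example%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20profile%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

if __name__ == "__main__":
    result = audit_consent(SAMPLE_URL)
    print("Identity scopes:", result["identity"])
    for scope, meaning in result["broad"]:
        print("WARNING: site would be able to", meaning, "via", scope)
    for scope in result["unknown"]:
        print("UNKNOWN scope, treat with caution:", scope)
    print("Plain sign-in only:", sign_in_only(SAMPLE_URL))
```

To use it on a real link, copy the address the "Sign in with Google" button sends you to (before the consent page) and pass it to `audit_consent`. If anything lands in `broad` or `unknown`, the site is asking for more than the right to know who you are, and that is exactly the kind of registration the junk account exists for.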