I dodged a bullet … and a big one too!


I had just arrived home when Mike (not his real name) called. Mike manages my Self-Managed Super Fund for a large fund manager.

He rang to double-check on the payment … the urgent transfer of a very large amount of money from my super into my personal account. My Westpac account.

Only, I don’t have a Westpac account … in Broadmeadows!

It would now seem that Mike and I have had an email conversation about withdrawing the money. Because this was an account that had not previously been used, Mike’s protocols demanded a withdrawal form to be signed.

Again, I appear to have duly complied and provided Mike a correctly signed and scanned form … again via email.

Only, I had nothing to do with this conversation. This was the first I had heard of it.

Someone had hacked into my old email account and purported to be me.

They had taken the time to copy my style, language and even my signature from a previously scanned document.

But Mike thought this conversation was with the real me. Indeed, it was only his instincts that made him pick up the phone. He had already followed the right protocols and he was now permitted to release the funds. He just wanted to be sure.

Thank you Mike!

So close to that money vanishing forever. And then a squabble about who was ultimately responsible … the fund manager who might have accepted a fraudulent document … or the client that let their email and identity become compromised?

How could this have happened? How could my Exchange 365 account be hacked? What types of people go to this much trouble? How do I protect myself after this invasion? How could I have prevented it? This was not some obvious Nigerian Billionaire scam.

It turns out that I was very vulnerable. So are most people. I even heard Ross Stevenson on Radio 3AW say that he doesn’t worry about email security because he has nothing to hide. He could also fall into the same trap.

Why? I like shopping on-line. Most sites ask you to join with a login (usually suggesting your email address) and password. There must be well over 100 places that have asked me to join. Maybe 200? I probably got lazy at some point and used my mail password a few too many times. And everyone I have spoken to seems to confess to doing that.

Somewhere along the way, one of these on-line vendors has compromised their security (or gave the log-on files to an unscrupulous colleague). A little bit of work by some bad dudes and they eventually found a combination of a password that matched the actual email address. For me, this combination let them into my account. They looked through my email history for something interesting to replicate … only in their favour this time.

Who would have thought an email password could expose you like that?

This was a serious attack. I needed to protect myself … fast. I began by cancelling all my credit cards. I decided to always make on-line payments using PayPal from now on, as the credit card details are never disclosed to the vendor.

Then I looked on-line for the best password manager app with full encryption, random password generation and site pass-through.

I changed every site and account that I could think of and gave each one its own unique complex password. It took me hours and hours. But the app made it easy. I was finished by 1.00 am but I still felt violated. I still wonder if I have done enough to protect myself.

Funny actually. I had previously realised that I needed to do this a couple of years ago and started making lists of sites and passwords to change. At around 100 sites, I decided to do it the next day.

That list is probably around the house somewhere. Sadly, I never quite finished the job off.

And I almost paid the ultimate price.