Grace Chng Senior Correspondent

In a flash, I became a victim of cyber thieves

According to software security firm Symantec, one in 392 e-mail messages a day in 2013 was a phishing attack. The numbers are rising, a spokesman added. -- PHOTO: BLOOMBERG 

My Gmail account was hacked last week. Cyber thieves stole my ID and password and then grabbed my list of contacts and everyone's e-mail details.

When I found out, I felt no different than if I'd been told that someone had broken into my home, rifled through my correspondence and taken the names, addresses and telephone numbers of my family members, friends and work contacts. It sent a chill down my spine.

Once I knew, I immediately tried to recall if I had used my Gmail ID and password for online services and applications such as Twitter, Instagram, PayPal, Amazon, Taobao, WhatsApp and Weibo.

It was tedious, but I checked more than 20 online services and apps just in case the hackers could use my personal information to go shopping online, edit my profile or change content. I had to reset my passwords for some digital services and apps that used the Gmail sign-in.

I had to make sure, too, that I had not put my credit card details and other passwords on chat messaging boards such as WhatsApp and Weibo. The crooks could have accessed them and found the information.

I'm told that many people do that, especially if they have children studying overseas and don't mind sharing their personal details so their children can shop online.

I'd been a victim of what is known as phishing, when cyber crooks strike to extract critical personal data to use for whatever their ends might be.

It is so easy to get phished. And even though I like to think that I'm more tech-aware than most people - thanks to having covered technology and digital news for many years - I was caught.

It happened so swiftly. I was browsing through my Gmail account on my iPad when I came across an e-mail supposedly from a dot.com entrepreneur I have known for 20 years.

I opened the e-mail and it had a link to a document I was supposed to download from his Google Drive account. It was nothing extraordinary because Google Drive is a digital cabinet into which Gmail users put documents they want to share.

Since I thought I knew the sender, I proceeded to download the document by keying in my Gmail ID and password. The same prompt appeared again, asking for my ID and password.

Thinking I had made a mistake the first time, I typed my details again. And that was my mistake.

The second time round, the hacker had directed me to a new website from which he could grab my credentials and gain access to everything in my Gmail account.

How could I have been so easily tricked? How could I have let my guard down? Shouldn't I have known better? All I can say is that I suspected nothing unusual receiving that e-mail from that contact.

It's what cyber criminals count on in their phishing raids. They impersonate someone you know, lure you to click on a link to download something and, in a blink, they've got what they want.

Soon after the hackers grabbed my list of contacts, several people I know started receiving fraudulent e-mail, appearing in their mailboxes as e-mail from me.

I was alerted when some of my more tech-savvy friends sent me text messages saying they thought I'd been scammed. Unlike me, they did not fall for the trap, though I don't know if others were tricked.

According to software security firm Symantec, one in 392 e-mail messages a day in 2013 was a phishing attack. The numbers are rising, a spokesman added.

It is one of the most common online scams because phishing tools are easily available in the cyber underworld.

In March last year, Symantec reported phishing attacks on Google Docs and Google Drive in the United States.

It said Google accounts are a lucrative target for phishers as they can be used to access many services such as Gmail or Google Play, the Android app store for buying apps and content.

Once I was alerted to this scam, I immediately changed my Gmail password. Gmail has a provision to let users add 2FA or a second level of authentication to make illegal access more difficult.

Experts tell me my e-mail account is now more secure.

After I stopped kicking myself, I asked myself what lessons I'd learnt from being a phishing victim. There are at least three.

First, it can happen to anyone, and all it takes is a momentary lapse in attention. I'm going to be deleting more e-mail than I should, especially anything I do not recognise. I'll assume that anyone who really wants to get in touch with me will try again.

Second, don't use a single e-mail account for all online services and apps. It may be a bother to remember different e-mail IDs and passwords, but that's a small price for ensuring your loss will be limited if you're a victim.

Third, keep your digital address book separate from your e-mail account. I've de-linked my list of contacts from my Gmail account. Each time I need to send an e-mail, I now have to look for the e-mail addresses separately.

A little more inconvenient, perhaps, but safer.

chngkeg@sph.com.sg