The next day I received the notification I was waiting for to renew my password. It was a typical Microsoft Exchange notification to click here and type in my current password which I duly did, followed by a web screen asking for my new password, which it confirmed had been changed. Now all I had to do was change the password in all my other devices which I would get around to doing later. Total pain in the whatever.
The next thing that happened was a call from my CEO asking if I'd requested a payment by our Financial Controller to a building company for several thousand pounds. Apparently I'd sent her an email asking if she'd rush it through.
I'd been hacked.
The password changing routine had obviously been a phishing exercise that thanks to my being alert (and still angry), I had reluctantly been waiting to happen. Of course I had received emails like this before, but this time the timing was unfortunate + the email and website it took me to were very convincing.
Luckily my team were on the ball - quite apart from them knowing I would never ask for personal expenses to be passed through my company. So we didn't lose any money. My email account was frozen and my password was immediately changed by our IT chaps, so no lasting damage done... except for one thing...
A few days later I received an email from the CEO replying to an email sent to the whole board by our Financial Controller - including me, but which I hadn't received. In fact after a number of tests, although I could send her emails, none of her replies came into my inbox.
The IT took a few days to find out what was going on but eventually they discovered that the Phishers had:
- Captured my password and logged into my email account through webmail
- Read enough emails to discover who controlled our payments
- Sent her an email from me requesting a payment
- Even more cunningly, they had also set up a rule that automatically forwards all emails to me, from her, into my RSS inbox (which no-one ever reads). So if she replied "OK" or something like that, which most people would have done to acknowledge they'd done what they were asked, I wouldn't be alerted to the fraud.
Until I looked at the small print right at the bottom of the Outlook dialog window which said something like 'rules set up through webmail won't appear here'. Sure enough when I logged into my email account through webmail rather than Outlook on my laptop, there was the rule.
Microsoft had assisted the fraud by ensuring I would be oblivious to the rule the fraudsters had set up. Who goes into their webmail? I only ever use it if I'm at a public terminal and I don't have one of my many devices at hand ready-loaded with a logged-in, and password-enabled email manager.
This does seem a daft state of affairs where rules in one version of Outlook aren't the same as the rules in Outlook.com - for the same email account. And dangerous for exactly the reason I had discovered.
Turns out, this constant password changing ritual is more of a danger to security than sticking with a sensible one in the first place. I would love to wake up in a world where passwords have been consigned to history and tech has found an easier and safer way to ensure I am who I say I am.