At the beginning of August, one of my clients began renting a property to a new tenant. We set up a system where the rent would be deposited into a certain account at XYZ Bank, and my client proceeded to go back to her home in Europe.
Not long after this, the tenant received an email, supposedly from my client. The tenant was instructed to deposit the first and last month’s rent, along with the security deposit, into a bank account in Ohio. At first, I didn’t understand; I didn’t know my client had an account in Ohio.
And that is when I came “face-to-face” with pure evil.
After emailing my client to relay my conversation with the renter, I asked about the wire transfer to Ohio. “Yes, I did set this all up,” the reply said. It was just a temporary measure; the rent would eventually go directly to her account at XYZ Bank, but she said she had yet to set up that account to receive deposits.
I noted that the closing salutation in the email said “xs.” My client usually wrote “xx.”
Whenever bank accounts are involved, I don’t trust email as a valid means of communication. I reached out to my client over the phone and asked if she set up an account in Ohio for the first month, last month, and security deposit, and she said no. She was under the impression that we had her money, and we said no.
While we were on the phone, she happened to be sitting with the same realtor who had found the tenant for her. According to him, this sort of thing had been happening a lot to his company.
And so the puzzle pieces began to come together: the correspondence I had received from my client was actually from a hacker. After gaining access to my client’s account, they had read her old emails enough to identify the tenant and understand the previously worked-out arrangement of depositing funds to XYZ Bank. They imitated my client’s writing style and temperament—but they messed up by finishing the email with “xs” instead of “xx.”
As it turns out, Gmail accounts are getting hacked more frequently than others, but unlike hacking an Outlook account, the only way to get into a Gmail account is to discover the password. And there is a multitude of ways that can happen:
- A keylogger can be installed on your computer physically or over the web. It works by recording every single letter you type. That means a hacker has to sift through all of your personal business before homing in on your password.
- Your browser’s password manager can betray you. With a few clicks in front of your computer, a hacker can uncover all of the passwords for all of the sites that it has on record. No hacking degree required.
- A packet analyzer examines all information sent to your device over a wireless network. All that is required is that the hacker be on the same wifi network as you—so beware of networks with open access and short passwords! If possible, use the personal hotspot on your phone instead (and secure that with a long password).
Given the above information, it seems clear that my client’s information could have been hacked in any number of locations, both in the US and abroad.
In my business, security is our number one concern. That is the reason we change passwords every month on all client accounts. We make use of password generators that spit out the most random collection of letters, numerals, and symbols that I have ever seen. And we never, ever do telephone banking, banking by app, or take important instructions via email.
For more tips on how to protect yourself and your loved ones from the rogues’ gallery of scammers, spammers, and thieves, contact me today!