Weighing the Risks of Using a Free Email Account for Business

by Bill MacLennan, CEO of Your Computer Hero

In 15 years of serving business clients, I have seen free email accounts such as MSN, Yahoo and Gmail get hacked dozens of times.  So much, that I do not recommend using free email accounts for business purposes.  Having said that, some of my clients choose to use these accounts because of the obvious upside: it’s free.  All business owners have to make hard choices about where they are going to spend money and free email can be very alluring.  I respect that-just go into it with eyes wide open.  Know the risks. I want to give you an insider look into why these email accounts are an attractive target for hackers, explain common tricks that we see hackers use to exploit these accounts, and share best practices for decreasing your risk if you choose to use a free email service.

Why Free Email Accounts are an Attractive Target for Hackers

Ironically, the thing that makes free email accounts a hot target for hackers is the same thing that makes them attractive for consumers: they are free.  Hackers know what good data security looks like on the back end and they know very well that it’s not free.  Manpower and sophisticated firewalls are necessary to protect sensitive business data. In this model you are getting what you pay for, so those resources are slim at best.

Tricks that Hackers Use

 Before we go into a recent example from one of our clients, I want to give you a couple definitions:

Phishing: the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Spoofing: the act of disguising a communication, usually email, from an unknown source as being from a known, trusted source. You can usually identify.

a spoofed email by looking at the header of the email.

We recently had a business client with an MSN account that got hacked. The hacker attempted to steal to both money and credit card information by reroute the payment of invoices.  This is a common phishing scheme with hacked email accounts.  First, they identified where legitimate invoices were being emailed out by the company.  Then, followed-up with illegitimate emails explaining a change in their payment processing and requesting that the payer simply “click this link” to pay the invoice. Scary! The hacker’s follow-up email was spoofed so it appeared as though it was coming from the business owner.  The emails could not be found in the account’s “sent items” folder so the business owner had no way of detecting this activity until they were alerted by a payer who called to confirm the change in their payment process.

Best Practices for Decreasing Your Risk of Being Hacked

I want to reiterate that I do not recommend using a free email account for business purposes.  I include this discussion, not to endorse their use but because I know many small businesses use these types of accounts and there are a few ways to decrease the risks.

Password is king! Your password MUST be very strong and unique to the email account! It should not include your dog’s name, your brother’s name, your old phone number, social security number, birthday or any other name or number that is or has ever been associated with you.  It should not even include any word that can be found in the English dictionary.  See below for how to generate long randomized passwords that are easy to remember.

Keep in mind that free email servers are a hot target for hackers, so making sure your password is unique to the email account adds another measure of security. If this one gets hacked, you will minimize the damage to your other accounts and the headache of having to change all passwords for all accounts.

If you get hacked and lose control of your password there are no deep pockets for customer service with free email accounts, so recovering your email is an impossibility.  The only option is to abandon the hacked account and create a new email.  As for the money lost to hacker schemes and headache of notifying your clients to the change in email, you are on your own.

Tech Tip: Generating Strong Passwords-Randomized, Long, Memorable.

An easy way to generate long secure passwords that look random, but are memorable, is to think of a sentence that means something to you, then use it to generate a password.  For example, the key sentence “I ate ice cream daily in Rome in June 2000,” easily generates a 14 digit password: “I8icdiRi6.2000.”  If you can remember or write the sentence, you can remember the password.

If you are using a free email service such as MSN, Yahoo or Gmail for business purposes such as sending invoices, there are more secure options. Your Computer Hero has been providing IT consulting  to small businesses in the Twin Cities since 2004, we have expert technicians on staff to answer your questions and facilitate a smooth transition.  Call our shop at 763-229-4467 today to discuss options.