NEVER Give Out Your Password

If support staff for a service you are using need access to your account or to information within it, they can get that access without your password. Nobody should be asking for your password.

This applies to email (e.g. Hotmail/Windows Live, Yahoo, Google and many others), social networking (Facebook, LinkedIn, MySpace, etc.), online photos (Flickr, etc.), and especially applies to your banking and finances. NO bank or financial services employee should ever ask for your password – bank policies generally prohibit them from doing so as a firing offense.

Think of someone asking for your password the same way you’d think about a stranger walking up to you on the street and saying “Hi, I’m with the village. I need your home address and your house keys.” No matter how friendly and professional-looking that person is, would you just hand your keys to a stranger like that?

I had a situation recently where a friend using a free email account had his login credentials stolen. The thief then sent email to his contacts claiming that he was in England for a conference and needed $2000, and also made other changes to his email account to try to get into other accounts.

In this case nobody fell for the scam and we were able to get him back into his account, but looking at some of the changes that were made to his account was informative.

  • The scammers had changed his default signature (which appears at the bottom of messages he sends) to look like an “official” communication from the email provider requesting the recipient’s username and password. Every email he sent included an attempt to get passwords from people.
  • The scammers had set the “reply-to” value for messages to another account they controlled. That means that any replies to his messages would go to the scammers instead of to him. This was also part of the “official” request for login information.
  • The scammers had deleted all of the messages they sent from his account from the Sent Items folder, so there was no way to see exactly what had been sent or to whom.
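The first two changes above leave traces in the messages themselves: a Reply-To pointing at a different account than the From address, and a signature asking for credentials. The following is an added example, not code from the original post, that checks two constructed messages for those two indicators (addresses, domains and phrasing are made up for illustration).

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the original post): one benign, one
# showing the two indicators described above, a Reply-To pointing at a
# different account and a signature asking for the recipient's credentials.
BENIGN = """From: Bob <bob@example.com>
To: Alice <alice@example.net>
Subject: Lunch

See you Friday.
-- Bob
"""

SUSPICIOUS = """From: Bob <bob@example.com>
Reply-To: Account Team <verify@mail-recovery.example>
To: Alice <alice@example.net>
Subject: Conference

Stuck in England for a conference, need $2000 wired today.
--
Official notice from your email provider: send us your password to keep your account active.
"""

CREDENTIAL_PHRASES = ("username and password", "your password", "verify your account")

def domain_of(addr_header):
    """Return the lowercased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def check_message(raw):
    """Return the list of indicator names found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Indicator 1: replies are diverted to an account in a different domain.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # Indicator 2: the body (including the signature) asks for login credentials.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        findings.append("credential-request")
    return findings
```

The same check works on mail exported from a compromised account, which is useful when the Sent Items folder has been emptied but recipients still hold copies.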

There wasn’t any sensitive or financial information in his email account, but in many cases there would be. Consider your email – do you have messages from utilities? Electronic bills? Account registration confirmations from websites that include your password? An account that has been broken into can be worth thousands of dollars to thieves if they can get into your banking information or just get your friends to send them money. Don’t let the victims be you and your friends.