Advisor's Gmail Account Is Hacked, Highlighting The Danger Of Using Free Email And Other Free Apps For Business

Thursday, January 13, 2011 21:07
I received an alarming email from an advisor late yesterday afternoon, telling me he'd been mugged in London and asking me for a loan. It looked legitimate.


I had not spoken with the advisor for about a year, maybe even two. But we know each other pretty well and it was not inconceivable that he would contact me in a pinch. So, upon reading the first sentence, I thought it could be real.



Apologies for having to reach out to you like this, am so sorry never inform you about my trip to London, United Kingdom... for a seminar unfortunately i was mugged right outside the hotel where i lodged all cash,credit card, and my cellphone were all stolen from me but luckily for me i still have my passports with me.

I have been to the embassy and the Police here but they're not helping issues at all and my flight leaves in few hrs from now but I'm having problems settling the hotel bills and the hotel manager won't let me leave until i settle the bills..i want to know if i can confide in you by asking for a loan from you, i need the sum of 1,000British pounds which is equivalent to $1,500...i will appreciate any amount you can come up with if not all, I am so confused right now and thank God i wasn't injured because I complied immediately.

I'm freaked out i really need your urgent assistance.


Then, I saw it came from his Gmail address and became suspicious. Could it be "phishing," a fraudulent attempt to get me to send money?


We've all seen phishing emails from relatives of royalty temporarily short on cash, but this was the first time I received a phishing email from someone I knew!


I called the advisor's office and when he picked up the phone, I was relieved. First, I asked him how he's been doing and he said everything was fine. So I told him that his Gmail account may have been hacked.

He told me that he used Gmail for personal email and for communicating with his staff. He was not using it for client communications, but it was his main email address. 


I told him that, even though his emails may not go directly to clients, he probably wanted to archive emails telling staff what to do about client accounts. In addition to being a registered rep, he is an IA rep under a BD's corporate RIA. Pretty much all of his business-related emails should be archived--not just emails sent directly to clients, I told him. 


I sent the phishing email to his Gmail account for him to review. I would have sent it to another email account, but he told me this was the only account he checks; all of his emails are sent directly to the Gmail account or forwarded to it.


I am wary of using any free apps for client communications or that need to be archived for other reasons. That includes Gmail.


Your control is limited. A free service could be sold (see dimdim's recent acquisition by Salesforce) or discontinued, and you could be left out in the cold. Also, with a free or minimum-cost app, you don't have much leverage in demanding service. Moreover, huge services like Gmail increasingly have become rich targets for hackers. I just have not seen this happen with other email systems that you pay for.


The advisor was grateful that I took the time to contact him. I told him that all of his Gmail contacts probably had been compromised and were sent the message about his being mugged and needing cash. I suggested he send an email to all of his contacts saying he had indeed not been mugged and did not need cash, and I emailed him the phishing message to see for himself.

He tried logging into his Gmail account but he was denied access. Whoever hacked the account was in control of it now.


I referred the advisor to a tech consultant who could help him figure out what to do.


As soon as I hung up, I got a response to my email to him containing the original phishing message:

Thanks so much for your concern, It's not what you think it is...i mean it's not a hoax i really need your help right now, let me know if you are able to loan me this money, Although I have filed up a case at the nearest police post. and I reported to the embassy but I was told to follow some steps which will take nothing less than 2 weeks before I get any help from them and I can't be here for 2weeks, I need to get back home as soon as possible, I am left here with my passport alone, I will be glad if you can help me out as no amount is too small for my present situation, kindly get back to me as soon as possible.


The episode is a cautionary tale. I like Gmail but don't use it for business for all the reasons cited. Am I being too tough on Gmail? Or do you agree? Please let me know what you think.  

Comments (6)

Hi Andy: I have received about 5 of these in the past year. The strangest one was from a friend who had passed away one month earlier. An LA screenwriter received the same message as you did the other day and his back and forth is hilarious.

I tried to include it, but the message was too long. Suffice it to say, the scammer finally gave up.
Chuck Lowenstein

chuckl404 , January 14, 2011

Does it make any difference to you if the advisor paid for Gmail access through the Google Apps platform as opposed to the free Gmail program?

Free or not, both are subject to the use of weak passwords and careless personal security practices.

With the right hacking skills, nefarious characters can capture login credentials to Microsoft Outlook® Web Access and engage in the same mail scam from a "secure" Exchange server.

I think you're being too tough on Gmail, and therefore most web services with web logins. Users of web services, myself included, need to take care in protecting and guarding login credentials and not be an easy target for hackers looking to exploit unsuspecting users.
billwinterberg , January 14, 2011
You're not being too tough on gmail. What you're telling is a belated cautionary tale: when gmail came out, I realized it stored email on its server, not on your own machine, and that inevitably someone would hack into what is now called the "cloud." You need a physical web address backed up onto your own hard drive. Plus, if someone as tech-phobic as I managed to arrange automatic backup to a Canadian server years ago, for compliance reasons, those who have joined the 21st century tech-wise have no excuse for not doing the same.

To this day I am stunned that any client will scan a 1040 into a PDF without removing the related social security number -- I have to remind people to cross out all account numbers and so forth before sending it to me through what has the security of an AP wire.

Why invite trouble? One of gmail's selling points is its seductive ease of use; however, I wouldn't trust any advisor who admitted to storing compliance related emails on its server. That's not compliance; that's laziness.
nefnyc , January 14, 2011
I've been giving this some thought and need to do more research. Both of the preceding commenters make the same point. The security precautions an advisor takes in using a system to guard against threats are as important as how the system itself works.

However, it seems that advisors using consumer services instead of business services are more prone to security issues. That's partly because when you get an Exchange server or hosted Exchange, you're going to get outside help--a consultant who understands your security issues.

When you use a free or super-cheap service, you won't get any help or the help you get will be limited and not tailored to your security profile.

The other factor is that the consumer services, even the ones charging $50 or $100 a year, are created to be as simple as possible for users. So while they may have adequate security protection built in, you have to yourself be fastidious to make sure you use it. For instance, something I saw a year ago and have not checked lately was that Google allowed you to create "strong" passwords with non-alphanumeric characters but did not require it. Strong passwords are a key security measure.

I'd like to hear from advisors using hosted Exchange servers about their experiences, since I think that will be a growing way for advisors to do business.
agluck , January 16, 2011
There are many great points being made here.

I believe the issue comes down to the appreciation for data security and privacy. I strongly recommend that Advisors utilize paid services where the firm engages in security audits and ideally a SAS70 review from a major assurance firm.

That said an on-premise exchange can be as vulnerable as a hosted exchange, Google Apps for Business and even an account at a major email archiving and security vendor. I have experienced Advisors that have had breaches and weaknesses across the board.

First and most basic is having complex passwords. Virtually all paid and free services give you the ability to have complex passwords, but not enough people are implementing. They use one simple password for everything. (email=[address not shown on the page], password=jdoe123). A simple script can be used to try these combinations.

Second is changing the password regularly. I don't mean changing jdoe1 to jdoe2 to jdoe3.
You need a monthly or quarterly routine to change passwords to a complex string that includes a mixture of letters, numbers and other characters. The longer and more complex the better. Have a methodology that does not use anything in your username in your password. Also have a method for replacing some but not all vowels with numbers. Include a mixture of Caps and lowercase and finally, implement a non-alphanumeric character. Ideally, have that character within the string and not the last character.

Second, stop using POP mail with no SSL connections. If you do not have a secure connection to the server, you increase the likelihood of hacking or spoofing exponentially.

Next, consider that most paid services now use advanced security protocols, like SPA ("Secure Password Authentication"). This is available on Google Apps for Business ($50 per year) through more expensive Exchange solutions.

Last point, keep business and personal separate!! Every advisor should have a free Gmail, Yahoo or similar account. You need somewhere to capture the junk!! However, you should not use this for your business and should not communicate any client information through these free accounts. Further, to Andy's point, do not have client contact info in these accounts either. If someone hacks your free account, they will be limited to spamming all the people that are already spamming you.

As you can see this is a huge topic. Advisors in general need to put more effort in here. Also, as the "Trusted Advisor" to their clients, they need to be guiding their clients through these risks.

Chris Winn , January 17, 2011
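As an added example (not the commenter's or the page's own code), a small Python checker for the password rules listed in the comment above: mixed case, digits, a non-alphanumeric character that is not merely tacked on at the end, nothing from the username (even with vowels swapped for digits), and no jdoe1-to-jdoe2 "changes". The 12-character minimum and the digit-for-letter swap table are assumptions.

```python
import re
import string

# Added example, not code from the page: checks a candidate password
# against the rules given in the comment above.
SPECIALS = set(string.punctuation)
# Assumed table of common digit/symbol-for-letter swaps; it is undone before
# the username test so "jd03" still counts as reusing the name "jdoe".
LEET = str.maketrans("0134578@$", "oieastbas")


def _normalize(s: str) -> str:
    return s.lower().translate(LEET)


def _stem(p: str) -> str:
    """Password with any trailing digits removed (jdoe2 -> jdoe)."""
    return re.sub(r"\d+$", "", p).lower()


def password_problems(password: str, username: str = "", previous: str = "") -> list:
    """Return the rules the password breaks; an empty list means it passes.

    The 12-character minimum is an assumed threshold; the comment only says
    longer is better.
    """
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    special_positions = [i for i, c in enumerate(password) if c in SPECIALS]
    if not special_positions:
        problems.append("no non-alphanumeric character")
    elif special_positions == [len(password) - 1]:
        problems.append("only non-alphanumeric character is the last one")
    # Nothing from the username may appear, even with vowels swapped for digits.
    pieces = [w for w in re.findall(r"[a-z]+", username.lower()) if len(w) >= 3]
    if username and any(w in _normalize(password) for w in pieces + [username.lower()]):
        problems.append("contains part of the username")
    # jdoe1 -> jdoe2 is not a password change.
    if previous and _stem(password) and _stem(previous) == _stem(password):
        problems.append("is the previous password or differs only by a trailing number")
    return problems
```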
All good points,
We see many advisors that are using secure encrypted email and client vaults as a marketing opportunity while discrediting competing advisors that are using their personal email services like Gmail, Hotmail and Yahoo without encryption for professional purposes.

There is no question that sending any confidential personal information without email encryption is not secure.

In today's world, advisors should be doing everything they can to protect their clients' confidential personal information.
BrianEdelman , January 17, 2011
