What I Learned When My Email Account Was Hacked

Garrick Sapp at Trudge to Truth
2 min read · Jul 25, 2022

I got a text message from my accountant this morning.

“Did you get a bank code? Trying to update bank account.”

That is weird, I thought to myself as I touched the icon to call her. It is time to run payroll, but nothing has changed with banking information. “Hi Tia, what’s going on? Last payroll was fine. Why do you need to do anything with the banking information?” She responded by asking, “Didn’t you send me an email to update the banking information?” I had not.

It turns out someone used my email account, as the messages came from my exact email address, but there was nothing in my sent folder. Here is what I did and learned.

  • I changed the password on the email account. Then I noticed I could still access it with Outlook without entering the new password. This was concerning.
  • I called my Microsoft 365 service provider and told them what happened. I asked why I did not have to sign back in to my email after changing the password when using the Outlook application on my desktop.
  • They had me access my web-based Microsoft 365 email account using an incognito browser page. After signing in with the new password, I scrolled down to where it says, “sign out of all devices.” I clicked on the link and followed the instructions.
  • I was then required to enter my password to sign into my email using the desktop and Android applications.

In my case, the fraud was not completed because the payroll software required a code that was sent to my phone to finish the process of changing banking information. The biggest learning for me was that changing passwords does not always end a hacker’s access. You also have to sign out of all devices.

Written by Garrick Sapp at Trudge to Truth

Career consultant turned substitute teacher and writer. I enjoy the outdoors and poker. www.trudgetotruth.com