Hackers stole 100,000 of her Aeroplan points. She wants to warn others about how they did it

Last Sunday, Jacinthe Dupuis knew something was off when she noticed hundreds of emails had flooded her inbox in just a few hours.

All of them appeared to be spam.

After an online search, the woman who lives in Léry, Que., on Montreal’s South Shore, realized that she’d likely been the victim of something called email bombing. It’s a technique used by hackers to overwhelm someone’s inbox with useless emails to take their focus away from the one message they should be paying attention to.

By the time she realized what hackers were up to, it was too late.

Buried in that pile of emails was a warning from Aeroplan, Air Canada’s loyalty program. It was alerting her that changes had been made to her account. When she checked, more than 100,000 Aeroplan points had disappeared.

Someone had already booked a flight from Malaysia to Abu Dhabi, and she had only about 12,000 points left.

“I know it’s a little bit superficial because it’s just points, it’s not actual money. I still feel a bit violated,” said Dupuis, who was looking forward to booking a trip using points she had spent years accumulating.

Even though Air Canada was not at fault, it quickly restored Dupuis’s lost points.

She’s hoping to get the word out about her experience so that people can act quickly if ever they’re the victims of email bombing and fraud.

“I think it’s important to know that it’s happening right now and it can have an effect. I mean, this was only my Aeroplan account. It could have been something else like my bank accounts,” she said.

Protecting yourself from a ‘false flag’

Claudiu Popa, a privacy and cybersecurity consultant, says email bombing is known as a “false flag.”

“It’s trying to draw your attention to one thing while criminals are doing another,” he said.

“It allows criminals to operate with impunity and to delay detection. And that’s key because when you’re delaying detection, you’re also delaying reporting.”

He said email filters can help guard against email bombing, and popular email services usually come equipped with them. Popa also recommends that people customize those filters so that keywords commonly used in unwanted emails are detected.

Jacinthe Dupuis’s inbox was flooded in a matter of hours on Sunday. (CBC)

The most important step people can take to guard against hackers getting into their accounts after being email bombed, Popa said, is to make sure none of them can be accessed without a two-step verification process.

“No one should ever access their bank account without two-factor authentication. No one should ever access any government account or Revenue Canada account or financial account without multi-factor authentication being turned on,” he said.

“Nowadays it’s also very important to enable it on social media accounts. Facebook, for example, and LinkedIn accounts are being stolen.”

Dupuis plans to make sure all of her accounts have that level of protection “even if it’s really annoying,” she said with a laugh.

“I need to be really careful.”
