Last Sunday, Jacinthe Dupuis knew something was off when she noticed hundreds of emails had flooded her inbox in just a few hours.
All of them appeared to be spam.
After an online search, the woman who lives in Léry, Que., on Montreal’s South Shore, realized that she’d likely been the victim of something called email bombing. It’s a technique used by hackers to overwhelm someone’s inbox with useless emails to take their focus away from the one message they should be paying attention to.
By the time she realized what hackers were up to, it was too late.
Buried in that pile of emails was a warning from Aeroplan, Air Canada’s loyalty program. It was alerting her that changes had been made to her account. When she checked, more than 100,000 Aeroplan points had disappeared.
Someone had already booked a flight from Malaysia to Abu Dhabi, and she had only about 12,000 points left.
“I know it’s a little bit superficial because it’s just points, it’s not actual money. I still feel a bit violated,” said Dupuis, who was looking forward to book a trip using points she had spent years accumulating.
Even though Air Canada was not at fault, it quickly restored Dupuis’s lost points.
She’s hoping to get the word out about her experience so that people can act quickly if ever they’re the victims of email bombing and fraud.
“I think it’s important to know that it’s happening right now and it can have an effect. I mean, this was only my Aeroplan account. It could have been something else like my bank accounts,” she said.
Protecting yourself from a ‘false flag’
Claudiu Popa, a privacy and cybersecurity consultant, says email bombing is known as a “false flag.”
“It’s trying to draw your attention to one thing while criminals are doing another,” he said.
“It allows criminals to operate with impunity and to delay detection. And that’s key because when you’re delaying detection, you’re also delaying reporting.”
He said email filters can help guard against email bombing and popular email services usually come equipped with those. Popa also recommends people customizing those filters to make sure certain keywords commonly used in emails you don’t want to receive are detected.
The most important step people can take to guard against hackers getting into their accounts after being email bombed, Popa said, is to make sure none of them can be accessed without a two-step verification process.
“No one should ever access their bank account without two-factor authentication. No one should ever access any government account or Revenue Canada account or financial account without multi-factor authentication being turned on,” he said.
“Nowadays it’s also very important to enable it on social media accounts. Facebook, for example, and LinkedIn accounts are being stolen.”
Dupuis plans to make sure all of her accounts have that level of protection “even if it’s really annoying,” she said with a laugh.
“I need to be really careful.”