First, before I go into the details:
1. If your email password is the same as any password you use anywhere else online, change it RIGHT NOW!
2. If your credit card company offers a fraud alert service, sign up for it; that's how I found out.
There's a new twist in phishing. The latest in state-of-the-art "phishing" is to pop up a dialog that LOOKS EXACTLY LIKE the one in your email application with a convincing error message about a dropped connection requiring you to re-login.
If you get such a dialog, DO NOT enter your password. Shut down your computer and restart it.
If you do enter a password, you may be f*ed.
Here's how it went for me:
- A Mozilla Thunderbird (my email app) dialog popped up, asking me to log back in, on a day when, coincidentally, we were having network issues. It popped up again after I entered the password the first time, but given the issue we were having, I didn't think anything of it. Until...
- I tried to check my email and couldn't.
- I got suspicious, figuring I'd been hacked (good guess).
- I immediately went to my ISP's web site, logged into my account there and changed the password to something new.
- I then went to all the places I could think of where I could have used that password, and changed them.
- I missed one, but didn't know it: a credit card site.
- The hacker didn't miss it... They used the phished password to request a new user ID, logged in, and got all the info in my account. ALL of it.
The result?
There are now bills being sent in my name to a fake address in Colorado. The hacker has a lovely new piece of something expensive from an online company that sells jewelry and watches. I don't know what else, yet.
Today was a maddening day of calling credit reporting agencies (and sitting through interminable automated phone help-lines), the credit card company, and the police, filling out forms and writing letters.
Monday, I get to request credit reports, and probably sign up for a monthly credit reporting service. I get to put a 7-year fraud block on my credit report, which will mean extra time and information any time I try to apply for any credit during those years.
The one positive effect:
No more of those freaking pre-approved credit card offers.