If you think user names and passwords are sufficient to protect you from someone hijacking your email, bank accounts or website, think again, police say.
At least one Dunedin businessman has a story to prove it.
David Myers said he thought he had good security measures in place, but has never felt so vulnerable on the internet since someone hacked into his email account, sent a desperate email to all his contacts seeking money and then deleted his address book.
A few months ago he found he was blocked from accessing his Yahoo email account, which he used to run his marketing business.
About 45 minutes after the discovery, he received a call from a client who told him it appeared he had been scammed.
Everyone in Mr Myers' address book had been sent an email, apparently from him, which said all his cash and valuables were stolen when he was mugged during a trip to England and he urgently needed £2250 ($NZ4560).
It then gave his name, his work telephone number minus one digit, and a UK telephone number to contact.
He had not been to England and had not sent the email.
He said some of his clients called him and offered to help, some immediately recognised it as a scam, while others - surprisingly many - responded to the email and offered help, corresponding with the hacker.
As far as he was aware, no-one had handed over any money.
He said he still had to do business over the internet, but he no longer trusted it and was suspicious of most emails.
"I felt violated. I didn't trust anybody for a while. I've gone back to doing business the old way, on the landline. I won't negotiate over email, I won't open attachments away from the computer at my office. You just get so paranoid. I wouldn't wish it on anybody."
He learned he was the victim of a relatively common hijacking scam where a hacker breaks into a person's Yahoo, Gmail, Hotmail or Facebook account, wipes out passwords and deletes all the emails and contacts.
Mr Myers also discovered he could no longer access his business website, his Facebook account and an overseas bank account, despite them all having exclusive and unrelated passwords.
Logos, email addresses and telephone numbers were changed on his website, and money was stolen from his bank account.
All of his more than 900 contacts were removed from his email account.
It took weeks to sort out the mess, including five days of desperately trying to reach someone at Yahoo to get his email account running again; setting up a temporary account (which clients then thought was also a scam); hiring two IT companies to fix his website and install top-notch internet security; and contacting and reloading on to email all of his clients using business cards and old files.
"It was virtually starting again."
Mr Myers said he had always been security-conscious and had his website designed by an Auckland company believing it was as secure as it could be, but after his experience would advise everyone to be "over-secure".
He said he was told by a Yahoo staff member this was happening to up to five Yahoo customers a day, and he was not the only Dunedin victim.
The Otago Daily Times has received several emails purporting to be from Dunedin people, with similar messages.
Police said the scam had been doing the rounds for several years, and Mr Myers' story was not uncommon in New Zealand or overseas.
Hackers were becoming more dangerous and people needed to be aware user names and passwords were no longer enough to ensure security while accessing personal information online, police e-crime group manager Maarten Kleintjes said.
"It is like in the 1960s, when we left houses and cars unlocked, but we needed to become more aware of security. It's the same with computers."
Most online providers, certainly at least Hotmail, Gmail, PayPal, Facebook and some banks, now offered the option of installing a two-step verification system, which he recommended people took up.
Two-step verification, or two-factor authentication, was a security process in which getting into a personal account required not only a user name and password but also a number, supplied by an electronic token carried on the person, a text message or a smartphone application, each time access to the account was sought.
"People should take up these additional security features without delay. It provides excellent protection against their account being hijacked."
While people could report the activity to police, it was possibly more important to report it to theorb.org.nz, which helped direct a person to the best organisation to investigate it and kept track of online crime, he said.











