Hackers stole 100,000 of her Aeroplan points. She wants to warn others about how they did it
Last Sunday, Jacinthe Dupuis knew something was off when she noticed hundreds of emails had flooded her inbox in just a few hours.
All of them appeared to be spam.
After an online search, the woman who lives in Léry, Que., on Montreal's South Shore, realized that she'd likely been the victim of something called email bombing. It's a technique used by hackers to over‐ whelm someone's inbox with useless emails to take their focus away from the one message they should be pay‐ ing attention to.
By the time she realized what hackers were up to, it was too late.
Buried in that pile of emails was a warning from Aeroplan, Air Canada's loyalty program. It was alerting her that changes had been made to her account. When she checked, more than 100,000 Aeroplan points had disap‐ peared.
Someone had already booked a flight from Malaysia to Abu Dhabi, and she had only about 12,000 points left.
"I know it's a little bit su‐ perficial because it's just points, it's not actual money. I still feel a bit violated," said Dupuis, who was looking for‐ ward to book a trip using points she had spent years accumulating.
Even though Air Canada was not at fault, it quickly re‐ stored Dupuis's lost points.
She's hoping to get the word out about her experi‐ ence so that people can act quickly if ever they're the vic‐ tims of email bombing and fraud.
"I think it's important to know that it's happening right now and it can have an effect. I mean, this was only my Aeroplan account. It could have been something else like my bank accounts," she said.
WATCH | Tips to avoid being defrauded:
Protecting yourself from a 'false flag'
Claudiu Popa, a privacy and cybersecurity consultant, says email bombing is known as a "false flag."
"It's trying to draw your attention to one thing while criminals are doing another," he said.
"It allows criminals to op‐ erate with impunity and to delay detection. And that's key because when you're de‐ laying detection, you're also delaying reporting."
He said email filters can help guard against email bombing and popular email services usually come equipped with those. Popa also recommends people customizing those filters to make sure certain keywords commonly used in emails you don't want to receive are detected.
The most important step people can take to guard against hackers getting into their accounts after being email bombed, Popa said, is to make sure none of them can be accessed without a two-step verification process.
"No one should ever ac‐ cess their bank account with‐ out two-factor authentica‐ tion. No one should ever ac‐ cess any government ac‐ count or Revenue Canada ac‐ count or financial account without multi-factor authen‐ tication being turned on," he said.
"Nowadays it's also very important to enable it on so‐ cial media accounts. Face‐ book, for example, and
LinkedIn accounts are being stolen."
Dupuis plans to make sure all of her accounts have that level of protection "even if it's really annoying," she said with a laugh.
"I need to be really care‐ ful."