Patrick Marshall answers your personal technology questions each week.

Share story

Q: After reading your recent column regarding email security, I want to share a personal story.

I’ve always communicated with my CPA over email. He would use a secure link if files needed to be sent to me, but our communications were over regular email. This year due to a sale of my business I owed several hundred thousand dollars to the IRS. I asked him via email if wiring the money would be easier. He replied that it would, so I went to the bank to wire the money to the account he listed, saying this was where the IRS wanted the money sent. It wasn’t a government company (red flag) but since my CPA said to do this I went along.

At the bank the person helping me with the wire said she needed a physical address for the institution receiving the funds. That wasn’t included with the instructions from my CPA, so I called him. His response was a horrified. “I never sent that email!” Somehow someone hacked into our email communication.

Looking at the emails afterward, when the scam artist took over, their emails were COMPLETELY identical to my CPA’s email setup and format except for the small disclaimer at the bottom that was a slightly different font. If it weren’t for the bank employee I would have suffered a huge financial loss.

Related Tech Q&As

Read more from Patrick Marshall here >>

How did the scam artist get into the email thread? We don’t know. My CPA had his computer checked for virus and malware and so did I. Nothing was found. I still reformatted my computer just in case.

— Allen Matson

A: The fact is that any email can easily be captured by a hacker with a network sniffer. That’s why I recommend the use of a virtual private network when logging onto a public network that doesn’t control logons — say, at a coffee shop. Once you launch the VPN, all your transmissions, including your emails, will be encrypted. A hacker with a network analyzer can still capture your transmission but they won’t be able to make sense of it.

The same applies to your home network, of course, if you’ve left it unsecured. If you don’t require strong passwords to log on — or, even worse, if you haven’t changed the default administrator logon for your Wi-Fi router — it’s easy for a hacker sitting in a car outside your house to gain access. And yes, once the hacker gains access to unencrypted email it’s relatively easy to spoof that email.

My guess is that the hacker most likely accessed your CPA’s network rather than your network. If I was a hacker looking for an opportunity to trick someone into sending money I’d be more likely sniff around a CPA’s office than a coffee house.

The long and the short of it is that you are wise to be suspicious about any communications asking you to send money.

Q: What is the computer pop-up referring to when it mentions “long-running script”? Should I be concerned?

— Bob Lalande, Tacoma

A:  Not to worry.

The script is a small program that launches when you enter some websites. If it takes longer to run than the default setting in your browser, the browser will stop the script from executing and will ask if you want to let the script proceed. You can change the default setting in your browser, though the specific steps for doing so depend on the browser you’re using.

Unless there’s something on that specific site that isn’t working properly, however, I wouldn’t change the setting. It’s really up to the site’s webmaster to make sure that the scripts on the site work properly with all browsers.