Skip to content
by
  • Products
  • Free Tools
  • Search
  • Free Sophos Home
XG Firewall
Next-Gen Firewall
Intercept X
Next-Gen Endpoint
  • Sophos Cloud Optix
  • Sophos Central
  • Sophos Mobile
  • Intercept X for Server
  • Secure Wi-Fi
  • Phish Threat
  • SafeGuard Encryption
  • Secure Email
  • SG UTM
  • Secure Web Gateway
For Home Users

Sophos Home protects every Mac and PC in your home

Learn More
Free Security Tools
Free Trials
Product Demos
Have you listened to our podcast? Listen now

How to report a computer crime: Unauthorised email account access

31 Oct 2012 30 Law & order, Privacy

Post navigation

Previous: Whodunnit? Conflicting accounts on ARAMCO hack underscore difficulty of attribution
Next: Counterattack! Suspected hacker caught on HIS WEBCAM, while spying on Georgia
by Bob Burls

Thumbprint, courtesy of ShutterstockDo you know how to report a computer crime? Or even who you would report it to?

Well, there is no one size fits all solution – it depends on the individual circumstances and where you are in the world – but we’ve drawn up some scenarios that are typical of some of the crimes that any computer user, at home or work, might come across.

In the first of our series of articles on how to report a computer crime, we’ll look at unauthorised email access, what offences are committed when a crime like this happens and how you should report it.

Take this scenario:

Abigail is at work. She logs into her personal webmail account during her lunch-break, which she is allowed to do according to her company’s computer policy.

A friend had advised her to use a complex password for her personal webmail, but she finds it difficult to remember so she has it written down in her diary.

Abigail logs out of her personal webmail account and leaves the building to make a private phone call, but doesn’t take her diary with her.

Barry sits opposite Abigail; he has a secret crush on her. Barry goes to Abigail’s desk, searches her diary, finds the webmail account name and password and logs into her webmail account from his smartphone at the office.

Barry reads a number of Abigail’s previously read personal emails using his mobile, but does not read any unread mail in case Abigail notices someone has accessed her account.

Abigail later discovers that someone has read her emails after she checks her email account activity and notices the account has been accessed by a mobile web browser. She suspects it was Barry after he made a comment regarding something she had written in a personal email.

What was the offence?

We can break it down like this:

Flower on laptop, courtsy of Shutterstock

  1. Barry deliberately gained access to Abigail’s web-based email account
  2. Barry did not have permission to access the account, nor would he have been given it if Abigail, the genuine account holder, knew what he was doing.
  3. Although Barry did not delete or deliberately alter any data, he has still committed an offence because the access was not authorised

The legal bit

We’ve focused on the UK, USA, Canada and Australia, but each country has its own legislation, though the relevant statute often exists to accommodate the same offences in each country.

UK

In the UK, most computer crime falls under offences covered by one of three pieces of law:

  • Computer Misuse Act 1990
  • Communications Act 2003
  • Fraud Act 2006

Other associated crimes could include Conspiracy or Money Laundering offences, but victims of crime are more often than not affected by at least one of the three Acts listed above.

In this case, Barry committed an offence of “Unauthorised Access” in contravention of S1 Computer Misuse Act 1990, committed when the offender causes a computer to perform a function intending to secure access (which Barry did when he gained authentication to Abigail’s account).

Gavel, courtesy of ShutterstockUSA

In the USA, most cybercrime offences are covered by Title 18, United States Code (USC) Section 1030 – Fraud and related activity in connection with computers. This is what Barry contravened when he logged into Abigail’s account.

Canada

The Criminal Code of Canada contains sections that specifically cater for cybercrime, including:

  • Unauthorised Use of Computer
  • Possession of Device to Obtain Computer
  • Mischief in Relation to Data
  • Identity Theft and Identity Fraud

In this case, Barry contravened Section 342.1 Canadian Criminal Code (CCC) – Unauthorised Use of Computer.

Australia

Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending, mainly, on severity.

The primary legislation for computer offences is the Summary Offences Act, 1953 (SOA) and the Criminal Law Consolidation Act, 1935 (CLCA).

In this case, Barry has contravened Section 44, Summary Offences Act.

Reporting the crime

UK

Police station, courtesy of ShutterstockIn the UK, when a crime has taken place it should be reported to the police, so Abigail should go to her local police station to report it.

There is also a web portal for reporting fraud and internet crime: Action Fraud.

Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, who then decides whether the incident requires further investigation, as not all computer crimes are investigated.

USA

The Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).

Two Federal LEAs have a remit to investigate some computer crimes:

  • The Federal Bureau of Investigation (FBI)
  • The United States Secret Service (USSS)

In this case Abigail should report the crime at her FBI Local Office, or US Secret Service or Internet Crime Complaint Centre.

Canada

The Royal Canadian Mounted Police (RCMP) are the main agency with regard to the investigation of federal statutes but also have policing responsibility for a number of the Canadian provinces and all 3 territories, as well as some local police services in towns and cities.

A computer crime victim, like Abigail, should report their incident to their local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.

Australia

Abigail should report the crime to the Australian State or Territory Police.

Investigation policy differs from state to state but the Australian Federal Police website offers a guide on whether the crime should be reported to either Australian State or Territory Police.

Preserving the evidence

Woman at computer, courtesy of ShutterstockAbigail may want to consider informing her webmail service provider that she has reported the incident to the authorities.

She should also request that they preserve the web access logs so they can be looked at during the investigations.

Remediation

Abigail should change her webmail password immediately and use a robust password that she can memorise rather than one which she has to write down. She could also consider using password management software (examples include 1Password, LastPass or KeePass) where she only will need to remember one complicated master password.

Conclusion

In general, it’s important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.

If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will be not be a true reflection of the number of crimes taking place.

The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.

We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.

All of the scenarios are made up and the characters depicted bear no resemblance to any person.

Acknowledgements

Naked Security gratefully acknowledges the assistance of the following organisations in preparation of this series of articles:

UK Police Central e-Crime Unit
Action Fraud
United States Federal Bureau of Investigation
United States Secret Service
Royal Canadian Mounted Police
South Australia Police

Police station, thumbprint, flower on laptop, gavel and woman at computer images courtesy of Shutterstock

  • Follow @NakedSecurity on Twitter for the latest computer security news.

  • Follow @NakedSecurity on Instagram for exclusive pics, gifs, vids and LOLs!

Free tools

Sophos Firewall Home Edition

Boost your home network security.

Sophos Scan & Clean

Free second-opinion scanner for PCs.

Sophos Cloud Optix

Monitor 25 cloud assets for free.

Post navigation

Previous: Whodunnit? Conflicting accounts on ARAMCO hack underscore difficulty of attribution
Next: Counterattack! Suspected hacker caught on HIS WEBCAM, while spying on Georgia

30 comments on “How to report a computer crime: Unauthorised email account access”

  1. Jill says:
    October 31, 2012 at 12:02 pm

    Authorize is misspelled.

    • Craig says:
      November 2, 2012 at 6:32 pm

      Not if the author is English (which they are).

    • Jim Jones Jameson Sr. says:
      June 6, 2014 at 3:31 pm

      Authorise is the original and correct spelling of the original English language. AuthoriZe is americanism, slang, barbarism, recent misspelling that became “correct” in the USA.

    • Jim says:
      June 6, 2014 at 3:33 pm

      Dog is a misspelling too. The correct spelling is dawg. 🙂

  2. Bob Hannah says:
    October 31, 2012 at 2:23 pm

    One thing that I discovered when I discovered one of accounts had been hacked. That Microsoft IWindows Live) will do nothing to help you correct the problem. Buried underneath your Windows Live Account are all your other Microsoft Accounts including email and others. Once someone is into your Windows Live Acoount, they are also into all your other Microsoft Accounts. The access to my Windows Live Account was granted by someone at Microsoft, not me. Upon discovery that this had happend, I attempted to retake control of the Windows Live account and was not able to. I was able to get back one of the underlying accouts but I am still trying to correct the mess that this caused. I have also read in one the other Security feeds that one in five Microsoft Accounts is comprmised.

  3. Brett Greisen says:
    October 31, 2012 at 3:04 pm

    The Windows Live comment above has electronic health records (EHR) ramifications now.

    Many hospitals use Microsoft Vault (accessed by Hotmail acct info) for their patient-accessed medical records/online bill paying/general info sites.

  4. kums says:
    October 31, 2012 at 3:38 pm

    then few antivirus programs should be punished for this offense who where stealing user's system file without his permission.

  5. @undefined says:
    October 31, 2012 at 3:44 pm

    My GMail account got hacked a while ago and I actually reported it to the local police but I don't think anything at all was done about it. The attacker's IP address was located in China and might have been a part of a botnet. At the time I couldn't find a way to inform Google, I did post the incident on the Google forums. luckily the two-step authentication was implemented not long after that so that made me sleep a little easier.

  6. Harry pollard says:
    October 31, 2012 at 4:32 pm

    My account was compromised when a list of passwords for I site I used was posted on a website. Two months later a person contacted me and said this list had my email and password and when I logged in to my account on my computer, I was suspended and was required to go through a procces and verify my account. I then changed all my passwords.

  7. Graham Cluley says:
    November 1, 2012 at 12:16 am

    That rather depends on whether you speak English English or American English. 🙂

    Bob is EE.

  8. Guest says:
    November 1, 2012 at 3:11 am

    I didn't bother to report the person (whom I've known only electronically) who'd hacked my Hotmail account recently – the same person who (unbeknownst to me, until 2 years after the fact) had remotely installed keylogger spyware on my computer. Why not? The FBI won't help you unless you give them all the evidence that they need to prosecute the hacker. Moreover, the FBI won't help you unless you can prove that the hacker had caused you financial or physical harm. Recently I spoke with a self-described expert on criminal psychopaths, who acts as a liaison between FBI agents and prosecuting attorneys, regarding the hacker in question. The expert's response? "I don't see a crime here." If I couldn't get the expert on my side, how could I get the FBI on my side? The authorities won't help and you can't reason with a psychopath, so what's the point of reporting internet crimes? The FBI would probably tell me that had I scanned every email attachment that the hacker had sent me and checked every link (before clicking) that he'd sent me, the hacker would not have been able to install spyware on my computer – in which case, they would be correct; I should have updated my antivirus program daily, scan everything before opening, and paid attention to the seemingly insignificant red flags that I'd noticed from time to time. Shame on the psychopathic hacker for being shameless and shame on me for being too careless and trusting.

    Two problems: Internet crimes are hard and expensive to prosecute. Secondly, if the (presumed) psychopath hacked my computer and. more recently. used brute force to crack my Hotmail password, who else is he hacking?

    I've learned the hard way that the psychopathic hacker is a dab hand at plagiarism, hacking, and telling strangers lies about you that actually apply to him. Learn from my example and don't trust anyone with whom you have only electronic communications – regardless of how friendly they might sound. And if an unknown hack claims to be writing a biography about an obscure, long-dead entertainer about whom little is known, run for the hills!

    • iAmCodeMonkey says:
      March 1, 2015 at 6:17 am

      Good points. I did not report my GMail hacker 2 years ago either.

  9. njorl says:
    November 2, 2012 at 1:59 am

    "searches her diary" – I'm struck by how, in the letter of the law, and in the typical reaction of citizens, information attains specific importance when it's on and used/abused from a computer system.

    We might have had a briefer version of the tale (though not in NS), in which Barry had been caught satisfying his curiosity by reading Abigail's (personal) diary. Would Bob still have advised, "Abigail should go to her local police station" etc?

    I'm not condoning the actions attributed to Barry, but I'm not surprised by the reluctance of the authorities, as noted in other comments, to take up such cases.

  10. DaveM says:
    November 2, 2012 at 4:38 pm

    This story amuses me, notably as it does not mention whether "Abigail" got any help. If it is illegal to read someone else's e-mail, surely it is illegal to make repeated death threats online, publish someone's personal information on various web pages, and make harassing phone calls to that person. There were also false accusations of multiple felony crimes, and online stalking over several online forums and other pages.

    That happened to me during a two-month period this past summer. Local authorities stated it was not a crime. State and Federal authorities never responded to my complaint. The Federal complaint, conversely, was made directly through the ic3 site created specifically for that purpose.

    There is little point in having laws and elaborate means of reporting offenses if nothing is done about said offenses. I am reminded of the "push for walk signal" buttons on traffic lights which in practice seem to do nothing but keep a pedestrian occupied while the light changes.

  11. roy jones jr says:
    November 5, 2012 at 10:12 pm

    That is kind of messed up that there wouldn't be a followup investigation. Its also messed up that companies hide the issue (Microsoft letting hackers steal email passwords) and then its too late for us the end user to do anything.

  12. still driving says:
    August 22, 2013 at 8:14 am

    The game plays a little bit like clue, but with more elements of random chance. You will have to use your deductive reasoning and skills to build a case and catch the bad guys before your opposing players do. Thanks.

  13. John says:
    December 2, 2013 at 10:09 pm

    A friend gave me his password so that, at his request, I could monitor his emails for a period while he was unable to do so. I sought his consent to send an email from his account to a 3rd party albeit in my friend’s name, because I wanted to remain anonymous. Now my friend has complained that I have illegally impersonated him by sending an email in his name to a 3rd party! Have I broken any law?

    • iAmCodeMonkey says:
      March 1, 2015 at 6:22 am

      Even though he gave you his password, you had no right to send emails using his account. You probably have violated that “wire fraud” law in the US. Be careful.

      • immafighter4sure says:
        November 3, 2016 at 8:11 pm

        And how many court cases do you know of that stuck with these same circumstances ? Don’t scare the poor guy.or gal not sure . Our court system Would be so backed up for months if this were the case.

  14. Trunk Treeson says:
    June 6, 2014 at 3:40 pm

    Accessing criminal’s (scammer’s, fraudster’s, thief’s) email accounts may disclose a lot to the victim of crime and help them proptect themselves from further crime and collect important evidence against the criminal (fraudster, scammer, thief).

    • iAmCodeMonkey says:
      March 31, 2015 at 10:26 pm

      Maybe it will. Maybe it won’t.

    • immafighter4sure says:
      November 3, 2016 at 8:14 pm

      I have done this but you have to be careful because you could be implicated as well in the crimes. Sometimes criminals hope you’ll do that so they can slam dunk ya along with them. And criminals usually use other people’s computers, phones, emails accounts etc to do their crimes

  15. Anna says:
    July 17, 2015 at 8:05 am

    I need help please so the last couple of times I found my tablet laying outside.when I finally found it my neighbor excused me of stealing her password for her interent.The only person who had it cause she gave it to them was my brother and I left that between them, but long story short now she comes back and says there are reports about someone using the internet and now I get charges pressed against me.how can I prove it wasnt me when the times when it was lost and I found the tablet outside. Please I want my name to be cleared up the stupid part that was on me was I didnt have a code for my lock screen.please I need help clearing up my name.

  16. Anonymous says:
    November 20, 2015 at 12:37 pm

    The Police Central e-Crime Unit (PCeU) to which you refer is a virus that is harmful to computers. I followed your lead and went onto this site and the Met police in London have changed this to a 404(page not found status) due to the problems people have been experiencing. I think you should reconsider including this name as a place to go to report email hacking crime of any type – unless that is sophos and nakedsecurity are frontmen for scam sites too. At the very least you should be monitoring your own website to see what happens when you click on a given lead to another website. To see what problems the police virus site has caused you only need to safely highlight/copy: ( Police Central e-Crime Unit (PCeU) ) and do a google search – it makes for some reading and its even on youtube.

    • Paul Ducklin says:
      November 20, 2015 at 1:42 pm

      I’ve updated the article: “Action Fraud” is now the UK’s fraud and internet crime reporting portal. But the old “Police Central e-Crime Unit” page (now a “404 – not found” page) is not, and never has been, “a virus.” Those words were simply used by some crooks inside their own scareware programs to make them sound scarier and look more legitimate.

  17. clint says:
    August 14, 2016 at 3:34 pm

    how about here in the Philippines?

  18. Matt says:
    September 24, 2016 at 7:41 pm

    This helps. Thanks for sharing Bob.

  19. immafighter4sure says:
    November 3, 2016 at 8:20 pm

    Nothing’s safe these days. Just know that. If you have to write something secret down write it in a small notebook and put it in a hollowed out book on you bookcase. Don’t keep all of your money in a bank. One day soon you’ll wake up abd akl your money gone.
    Email accounts are easy targets. Criminals just looking for banking passwords or credit card info. But if you have xxx rated pics you’ll have them forever in your accounts.

  20. Joseph Bell says:
    February 9, 2017 at 11:41 pm

    it sounds to me that no one will take you serious so why bother reporting it to anyone

  21. Cedric West says:
    July 31, 2017 at 5:55 pm

    I want to press charges on someone who hacked my email accounts. I am not sure what information they were able to retrieve.

Comments are closed.

Recommended reads

Nov17
by Paul Ducklin
35

Black Friday and retail season – watch out for PayPal “money request” scams

Dec28
by Paul Ducklin
0

Twitter data of “+400 million unique users” up for sale – what to do?

Dec30
by Paul Ducklin
4

Naked Security 33 1/3 – Cybersecurity predictions for 2023 and beyond

  • About Naked Security
  • About Sophos
  • Send us a tip
  • Cookies
  • Privacy
  • Legal
  • Intercept X
  • Intercept X for Server
  • Intercept X for Mobile
  • XG Firewall
  • Sophos Email
  • Sophos Wireless
  • Managed Threat Response
  • Cloud Optix
  • Phish Threat
© 1997 - 2023 Sophos Ltd. All rights reserved. Powered by WordPress VIP