The Washington PostDemocracy Dies in Darkness

What happens when a top privacy and security regulator falls for an email scam

Julie Brill, an FTC commissioner, testifies on Capitol Hill. (Manuel Balce Ceneta/AP)

Most of us would probably prefer that nobody found out if we got hacked. Not so for Julie Brill, a commissioner at the Federal Trade Commission who really wants you to know about the time she fell for an email phishing scam.

"These are not the prince-from-Nigeria types of attacks of the past that we're used to," Brill said in a recent interview. "These are deeply sophisticated."

Phishing scams can affect anyone — even, as it turns out, high-ranking federal officials whose whole jobs revolve around regulating corporate data security practices. The irony isn't lost on Brill, who is trying to turn her personal story into an object lesson for consumers like you and me.

As Brill tells it, the saga began earlier this year. A business contact of hers — Gene Kimmelman, president of the consumer group Public Knowledge — sent her an email with an innocuous-looking Google Drive attachment. But after clicking on the link and entering in some of her personal information on the resulting page, she soon realized the truth: This was not a Google site at all.

Instead, online criminals had muscled their way into Kimmelman's email account and begun sending fake emails in his name to everyone in the account's address book. (I, too, got a fraudulent email from Kimmelman's attackers.)

"I was busy, I saw an email from this person, I opened it, tried to interface with it," said Brill. "And I pretty soon realized this was a false email from [someone] who was trying to get my data."

Three ways to step up your own cloud security

Luckily, even though Brill had given out some of that data, she had made sure that the criminals wouldn't be able to hijack her own accounts. She'd taken advantage of two-factor authentication, a security measure that prevents someone from logging into a website unless they can also reproduce a special code sent to a separate device such as your mobile phone. Two-factor or two-step verification has been adopted by Google, Amazon and other major websites to combat the rise of digital fraud.

The loss of information took place on Brill's personal computer, so nothing in the FTC's systems was affected, she said. But she did consult with the agency's IT managers.

"Once they found out I had two-factor authentication and I had changed some passwords, they were comforted that I had done all that I could do," said Brill. "If it had been an attack on our systems, they would have jumped into high gear right away."

So how did the hackers break into Kimmelman's address book in the first place? That mystery may never be solved.

"It was either a random hack, or someone … knew those on my contact list would expect me to have secret documents to share," Kimmelman joked in an email. "If not a random hack, my reputation may be ruined!"

Kimmelman has since switched email accounts.

Brill is leaving the FTC at the end of the month to enter the private sector — a decision that was unrelated to this incident. But her imminent departure makes this an opportune time to highlight the risks of not having two-factor authentication enabled for your sensitive online accounts.

"I say to groups, 'How many of you have two-factor authentication?' and I don't see enough hands," said Brill. "So I say to folks, 'If you get nothing else out of this talk, please go home and turn on two-factor authentication.' "