Let me tell you about the events leading up to the hack.

Last week I lost my Gmail account. Not gradually. Not suspiciously over days. In about sixty seconds.

One click on what appeared to be a legitimate collaboration link, and everything changed. Password removed. Passkeys added. Recovery phone numbers deleted. Two-step verification altered. It happened so quickly that I am convinced it was fully automated. We often celebrate automation in our work, but the dark side is just as efficient.

What makes this story uncomfortable is that I consider myself cyberaware. I use 1Password. I had security in place. I am constantly speaking about technology and digital tools. Yet I had not activated two-factor authentication on that personal Gmail account. I had not set up a passkey. I did not even realise I had ten backup codes sitting there unused. The friction of extra login steps had felt unnecessary. Until it wasn’t.

The scam itself was patient and sophisticated. I was approached about a content collaboration from someone claiming to represent Coursera. The communication unfolded over several weeks. The tone was natural. The negotiation felt normal. The job title was plausible. Real social media links were included. Even the pacing mirrored legitimate brand partnerships. Nothing screamed urgency.

The weak point was the email domain. The sender used a privacy email provider rather than a corporate address. There were subtle inconsistencies in the spelling of the name. The initial outreach was generic. But because the broader context felt aligned with my professional world, my guard lowered.

The actual breach came via a second email that appeared to be an onboarding invitation. The logo rendered correctly. The footer included Coursera’s real physical address. The design matched SaaS onboarding templates. It even arrived exactly when the supposed contact said it would. That timing was the hook. The weeks of grooming existed solely to make that single button feel safe.

Within moments of clicking, I received multiple Google alerts. New sign-in on Windows. Passkeys added. Password removed. Recovery details changed. Every safeguard was stripped away. When I attempted to recover the account, I discovered all recovery pathways had already been altered.

Panic is an interesting experience. My first thought was my friend Alex, who lost a substantial amount through a banking scam. I immediately placed all credit cards on temporary hold. That feature alone brought some relief. Then I began the slow process of securing the 400 logins associated with that email address. Seeing that number inside 1Password was confronting.

Public recovery channels were unsuccessful. Automated systems could not differentiate between me and the attacker. That was perhaps the most sobering lesson. Long-term trusted behaviour did not automatically trigger human intervention.

What ultimately saved the situation was human connection. Over the years, I have made a habit of connecting with conference speakers, including people working at Google. I reached out to ten connections. Most responded kindly. One verified my identity, escalated the case internally and within ninety minutes, my account was restored. I am deeply grateful.

Regaining access did not mean returning to normal. My immediate view was that the data had been exposed and I needed to transition away from it. I established a new personal email account with full security activated. Two-factor authentication. A passkey. Backup codes downloaded and stored safely. I reviewed forwarding rules, filters and connected accounts to ensure nothing had been quietly altered.

I also used ChatGPT to methodically walk through additional security checks. In fairness, most of my settings were strong. The missing elements were the simplest ones.

Cybercrime today is not clumsy. It is patient, researched and psychologically aware. It uses real brand names, real infrastructure and believable pacing. The lesson here is not that we should become paranoid. It is that we should remove unnecessary vulnerability.

If you are listening to this and have not enabled two-factor authentication, set up passkeys, and downloaded your backup codes, please do so today. It takes five minutes. I lost four days.

We operate in a profession built on trust, access and digital connectivity. Our email accounts are gateways to financial platforms, client data and identity verification systems. 

One click was all it took.

Apps & Tools Mentioned:

1Password, LastPass Authenticator, Coursera, Impact, Google, Gmail, Revolut, Claude, ChatGPT, LinkedIn, Twitter, TeamYouTube

Episode resources and links:

Alex Falcon Huerta’s story: https://www.linkedin.com/posts/alexfalconhuerta_fraud-alexfalconhuerta-share-7394786345610682370-s-49/

https://cyberwardens.com.au partners with the Australian Government to deliver free online security courses with verifiable CPD.

AI-Generated Transcript

Today’s episode is more personal than usual. Last week, my Gmail account was taken over by a cybercriminal. It happened in the blink of an eye.

One click on the wrong link and, within 60 seconds, I lost complete access to a personal account I’d used for more than a decade. The takeover happened so fast, I believe it must have been an automated robot. So while automation can help make us more productive, it is also helping the dark side be more destructive.

Probably like yourselves, I thought I was cyberaware and had enough security in place to prevent this from happening to me.

To cut a long story short, after 3 stressful days, I have now regained access to my Gmail account. I want you to know the three things I was missing from my Gmail account that I have now implemented.

I have activated 2 factor authentication. This is a security step that asks you to prove your identity in two ways before you can log in. Usually, a password you know and a code sent to your phone, or an authenticator app.

I use the 1Password password management solution and the LastPass Authenticator app on my phone. 

I have activated a passkey, which replaces a password with either Face ID, Touch ID, a fingerprint, or a PIN.

I have downloaded and safely filed away my ten 8-digit backup codes.

So 2-factor authentication, a passkey and my ten 8-digit backup codes. I’m sure many of you are shaking your head at me, but I thought I had enough security in place and am shocked that one click removed all of my other security measures and took over my Gmail account.

Why had I not done this earlier? This was my personal account and I did not want the hassle of going through the extra process of two-factor authentication each time I logged in. I did not understand what a passkey was, and it turns out it is really quick and easy to use. I had no idea I had ten 8-digit backup codes associated with my email account.

You can set all of this up in five minutes and I highly recommend you do!

Let me tell you about the events leading up to the hack.

The hack did not start with an obvious warning siren.

It started in a very ordinary way.

I was approached by someone who said they wanted to do a content collaboration with me.

As someone who creates content, speaks at events, hosts a podcast, publishes a newsletter and works with accounting technology companies, this type of approach is not unusual.

Content collaborations are part of my professional world.

That is one reason this matters.

The approach sat inside a normal business pattern. It did not feel wildly out of context.

I was in email communication with a person saying they were from Coursera for several weeks. They wanted to collaborate on a video, and to do this they wanted me to sign up to their Content Creator Platform, and that email came from a different email address.

Coursera is an online learning platform where you can study courses, certificates and some degrees from universities and companies. I want to make it clear that the scammer said they were from Coursera, but in reality they were not, and Coursera did nothing wrong here.

Interestingly, the email they were contacting me on was NOT, I repeat NOT, the one the hacker took over.

I’m in shock that this happened to me, and how I did not see the red flags. 

You may recall that I mentioned my very good friend Alex Falcon Huerta was cyberscammed through her Revolut Bank account and lost 53K sterling and it took 20 months to recover https://www.linkedin.com/posts/alexfalconhuerta_fraud-alexfalconhuerta-share-7394786345610682370-s-49/ and all sorts of horrors started running through my head.

Let’s take the emotion out of this. I printed out the full email conversation and asked Claude to highlight what was credible about it and what should have raised red flags to me.

I am going to walk you through this so hopefully you can learn from my experience.

The email was constructed carefully to feel legitimate:

Credibility Signals

  • Coursera is a real, well-known platform — easy to trust by association
  • “Senior Partner Marketing Manager” is a plausible, specific job title
  • The signature block included real Coursera social media URLs (youtube.com/@coursera, instagram.com/coursera) — all genuine links
  • There was a photo of a blonde lady and I actually looked her up on LinkedIn and she existed there, until the scam happened, and then she no longer existed and it became a 404 page.
  • Reference to Impact platform, which is a real and widely used affiliate/partnership tool
  • “Collaborations coordinated through Coursera partnership infrastructure” sounds like internal corporate language

Conversational Tone

  • The exchange felt natural and unhurried — multiple emails over several weeks, not a rushed grab
  • Hannah responded to your specific questions directly and practically
  • She accepted your $500 starting rate without pushback, which felt like a normal negotiation
  • Short, professional replies with no obvious spelling errors

Process Mirroring

  • The flow matched how legitimate brand deals actually work: initial enquiry, rate discussion, terms confirmation, platform registration
  • Browsing course catalogue access instead of a free subscription was a realistic compromise — it felt like a company protecting its product

The Pacing

  • Weeks between emails made it feel like a real busy professional, not a scammer in a hurry

The combination of a real brand name, real URLs, plausible process, and patient pacing is what made it convincing. The weak point was always the email domain.

Sender Details

  • Email address is hanna.hschuster@posteo.com — Posteo is a privacy-focused German email service, not a corporate domain. A genuine Coursera Senior Partner Marketing Manager would use a @coursera.com address.
  • The spelling of the name switches between “Hanna” and “Hannah” across the thread.

Opening Contact

  • The initial outreach was vague and generic — no mention of your channel name, specific video titles, or subscriber count. Legitimate brand partnerships usually show they’ve done their homework.
  • Flattery about your content being “structured, clear, and easy to engage with” is boilerplate.

Financial Terms

  • 42% commission is unusually high for a legitimate affiliate arrangement. Coursera’s public affiliate programme pays around 10-45% but legitimate partner deals are typically negotiated differently.
  • Payment structure (half upfront, half on go-live) via Impact is a common lure — it creates urgency to register on an external platform.

The Impact Platform Registration

  • Pushing you to “check inbox and spam” for an Impact invitation is a classic phishing trigger — it primes you to look for and open a suspicious email.

Sympathy Play

  • The “family tragedy” explanation for delayed replies is a recognised social engineering technique to lower your guard and discourage pushback. (This was the only thing I thought was weird)

Practical Lesson: The attack likely came through the Impact registration link, not the email conversation itself. Any “register here” link from an unverified sender is the actual point of entry.

The Other Email

The email that hacked me, which gave directions for me to sign up, was sent from another email address:

This is the most dangerous email in the sequence — it’s where the actual attack happened. Here’s the breakdown:

Red Flags

  • Sending domain is wrong — it shows “partner.operations@coursera via learn-mail.org” — that “via learn-mail.org” is the giveaway. Legitimate Coursera emails come from @coursera.org. Learn-mail.org is a spoofed sending service.
  • Gmail flagged it “External” — that yellow badge was Gmail warning you explicitly that this didn’t originate from a trusted source
  • No personalisation — just “Hello,” with no name. A genuine partner invitation would address you by name
  • Urgency trigger — “This link expires in 7 days” is a classic pressure tactic to make you click before thinking
  • Single call to action — the entire email exists only to get you to click one button. No supporting information, no context, no reference to your conversation with Hannah
  • Vague access promise — “full, immediate access” language is designed to excite rather than inform

What Made It Feel Real

  • Coursera logo rendered correctly and in brand colours
  • Professional layout matching genuine SaaS onboarding emails
  • Real physical address in the footer (2440 W El Camino Real — Coursera’s actual address)
  • Legitimate-sounding copyright notice
  • The email arrived exactly when Hannah said it would, so you were primed to expect it

That last point is the most important. The weeks of patient email grooming existed entirely to make you trust this one button.
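
The two sender red flags in this breakdown (a brand name attached to a free-mail address, and Gmail's "via" label when another domain sent or signed the message) can be checked from raw headers. This is an added example, not part of the episode: the header blocks are constructed, and the display names, the invitation's full From address, the Return-Path values and the DKIM values are assumptions, since the page shows only "partner.operations@coursera via learn-mail.org".

```python
# Added example: checks the two sender red flags from raw headers.
# Every message below is a constructed sample, not the real e-mail.
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "coursera"                  # brand name claimed by the sender
BRAND_DOMAINS = {"coursera.org"}    # domain the analysis names as legitimate

def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()

def is_brand_domain(dom):
    return any(dom == b or dom.endswith("." + b) for b in BRAND_DOMAINS)

def sending_domains(msg):
    """Envelope (Return-Path) and DKIM signing (d=) domains."""
    found = set()
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    if bounce:
        found.add(domain_of(bounce))
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bd=([^;\s]+)", sig)
        if m:
            found.add(m.group(1).lower())
    return found

def red_flags(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    flags = []
    # Flag 1: display name claims the brand, address is somewhere else.
    if BRAND in display.lower() and not is_brand_domain(from_dom):
        flags.append("brand-name-on-unrelated-domain:" + from_dom)
    # Flag 2: what Gmail renders as "via": sent or signed by another domain.
    for dom in sorted(sending_domains(msg)):
        if dom != from_dom and not dom.endswith("." + from_dom):
            flags.append("sent-via:" + dom)
    return flags

PITCH = (  # constructed: display name and Return-Path are assumptions
    'From: "Hanna Schuster | Coursera" <hanna.hschuster@posteo.com>\n'
    "Return-Path: <hanna.hschuster@posteo.com>\n"
    "Subject: Content collaboration\n\nHello,\n")
INVITE = (  # constructed: full From address and DKIM values are assumptions
    'From: "Coursera" <partner.operations@coursera.org>\n'
    "Return-Path: <bounce@learn-mail.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=learn-mail.org; s=s1; b=constructed\n"
    "Subject: Your invitation\n\nHello,\n")
ALIGNED = (  # constructed: sending domains match the From domain
    'From: "Coursera" <partner.operations@coursera.org>\n'
    "Return-Path: <bounce@mail.coursera.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=coursera.org; s=s1; b=constructed\n"
    "Subject: Your invitation\n\nHello,\n")

if __name__ == "__main__":
    for name, raw in (("pitch", PITCH), ("invite", INVITE), ("aligned", ALIGNED)):
        print(name, red_flags(raw))
```

Aligned sending domains only mean these two checks pass; they do not show that a message is genuine.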

From there, I followed the process to sign up and clicked on the link that appeared to be connected to the collaboration. I don’t think I entered any personal data, it was just one click.

Very quickly, things changed.

I received a series of Google email security alerts within around 60 seconds.

Those alerts included:

  • A new sign-in on Windows
  • New passkeys added to my account
  • A password removed from my account
  • A phone number added for two-step verification
  • Phone numbers removed from two-step verification
  • Recovery phone details changed
  • Recovery email details changed

Within that short window, all of the security I had in place was removed, and the account had effectively been taken over.

I have had this personal Gmail account for a decade, so while I am sensible, I was really not sure what part of my digital life they could now control.

I immediately jumped into my bank account and put all my credit cards on temporary hold – thank goodness for this feature! 

I then unsuccessfully went through the process to ‘Secure a hacked or compromised Google Account’. All of my recovery accounts, mobile numbers and passwords had been removed. The fact I was trying to access the account from a trusted location, and from trusted devices was irrelevant. I tried multiple times, and could get nowhere. 

I then started googling and reading what other people had tried. If you have a personal Gmail account there are very limited support options available. I followed guidance from a YouTube video to contact TeamYouTube on Twitter, and I started down that route. I remained hopeful, though after 3 days they said they could not see any issues at their end. In my thought process, they have an account that has been sitting in the same location for over a decade, with the same trusted devices, the same mobile number, and recovery email, and they don’t think that’s potentially fraud?

I guess this is where my understanding of cybercrime and account recovery differentiated from Google’s approach. 

While I am trying to recover my email I am also securing all accounts that are associated with that email account. I can tell from 1Password, I have 400 logins associated with the compromised email account – so that was quite a daunting task.

So I thought and thought and thought about what I could do next. There has to be some way to recover the account. I was not making progress through the public routes, or the AI-programmed bots I was dealing with. I needed to speak with a human.

If there is one thing I am good with, it is building networks with humans.

I then went through my LinkedIn contacts and identified I was connected with ten people who worked at Google. Yes, I was a little surprised myself, but whenever I attend a conference, if someone from Google is speaking I go and listen, and will actively connect with all speakers on LinkedIn after their session.

I created a short message to explain my situation, and for each connection I personalised it, and sent it to each of my ten connections. 

I created a short message explaining my situation, personalised it for each connection, and sent it to ten people who worked at Google who I was connected with.

Most of them kindly responded.

One of them asked for my mobile number, and he called me, and said he just wanted to verify that I was not a hacker.

It seems that I saw him give a presentation in 2017. At the time, in addition to speaking with him, I sent him a brief message to say I enjoyed his presentation. 

He got me to complete a link to an account recovery request, which seemed to be different to the ones that I had been able to access publicly. I followed the steps, which included letting him know how far I had been able to progress. He then was able to submit an escalation, and my account was recovered within 90 minutes.

What a champ!! 

I was so relieved. Boy, I slept well that night!!

What I did while I did not have access to my email Account.

As I mentioned, I was freaking out about the story of my friend Alex, losing 53 thousand pounds, so I quickly put all my credit cards on hold. Such a great feature offered to us by the banks!

We then went through the slow methodical process of trying to change the email address, and prioritising the high value accounts. The solutions all had different ways to change the email address, and frequently the code for permission would be sent to the compromised email address, alerting the hacker of what we were trying to do. So that was a bit stressful.

Regaining Access to My Account

Once I regained access, my approach was that they have all my data that was in that account, and I need to immediately cease using it.

I set up a new personal email account, with full security in place, and am working my way through moving all my logins to the new email.

I also got ChatGPT to work me through one by one security measures to ensure everything was in order. For the most part all my settings were strong. 

I installed an update that had come in overnight, but to my credit I’d proactively updated that week prior to my cybercriminal activities.

I jumped into the email settings to check if any changes had been made.

It was also what may have happened while someone else had access.

  • Set up forwarding rules
  • Created filters to hide future emails
  • Accessed connected accounts

Fortunately none had. 

This was a horrible, time-consuming experience. It took me 4 days to recover my account.

I lost so many hours trying to recover and secure my hacked Gmail account.

Can I again encourage you to set up two-factor authentication, passkeys, and download and safely file away your ten 8-digit backup codes. It only takes 5 minutes.

I want to highlight that https://cyberwardens.com.au partners with the Australian Government to deliver free online security courses with verifiable CPD.

I, possibly like you, am overwhelmed by all the security messaging happening everywhere. I thought I had active spider senses, but clearly these criminals are becoming more sophisticated, and in a fast-moving digital world one click was all it took.

Thank you for listening to Accounting Apps. Can I encourage you to sign up to my newsletter Accounting Apps dot io and join the Accounting Apps mastermind group and subscribe to this podcast.