Around a year after my first website was built, more than twenty years ago, a collector of my work wrote to me via the email address connected to my domain name, hazeldooney.com . After a while, they told me they were having difficulties receiving my emails and perhaps there was a problem with my account. I spoke to the website developer, who couldn’t find the problem. The collector, who owned a major painting that was meaningful to me and was far more experienced in tech’ than I, offered to set up an email address for me on a large, stable domain. Naively, I agreed.

Years later, I woke unusually early and checked my email. I saw emails written from my own account, corresponding in a familiar tone with someone I'd ever heard of, as if it were me. In another, the tone was argumentative with the words, “You don’t know me.” Ten minutes later, the emails vanished.

Eventually, I came to realise that the collector had been using my email account remotely to impersonate me: recommending themselves; inserting themselves into my professional life; sabotaging business relationships that did not involve them; sabotaging family relationships; conducting several email interviews as me; following up at least one major interview conducted in person with an email contradicting what I’d said; attempts to pass off their work as mine; at least one attempt at art fraud; and developing virtual friendships with people who thought they were talking to me. It felt like a badly written, tech-enabled version of the film Being John Malkovich.

By that time, I was using the email address to log into all of my business and personal accounts, which meant the collector also had access to them. I quietly created a new email address for myself, used it to replace the previous one in all my connected accounts, and phased out the email address that had been created for me.

While mending a professional relationship damaged during that time, I disclosed what happened. Referring to the discrepancies between speaking with me in person and some of the emails received, they said, “I admit, I was confused.”

It was impossible to know the extent of the damage. So I resigned myself to dealing with the fallout if or when it came up later and moved on with my life.

By now, we all know the basics of online security: choose strong passwords and two-factor identification; limit the disclosure of information tied to our legal identity such as our birth date; don’t click on links or download apps that are unfamiliar; don’t broadcast holiday plans or current location on social media; and so on.

Beyond this, the most valuable lesson I learned about online privacy is DIY: learn to do it yourself. However, this is not always practical or possible. So, what do we do then?