Scary Email Scams: They Have My Password!

I’ve written about email scams here before, but just like everything online, scams have changed over the years. From phishing emails pretending to be trusted companies you do business with to shady characters demanding money to save your reputation, identifying email scams can be tricky.  Here’s one of the latest and what you should do if you receive one. 

Sextortion/Extortion Email Scams

It’s pretty scary to receive something like the following example:

Hi. I think you will not be happy, because I have a very bad news for you. Just a few months ago I hacked your operating system and I have full control of your device. I implanted a small application into your device which sends me your current IP address and allows me to connect to your device just like remote desktop. Even if you change your password, it won’t help

Sometimes the email includes a line where they say they have your password and sure enough, the one they claim to have is a password you’ve used in the past or they may indicate they know your phone number and it really is your phone number.  The email then goes on to either explain that they have proof of you visiting porn sites (sextortion) that they will share with all your contacts or they claim they will lock your computer so that you can not use it.  In either case, they give you a matter of hours, 24, 36 or maybe 72, in order to pay their demands.  They demand to be paid in bitcoin and gives the information for payment.  They also may stress that there is no way you can track them down.  

People frightened out of their wits contact me asking if it’s for real. Even when I tell them it’s an email scam they always ask, “But how do they have my password (phone number, other personal info)?  

How DID they get your information?

You know all of those security breaches you’ve read about. The ones like Yahoo, Equifax, Anthem, Target, Google?  This is where the personal information they have about you came from.  It is why it’s so important to follow the instructions for changing your passwords when your information may have been leaked in a breach.  And it’s also why these new extortion-style emails can be so convincing that people panic and are willing to pay the money. 

What you should do:

• Ignore it and don’t open suspicious emails, click links contained in such emails, post sensitive information online, and never provide usernames, passwords and/or personal information to any unsolicited request.
• Make sure you’ve changed all passwords leaked in any data breaches.  You can check at HaveIBeenPwnd.com if you’re not sure if your personal information has been leaked. 
• Don’t re-use passwords. Use a password manager program to generate unique passwords for all of your different accounts and keep track of them. 

Cybercriminals are constantly adapting and creating new, more sophisticated, email scams to try to get money, passwords and personal information.  It’s normal to be fearful when a scammer uses personal information about you. Before you do anything take a deep breath, stay calm and do your research.  Doing a quick search of the scary email subject lines will usually identify it as a hoax.  The FTC Scam Alerts page is a great resource as well. By keeping a level head, you can keep yourself from becoming a victim to scary email scams.