Many of our clients have received blackmail emails in recent weeks, all with the same basic premise:
I have hacked into your computer and I know your password is “Hunter2”. I have been watching you, and I know that you visited *insert non family friendly website*.
Whilst you were there I turned on your webcam and recorded what happened.
Pay me $1000 or I will send the video to all of your contacts.
The detail that stands out and makes this seem believable is that the email normally contains the user’s actual password.
What to do about it?
The key things: don’t panic, don’t engage with the scammer and, most importantly, don’t pay the ransom. In all likelihood absolutely nothing will happen, as it is extremely unlikely that anything in the email (beyond your password) is true.
The one step you should take is to make sure you are not using that password for any accounts, and if you are, change it to something unique as soon as possible.
If you are still concerned we suggest you get in contact with a security expert who can investigate and confirm what has and has not occurred with your computer.
How is this happening?
In all cases of this blackmail that we are aware of, the user’s details have been stolen from a third-party website somewhere along the line. Countless websites have been hacked, and countless more will be hacked in the coming years.
These stolen details often allow the scammers to match a password with an email address, which is all the information they need for the scam. The details are entered into a template email and sent to the victim, in the hope that the rest of the message is generic enough to stick.
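A defender-side triage check for the template described above, added here as an example and not part of the original post: it scores an inbound message against weighted indicators of the scam and, only when the score crosses a threshold, pulls out the quoted password so the recipient knows which one to rotate. The patterns, weights and sample messages are all constructed for this example.

```python
import re
from typing import Optional

# Weighted indicators drawn from the scam template above. The patterns are
# constructed for this example and are not taken from any mail filter product.
INDICATORS = {
    "claims_password": (re.compile(r"\b(your|the) password (is|was)\b", re.I), 3),
    "claims_hacked":   (re.compile(r"\b(hacked|malware|trojan)\b.{0,40}\b(computer|device|pc)\b", re.I), 2),
    "webcam":          (re.compile(r"\b(webcam|camera|recorded you|video of you)\b", re.I), 2),
    "ransom_demand":   (re.compile(r"\b(pay|send|transfer)\b.{0,30}(\$|usd|bitcoin|btc)", re.I), 2),
    "threat_contacts": (re.compile(r"\b(send|share|forward)\b.{0,40}\b(contacts|friends|family|colleagues)\b", re.I), 2),
    "deadline":        (re.compile(r"\b\d+\s*(hours?|days?)\b", re.I), 1),
}
THRESHOLD = 6  # a password mention alone (3) or an invoice deadline (1) must not flag

# Captures the password quoted after "password is", with or without quotes/colon.
PASSWORD_CLAIM = re.compile(r"""password (?:is|was)\s*[:\-]?\s*["'“”‘’]?([^\s"'“”‘’.,]+)""", re.I)

def score_message(body: str) -> tuple[int, list[str]]:
    """Return the total weight and the names of the indicators that matched."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(body)]
    return sum(INDICATORS[name][1] for name in hits), hits

def extract_claimed_password(body: str) -> Optional[str]:
    """Pull out the password the sender quotes, so the recipient can rotate it everywhere."""
    match = PASSWORD_CLAIM.search(body)
    return match.group(1) if match else None

def triage(body: str) -> dict:
    score, hits = score_message(body)
    flagged = score >= THRESHOLD
    return {
        "score": score,
        "indicators": hits,
        "flagged": flagged,
        # Only trust the quoted password on a flagged message; an IT notice saying
        # "your password was reset" would otherwise yield the word "reset".
        "claimed_password": extract_claimed_password(body) if flagged else None,
    }

# Constructed samples: one copy of the scam, one legitimate invoice, and one
# password-reset notice that mentions a password without being a threat.
SCAM = ('I have hacked into your computer and I know your password is "Hunter2".\n'
        'I turned on your webcam while you visited certain sites.\n'
        'Pay me $1000 in Bitcoin within 48 hours or I will send the video to all of your contacts.')
INVOICE = ('Hi, as discussed I have attached the invoice for $1000.\n'
           'Please pay within 30 days and send a copy to the accounts team.')
RESET = 'Your password was reset by the administrator. Please log in within 2 days.'

if __name__ == "__main__":
    for label, body in (("scam", SCAM), ("invoice", INVOICE), ("reset", RESET)):
        print(label, triage(body))
```

The extracted password should be handed to the user only as "rotate this wherever you use it"; it must not be stored alongside their email address in a ticketing system.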
What can we do about it?
The key defence in this situation is using a separate password for each and every website at which you create a login. This matters because if a website is hacked (which is out of your control!) the attackers cannot use those details to log into your other accounts.
Of course it’s difficult for humans to remember a different password for each different account they have, so that is where a password manager comes into play.
A password manager securely stores each password for you, supplying the right one as you log into each account you control. The passwords are stored behind a single “master” password, which is never given to any third-party website. This provides a decent balance for most users – a single password for you to remember (the master), and a unique password for each account.
What if you want to take it to the next level?
Multi-factor authentication (MFA) is the gold standard in protecting accounts, and should be used where possible, particularly on business accounts.
The idea behind MFA is that you require more than one piece of information to authenticate to, or log into, an account.
Common examples are:
- A user types in their password, and then receives a code on their mobile phone that they must also enter before they are allowed access.
- A user types in their password, but must also swipe a special “smartcard” across their keyboard before they are allowed access.
Each of these solutions, and others like them, ensures that even if staff reuse passwords where they shouldn’t, a stolen password can’t be used to pivot to other accounts, as the attacker cannot remotely steal the smartcard or mobile phone.
Get in touch with our team if you would like more information, or you have been affected by this scam and would like some advice.