Have you received an email from a purported hacker who wants Bitcoins or some other form of cryptocurrency payment because they’ve somehow captured compromising information about you? Maybe they claim to have accessed your device’s camera or files and have your password as proof?
Don’t panic. This is just an online scam that information security researchers commonly call “sextortion.” It is becoming increasingly common because it preys on our fears surrounding our webcams and on the pervasiveness of malicious software and hacking activity that almost everyone has encountered or read about.
We’ll talk about a few steps to take to protect yourself, but the first and foremost piece of advice we have: do not pay the ransom.
We have pasted a few examples of these emails at the bottom of this post. The general gist is that a hacker claims to have compromised your computer and says they will release embarrassing information—such as images of you captured through your web camera or your pornographic browsing history—to your friends, family, and co-workers. The hacker promises to go away if you send them thousands of dollars, usually with bitcoin.
What makes the email especially alarming is that, to prove their authenticity, they begin the emails showing you a password you once used or currently use.
Again, this still doesn’t mean you’ve been hacked. The scammers in this case likely matched up a database of emails and stolen passwords and sent this scam out to potentially millions of people, hoping that enough of them would be worried enough to pay that the scam would become profitable.
They have my password! How did they get my password?
Unfortunately, in the modern age, data breaches are common and massive sets of passwords make their way to the criminal corners of the Internet. Scammers likely obtained such a list for the express purpose of including a kernel of truth in an otherwise boilerplate mass email.
If the password emailed to you is one that you still use, in any context whatsoever, STOP USING IT and change it NOW! And regardless of whether you still use that password, it’s always a good idea to use a password manager.
And of course, you should always change your password when you’re alerted that your information has been leaked in a breach. You can also use a service like Have I Been Pwned to check whether you have been part of one of the more well-known password dumps.
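For readers who want to check the quoted password itself rather than an email address, here is an added example (not part of the original post) of the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords range API: only the first five characters of the password's SHA-1 hash are sent, and the match is made locally. The function names, the sample password and the response body are constructed for illustration, and no network request is made.

```python
import hashlib

# Real endpoint, shown for reference only; this example never calls it.
# A client would request API_RANGE_URL + prefix and pass the body to breach_count().
API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Look for the local suffix in a 'SUFFIX:COUNT' response body.

    Returns how many times the password appeared in known dumps, or 0.
    Padding entries (count 0) and malformed lines are treated as no match.
    """
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0


def constructed_range_body(leaked: str, count: int, decoys: list) -> str:
    """Build a fake response body (constructed sample data, not real counts)."""
    lines = [f"{split_hash(word)[1]}:{n}" for word, n in decoys]
    lines.append(f"{split_hash(leaked)[1]}:{count}")
    lines.append("0" * 35 + ":0")  # padding-style entry with a zero count
    return "\r\n".join(sorted(lines))


# Constructed sample: pretend "hunter2" is the password quoted in the scam email.
SAMPLE_BODY = constructed_range_body(
    "hunter2", 17043, [("decoy-a", 3), ("decoy-b", 12)]
)

if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        hits = breach_count(pw, SAMPLE_BODY)
        print(f"prefix sent: {prefix}  seen in dumps: {hits}")
```

A non-zero count means the password is in circulation and should be retired everywhere it is used; a zero count only means it is not in the dumps the service has indexed.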
Continue reading about sextortion scams: https://www.eff.org/deeplinks/2018/07/sextortion-scam-what-do-if-you-get-latest-phishing-spam-demanding-bitcoin (Electronic Frontier Foundation)