SCAM ALERT - An Old Scam with a New Twist

(Classified under: Security)

Posted on 25 October 2018

Over the last week or so, a number of our clients have reported receiving emails from someone claiming to have hacked their email account.

The emails appear to have been sent from the same email account on which the message was received, and in each case, the supposed hacker has included a password that the client has recognised.

Furthermore, the emails claim that the recipient's computer has been infected with a virus or malware, and that embarrassing webcam footage of the person has been collected... The sender then threatens to send this footage to everyone on the person's email contact list if a sum of money is not paid into a Bitcoin wallet within a particular timeframe.

Please be reassured that these emails are a scam. The best thing you can do if you receive one of these messages is to simply delete it.

Here are some important facts about the content of these messages:

  • Most importantly, your email account has not been compromised - the sender is simply pretending that the email was sent from your email account. This is called "email spoofing" - it's very common and sadly it's also very easy to do if you know how and are so inclined.
  • The password they include is most likely a password you used in the past on a major website or service that has previously reported data breaches, possibly one of: Facebook, eBay, Adobe, Skype and LinkedIn, just to name a few.
  • The passwords included in the latest batch of scam emails appear to be very old. However, if you are still using the same password that is mentioned (or a variant thereof), please change the password to that account immediately.
  • The text of the email is designed to make you doubt your online security and to try to scare and/or guilt you into paying the scammer. Do not attempt to contact the scammer, and please do NOT pay them.
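For those comfortable inspecting a message's raw source, the spoofing described above leaves traces in the headers. The following Python example is added here and is not part of the original post; it flags a message whose From and To addresses match while the receiving server's sender checks failed. The sample message, its addresses and the phrase list are constructed for illustration, and the code assumes the Authentication-Results header was added by your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real email): From and To are the same address and
# the receiving server recorded failed SPF and DMARC checks for the sender.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.example.org;
 dkim=none; dmarc=fail header.from=example.com
From: "You" <jane@example.com>
To: jane@example.com
Subject: Your account has been hacked

I have footage of you. Pay into my Bitcoin wallet within 48 hours.
"""

# Wording of the scam as described in the article (assumed, illustrative list).
PHRASES = ("bitcoin", "webcam", "footage", "hacked")


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts; the first (topmost) header wins."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results


def assess(raw):
    """Report the signs that a 'sent from your own account' email is spoofed."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    auth = auth_results(msg)
    # Decode every non-container part so encoded bodies are searched too.
    parts = [(p.get_payload(decode=True) or b"").decode("utf-8", "replace")
             for p in msg.walk() if not p.is_multipart()]
    text = (msg.get("Subject", "") + " " + " ".join(parts)).lower()
    return {
        "self_addressed": bool(sender) and sender == recipient,
        "auth_failed": [m for m, v in auth.items() if v in ("fail", "softfail")],
        "scam_phrases": [p for p in PHRASES if p in text],
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

A message that is self-addressed and has failed checks did not come from your mailbox, whatever the From line says.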

Here are a few things that you can do to protect yourself from scams like this:

  • Regularly change your passwords. Passwords are like toothbrushes - never share them with anyone and change them at least every six months!
  • Never re-use passwords across different websites. Rather:
  • Use a Password Generator to create individual complex passwords for each website or email account you use, then:
  • Store your unique complex passwords in a Password Manager such as 1Password for Business. 1Password is used by over 32,000 businesses world-wide and will securely keep track of your passwords for you and securely synchronise them across the various devices you use;
  • Where possible, enable Two-Factor Authentication for any website you use that offers this feature;
  • Ensure your computer's security software allows you to control when your webcam is operational. If you are particularly security conscious, cover your webcam with a sticky note (if your webcam is in-built) or physically disconnect the device (if you use an external webcam) when it is not (supposedly) in use.

If you want to see if a particular email address is known to have been compromised, the data breach search website can be used to do so safely. This site is run by Troy Hunt, an Australian web security expert known for public education and outreach on security topics.

If you're looking to secure your family's passwords, check out 1Password Families...

Disclosure: Cornerstone Web Solutions Pty Ltd is a referral partner for 1Password.

NB: Information presented here is general in nature, does not take into account your particular situation and should not be used in place of professional IT consultation.