“I can’t believe I fell for this. I feel so stupid. Any way to get my money back?” That’s how the email starts. Some poor guy has fallen for the “caught you watching porn” scam. I replied with some suggestions, thinking nothing more of it. Then another email arrived in the same vein. Then another.
This isn’t normal, so why are people falling for this email scam? Time to investigate:
Not the usual Phishing Email
If you have email, you get spam. Simple as that. Amongst the spam, odds are pretty good that you have received emails warning you that your bank account is about to be suspended, or your PayPal has been hacked, or your Gmail needs you to re-login. In each of these types of emails, you have to click on a link to prevent that action from happening. If you do click on the link, you will see a website that looks identical to the one you are used to, in the hope that you will enter your username and password. Of course, these are fake and you have handed over your info.
Fortunately, our anti-virus has become much smarter at detecting these dodgy links and prevents our web browser from even reaching those websites.
However, recently there has been a new type of email which doesn’t contain any links or images or dodgy attachments, and therefore it doesn’t trigger the typical anti-virus/spam filters. Since it lands in our inbox, many people are falling for it.
The email is a variation of this email:
Why does this work?
There are several factors that make this scam work:
- The email is sent from your own email address. This is used as “proof” that they hacked your account. In reality, this is very simple to do and requires zero hacking skills: the “From” address on an email is just a field the sender fills in, and nothing forces it to be real.
- They show you a password. In my case, I have no idea where they got that password from as it was never my password. However, there are literally millions of email addresses and passwords available for sale, and since most people don’t change their passwords often, this is a good scare.
- They go into some technical jargon about how they have malware or a trojan or a virus (or all three) on your computer/router, so even if you change the password now they will still get the new one. While there is some truth to that in technical terms, the odds of this actually happening are slim.
- The blackmail/shame technique has been used forever. They assume that you have been watching some online adult sites, and since your laptop has a front-facing camera, they simply merge the two together and claim to have “dirt” on you. RATs (remote access trojans) are a real thing – this is where someone can remotely activate your computer’s camera. So technically this could be done, but in this scam, the odds are slim.
- The payment amount varies from email to email. I have had it as low as $200 and as high as $1000. Usually, the price is around $700 for their silence, and the fact that you need to pay within 48 hours creates time pressure to decide whether to pay or not.
- They use bitcoin and are smart enough not to link to instructions on how to make a bitcoin payment; instead they tell you to look it up yourself. So not only is there no link to trigger the anti-spam filter, but once you are actively searching for “how to make a bitcoin payment” you are already convincing yourself that you need to pay.
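The “sent from your own address” trick above can be checked rather than believed. Receiving mail servers record the outcome of sender checks (SPF, DKIM, DMARC) in an Authentication-Results header; a mail whose From line is your own address but which fails those checks was forged. The following is an added example (not code from this post) that parses a constructed sample message and lists the tell-tale signs of this scam, including the absence of links that lets it slip past link-scanning filters. The header values, addresses and domains in the sample are invented for the example.

```python
"""Added example: flag a self-addressed extortion mail from its headers and body.

The From: header is chosen freely by the sender, so it matching your own
address proves nothing. Receiving servers add an Authentication-Results
header with spf/dkim/dmarc verdicts; a self-addressed mail that fails them
is forged. All sample data below is constructed for this example.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample shaped like the scam: own address in From:, a "known"
# password, a bitcoin demand with a deadline, and no links at all.
SAMPLE_SCAM = """\
Return-Path: <bounce@mailer-7.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-7.invalid; dkim=none; dmarc=fail header.from=example.com
From: alice@example.com
To: alice@example.com
Subject: alice@example.com has been hacked

I know your password is hunter2. I installed a trojan on your router and
recorded you through your camera. Send $700 in bitcoin within 48 hours or
the video goes to all your contacts.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg: Message) -> dict:
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            results[mech.lower()] = verdict.lower()
    return results


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts (a non-multipart mail is one part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")


def extortion_indicators(raw: str, my_address: str) -> list:
    """Return human-readable reasons the mail looks like the self-addressed scam.

    An empty list means none of the scam's traits were found.
    """
    msg = message_from_string(raw)
    body = plain_text(msg).lower()
    reasons = []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender == my_address.lower():
        auth = auth_results(msg)
        if not auth:
            reasons.append("From: is your own address but no Authentication-Results "
                           "header is present, so the sender cannot be verified")
        else:
            failed = [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                      if auth.get(m) != "pass"]
            if failed:
                reasons.append("From: is your own address but sender authentication "
                               "failed (" + ", ".join(failed) + "), i.e. the sender is forged")

    if "bitcoin" in body and re.search(r"\b\d+\s*hours?\b", body):
        reasons.append("demands bitcoin with a deadline in hours")
    if "password" in body:
        reasons.append("claims to know one of your passwords")
    # Only worth noting once other traits are present; plenty of honest mail has no links.
    if reasons and not re.search(r"https?://", body):
        reasons.append("contains no links, which is why URL-scanning filters let it through")
    return reasons


if __name__ == "__main__":
    for reason in extortion_indicators(SAMPLE_SCAM, "alice@example.com"):
        print("-", reason)
```

Mail clients hide Authentication-Results by default; “show original” or “view headers” reveals it, and a `dmarc=fail` on a mail that claims to come from you is the end of the “proof”.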
What can you do to protect yourself online?
There are a couple of steps you can take to protect yourself and secure your username and password:
- Head over to HaveIBeenPwned.com – this is a website that looks up your email address in lists of known data leaks. Collection #1 is the most recent data leak, with over 773 million email addresses and passwords. If your email address is on that list, then you need to change your password ASAP.
- Don’t use the same password for everything. I know it’s tempting to remember just one password, but if your password is leaked then not only is that one system compromised, every website you log into with the same password is too.
- Sites like Facebook, Gmail, Twitter and more have a feature called 2-factor authentication. When you try to log in, it will send a random passcode to your phone after you put in your username and password. Yes, it’s one extra step, but it makes it that much harder for someone to steal your info.
- A good password trick is to use a phrase, like “IGoToTheShopOnJan1st”. Something like “TheBlueFridgeDoesntscream5!” is even better, as it is random words spliced together, which makes it much harder for brute-force attacks to succeed.
- Too difficult to remember these? Then use a password manager that keeps your passwords and logs you into the websites when you need to log in.
- Low tech but highly effective – cover your webcam with a small piece of paper and tape!
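The HaveIBeenPwned step above checks your email address; the same service also lets you check a password against its breach lists without ever sending the password. The added example below (not code from this post) does that with the Pwned Passwords range API, which I assume at https://api.pwnedpasswords.com/range/<prefix>: you hash the password with SHA-1, send only the first five hex characters, and compare the returned “suffix:count” lines locally. The sample response embedded here is constructed, with invented counts, so the matching logic runs offline; the live lookup is behind `__main__`.

```python
"""Added example: k-anonymity breach check of a password (Pwned Passwords style).

Assumes the public range endpoint https://api.pwnedpasswords.com/range/<prefix>,
which returns lines of "<35-char SHA-1 suffix>:<count>". Only the 5-char
prefix leaves the machine; the suffix comparison happens locally.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_text: str) -> int:
    """Find the suffix in a range response for its prefix; 0 means not in the list."""
    for line in range_text.splitlines():
        if ":" not in line:
            continue
        found, count = line.strip().split(":", 1)
        if found.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup over the network. Only the hash prefix is transmitted."""
    with urllib.request.urlopen(API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str) -> int:
    """Number of times the password appears in known breaches (requires network)."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))


# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The other suffixes and every count are invented for this example.
SAMPLE_RANGE = """\
1E2DC7A2E78B3F32F0A6B8A1C2D3E4F5A6B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5F0A1B2C3D4E5F60718293A4B5C6D7E8F:1
"""


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    for pw in ("password", "TheBlueFridgeDoesntscream5!"):
        prefix, suffix = split_hash(pw)
        print(pw, "->", breach_count(suffix, SAMPLE_RANGE), "hits in sample range")
    # Live check of a deliberately weak password; skipped quietly without network.
    try:
        print("live count for 'password':", check_password("password"))
    except OSError as exc:
        print("live lookup skipped:", exc)
```

A non-zero count means the password is in circulation and should be retired everywhere it is used; a zero only says it is not in this list, not that it is strong, which is where the passphrase advice and a password manager come in.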
PS. While on the topic of scams – make sure you don’t fall for these PayPal scams!