So there is a new twist on an old email scam. But DON’T fall for it.
The old scam sent you an email claiming to have hacked your computer, threatening to expose you by posting compromising videos of you or a record of your activity on porn sites, and demanding money to protect your privacy, even if you had never visited a porn site in your life. Those scams have been (pardon the pun) exposed as fraud, and most people ignore them.
However, the scam has recently resurfaced with a troubling new element: it contains your real password (or at least an old one), which makes it far more believable and scary. The blackmail scheme is the same as before: send money via Bitcoin and you will not be exposed to all your friends and family. Unfortunately, because the email quotes a password you recognise, people are falling for it and handing over their hard-earned cash to prevent the blackmail (which, in most cases, isn't blackmail at all, because you haven't done anything risqué in the least).
How are they doing this? If the person emailing you isn’t legit, how did they get a correct password? I’ll explain.
Most reputable websites no longer store your password itself anywhere a hacker could read it. Instead they store a salted hash, a one-way scrambled version that lets the site check your login without keeping the password on file.
Unfortunately, some websites have been hacked in the past (Chipotle, Target, Hilton Hotels, Sony, etc.), and some still store passwords as plain text. Dumps from those breaches are bought and sold on the Internet's black market (called the Dark Net, very Darth Vaderish), and each record pairs a password with the email address it was registered under. Hence the scammer can send you an email quoting a password that matches one you use or have used in the past, often years ago on whichever site leaked it.
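To make that difference concrete, here is a small Python example, added for this post and not taken from any of the linked articles, that models two leaked user tables: one that stored passwords as plain text and one that stored salted PBKDF2 hashes. The email addresses, passwords and the short wordlist are all constructed, and the PBKDF2 work factor is an assumption. Against the plain-text table the scammer can quote every password straight away; against the hashed table they only get a verifier and have to guess, which still works for a weak password like "password1" but not for a stronger one.

```python
"""Plain-text password table vs. salted-hash table, from a scammer's point
of view.  Added example; every email, password and wordlist entry below is
constructed and does not come from any real breach."""

import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

PBKDF2_ROUNDS = 100_000  # assumption: a modest but realistic work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return what a careful site stores: algorithm, rounds, random salt and
    the PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed "breach dumps" for two hypothetical users.
PLAINTEXT_DUMP: Dict[str, str] = {
    "alice@example.com": "biCyCleRideR@55",  # the post's example, not a real password
    "bob@example.com": "password1",
}
HASHED_DUMP: Dict[str, str] = {
    email: hash_password(pw) for email, pw in PLAINTEXT_DUMP.items()
}

# Constructed wordlist of the kind scammers run against hashed dumps.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]


def scammer_lookup_plaintext(dump: Dict[str, str], email: str) -> Optional[str]:
    """From a plain-text dump the scammer can quote the password directly."""
    return dump.get(email)


def scammer_lookup_hashed(
    dump: Dict[str, str], email: str, wordlist: Iterable[str]
) -> Optional[str]:
    """From a hashed dump the scammer only holds a verifier.  The only way to
    turn it into a quotable password is to guess, so weak passwords still
    fall while a less predictable one survives this wordlist."""
    stored = dump.get(email)
    if stored is None:
        return None
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    for email in PLAINTEXT_DUMP:
        print(email)
        print("  plain-text dump gives:", scammer_lookup_plaintext(PLAINTEXT_DUMP, email))
        print("  hashed dump + wordlist gives:",
              scammer_lookup_hashed(HASHED_DUMP, email, COMMON_PASSWORDS))
```

The point of the hashed table is not that it makes the leaked data useless, only that it turns "read the password" into "guess the password", which is why a long, unusual password and a different one per site matter even when the site did everything right.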
But the email is still a scam. They are unable to carry through their threats, so don’t send them money!!!
Here is what you CAN do:
- If you are still using the password quoted in the email, go to every website where you still use it and change it immediately. Yes, I know this is a pain and takes time, but it is worth it: the scammer (and anyone else who bought the same dump) won't have the new password and therefore can't get into your accounts. Give each site its own password while you are at it, so the next leak from one site does not unlock the others. At the very least do this for websites that hold your financial information or credit cards, like banks or merchant sites.
- Report the email to your local police and the FTC. They won't investigate or prosecute, but the report creates a dated record that will help you IF you later become a victim of identity theft.
- Don't use that password again, anywhere. Once it is in a dump it stays in the lists that criminals try against other sites. Create a new, more complex password to use from now on. It should be long and contain at least one capital letter, one lowercase letter, one number, and (if the site allows it) one special character like # or ! or @ or %. Consider making it random-looking yet meaningful to you, like "biCyCleRideR@55" (no, that's not my password).
- For websites that offer it, enter or update the additional security questions (e.g. high school mascot, first car you owned, etc.), choosing answers that can't be looked up on your social media, and turn on two-step login: provide your cellphone number for text alerts and login codes, or, better still where the site supports it, an authenticator app.
Nothing is completely safe anymore, but if you are unsure whether something is an Internet scam, ask a techie friend or contact the police before you send off $4000 in Bitcoin. You'll never see that money again, and paying marks you as a soft target for more scammers. Don't do it.
Learn more at these links:
- Sextortion Scam Uses Recipient’s Hacked Passwords from Krebs on Security
- Smut Scam: Don’t fall for this ‘sextortion’ scam that will trick you into thinking you’ve been filmed watching porn from The Sun (UK)
- This sextortion scam uses your real passwords to deceive you from Neowin