I have your password, now give me money.By Bill Dunnion
From ransomeware, to viruses, to our favourite Nigerian Prince still looking for that business associate, the number of scams that pop up through people’s email is seemingly endless. So, of course, when scams start to become trendy, it’s always a good thing to shine a light on the bad guys to ensure people are not falling for their ever-evolving tricks.
Lately, the one that seems to be popping up is the “I have your password, now give me money” email. Usually, it comes in the form of an old password prominently displayed on the subject line. This is meant to garner one’s attention immediately—and rightfully so. Seeing your password on a subject line of an email would scare the most jaded of us on the best of days.
Following the prominently displayed password, comes the threat. Here is an excerpt of text from one of the many emails that are currently in circulation:
“I am well aware [REDACTED] is your pass words. Lets get right to point. Neither anyone has paid me to investigate you. You may not know me and you are probably thinking why you’re getting this e-mail?”
“I installed a software on the adult videos (pornographic material) web-site and do you know what, you visited this website to have fun (you know what i mean). While you were viewing videos, your web browser began working as a Remote Desktop that has a key-logger which gave me accessibility to your display and also cam. Just after that, my software gathered every one of your contacts from your Messenger, Facebook, as well as email. After that i created a double video. 1st part displays the video you were viewing (you’ve got a nice taste haha), and next part shows the recording of your cam, yeah its you.”
From here, the scammer usually asks for payment via Bitcoin to stop the circulation of the “video” content. And, unfortunately, this scam actually works. For so many, the shock of seeing their account information delivered to them via email, the confusion of how the information was obtained, and so on, leads to the rash decision of delivering payment.
This, however, is not what many think it is. What is happening is that account information has been obtained through a major breach from an otherwise reputable company—breaches that happen far more often than you think. For instance, in checking my own private email account it appears that my account information has been stolen from everywhere: from Facebook to LInkedIn, to Adobe, and more. These companies, like thousands of others, have been victims of data breaches where hundreds of thousand of accounts have been stolen and uploaded to the dark web. These accounts are then used as targets for these types of scams—tricking people into thinking that they have been compromised.
To shed light on this situation, here are two links you can visit. The first link is to our monthly Breach Report—the most recent showing the biggest data breach in history representing 50% of all US households. You can read it here: https://cyber.calian.com/project/the-breach-report-2/.
The second link is to a website called “Have i been pwned?” Here you will be able to enter your email address to see the sites from which your account information has been stolen. You can visit the site here: https://haveibeenpwned.com.
So, what do you do to avoid this type of cyber threat? First, this goes back to the age-old best practice of ensuring good password etiquette. Having strong passwords is a great start, but as mentioned that won’t help if your account is breached via a third party. Therefore, making sure your passwords are changed frequently will help immensely in ensuring that your accounts stay safe.
But there is more that you can do. Multi-factor authentication (MFA) can help mitigate risk of breaches by securing access to corporate networks, protecting the identities of users, and ensuring that a user is who he or she claims to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.
MFA can be achieved using a combination of the following factors:
- Something You Know – password or PIN
- Something You Have – token or smart card (two-factor authentication)
- Something You Are – biometrics, such as a fingerprint (three-factor authentication)
Because multi-factor authentication security requires multiple means of identification at login, it is widely recognized as the most secure method for authenticating access to data and applications.
And the moral to this particular story? We live in an age where cyber crime is to be expected, so don’t let the scammers intimidate you. And if you find yourself receiving any type of suspicious email, simply Google it—chances are you’ll get confirmation that it’s a scam almost immediately.
And, of course, be diligent. Creating a resilient environment that encompasses technologies like MFA, Cloud Access Security Broker (CASB), and more, will all help to strengthen the walls that keep the bad guys at bay.