The real purpose behind this message
The purpose of this newsletter is not really to make you discover what “Sextorsion” is. Rather, it is to convince you to never use the same password in more than one place. And maybe this story of misadventure will convince you of the merits of this advice.
Recently two of my clients each received a troubling email. A fraudster claimed to have in his possession compromising photos and videos of them viewing pornography. The fraudster threatened to send these photos to all their contacts unless they paid a ransom denominated in Bitcoin money. To make his threat even more credible, he showed them that he was in possession of one of their passwords. Oh no! How is it possible?
Sexual blackmail via e-mail has existed for a while unfortunately. But lately, this criminal tactic has taken another turn with the addition of a password that the victim would have used on a website.
What should you do?
First, do not answer the message. The fraudster does not know who the victim is and has no compromising videos or photos. But how could the fraudster get a password used by the victim? We regularly read news about companies being hacked and account information stolen. If you want to know if you have any compromised passwords, I will give you the address of a website that will tell you, a little further. I checked it. In my four email accounts, I have seven compromised passwords. Do you think I should be worried?
What’s the most important takeaway?
My seven compromised passwords are unique to those websites that have been hacked. I do not use them elsewhere. And these accounts do not include any important information that can help a fraudster steal my identity. Your date of birth and your social insurance number are even more important than your credit cards because they can allow a fraudster to steal your identity. As for credit cards and your banking information, you are protected against fraudulent transactions.
What’s the lesson?
As tedious as it may seem, never use the same password in more than one account. Write your passwords in a secret place. I know, so-called specialists say not to write passwords. Ignore them. They live in a fantasy world. This is real life. Passwords do not have to be super complicated. Just show a little imagination and sense of humor. Here are some examples: for a pizza account: Miummitsgood! 1. An account linked to a seller: Givemeagooddeal1! For your phone account: Ringringyeshello?!12.
Do not give your real date of birth to those who request it, other than governments and financial institutions. You only have to change the day and month of your birth, not the the year, to deceive fraudsters. But take note of the little lie in your little secret book. For example, I use this fake date of birth: 1967-01-01.
When checking the website for compromised passwords below, if you discover that you in fact have one or several compromised passwords that you still use, take a breath and prepare a plan. List the accounts where this password is used and change them one by one.
In this case the victims got a good scare but no harm came to them. But, it could have been otherwise. A more determined hacker could still engage in identity theft. Do not be easy prey by using the same passwords.
See if you have compromised passwords here: https://haveibeenpwned.com/
Sextortion Scam Uses Recipient’s Hacked Passwords, from the Krebs on Security website: https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/