
Malicious Emails - Important Advice

‘I've received an email that contains my password, and it's asking me to send money. What should I do?’

A new type of scam email has become prevalent recently, and it can be quite alarming if you're on the receiving end of it. It will contain a password that you either currently use or have used in the past, and the email will usually try to scare you into sending money to the scammer.

Typically, the email will tell you that they have hacked your device and have a compromising video of you that they will send to your contacts if you don't send them money, usually via bitcoin.

It's important not to panic if you receive one of these emails. They usually contain a tight deadline in order to force you to act quickly.

How did they get my password?

When you see your password in the email, your first reaction is that you must have been hacked in some way.

However, the way that the scammers obtain your email address and password is far less sophisticated than you might suspect. Unfortunately, there have been (and always will be) multiple occasions where criminals have extracted data from sources such as online forums, online stores and even banks.

In some of these breaches, usernames and passwords have been compromised and made publicly available for scammers to use.

You can find out if any of your data has ever been compromised by entering your email address at a website called Have I Been Pwned.

It's worth noting that you'll need to check all of the email addresses that you use to sign up for various accounts online.

Scammers will then use the email address and password combinations that were obtained during the data breach to send a wave of spam emails. Therefore, the password you see in the email might be a password you have since changed - they only have access to the data that was available at the time of the breach. If you have since changed your password, their data is effectively worthless.

If the password in the email is one you currently use for anything, we advise you to do the following immediately:

  1. Change your password.

  2. Run a virus and malware scan on your devices.

  3. Do not reply to the email; just ignore it.

These malicious emails are sent out to thousands of email addresses in the hope that the recipient will either respond or send the ransom. If you respond, you'll likely receive further communication to try to persuade you to send money. It's always worth changing your passwords and virus/malware scanning your devices if you suspect you have been compromised in any way, but there's no need to do anything else at this stage.

What can I do to protect myself in the future?

There's nothing you can do to prevent your data being compromised in a third-party breach, but you can take the following steps to protect yourself if it does happen.

  • Use two-factor authentication where possible.

  • Do not re-use passwords for multiple accounts - try to use a different password for every single login you use.

  • Strong passwords. Use all the characters available - lowercase letters, uppercase letters, numbers and special characters.

  • Passwords that are not easy to guess. Pa55word! uses all the characters available but is still very easy to guess.

  • Do not store your passwords in plain text.

  • Use a password manager if you can. A password manager can securely store your usernames and passwords for all the services you use that require a login. You just need to remember one password to access the password manager, which makes it easier to use much stronger passwords that you never have to remember. LastPass and KeePass are both free and commonly used managers, but there are other solutions that you can use too.

  • Change your passwords on a regular basis. This will ensure that if your username and password are compromised, they can't be used for very long.
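To illustrate the point above that Pa55word! uses all the characters available but is still very easy to guess, here is an added example (not part of the original article) that checks a password for character variety and then for a common word hidden behind look-alike substitutions. The word list, the substitution table and the function names are assumptions made for this sketch; a real check would use a much larger list of common and breached passwords.

```python
import string

# Constructed sample list for illustration only.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "dragon"}

# Look-alike characters mapped back to the letter they usually stand for.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def uses_all_character_types(password):
    """True if lowercase, uppercase, digits and special characters all appear."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def guessable_base_word(password):
    """Return the common word the password is built on, or None."""
    # People usually bolt digits and symbols onto the end of a word,
    # so test the password both as typed and with that tail removed.
    core = password.rstrip(string.digits + string.punctuation)
    for candidate in (password, core):
        undone = candidate.lower().translate(LOOKALIKES)
        letters = "".join(c for c in undone if c.isalpha())
        if letters in COMMON_WORDS:
            return letters
    return None


def assess(password):
    """Summarise both checks as a short verdict string."""
    base = guessable_base_word(password)
    if base is not None:
        return "easy to guess: built on '%s'" % base
    if not uses_all_character_types(password):
        return "weak: does not use all character types"
    return "no obvious problem found"


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("Pa55word!", "Welcome2024!", "tV9#qLm2$Rx8"):
        print(sample, "->", assess(sample))
```

Passing this check does not make a password strong; it only shows why meeting the character rules is not enough on its own.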

If you follow the above actions, it will go a long way towards preventing these criminals' activities from affecting you and your business.

Contact Swan Solutions for more information at sales@swan-solutions.com
