Scam Alert: "I know your password!!!" email

The "I know your password" email is one of the many scam emails spreading right now. This one stands out because it tries to extort and threaten the victim unless they give in to its demands. In this article we discuss some tips on how to deal with this security threat.

Photo by Emer


Currently, there is an email circulating around the internet demanding that the recipient pay in bitcoin or else the sender will expose the likely victim's private behaviour online. Some excerpts from the email can be found below. (The email text may vary depending on who sent it.)


“I know, #supersecret, is your password.
I require your complete attention for the up coming 24 hours, or I will certainly make sure you that you live out of guilt for the rest of your existence.”

“Hello, you do not know me. However I know all the things about you. Your fb contact list, mobile phone contacts as well as all the digital activity in your computer from previous 183 days.”

“Well the last time you visited the **** mature webpages, my malware ended up being triggered inside your computer system which ended up shooting a eye-catching footage of your..”

“I have got the whole recording. Just in case you think I am fooling around, just reply proof and I will be forwarding the recording randomly to 7 people you recognize.”

“I want to make you a 1 time, non-negotiable offer.
Get USD 2000 in bitcoin and send them on the down below address:”


If you’re one of the people who unluckily received this kind of email, we have good news and bad news for you.

The good news is that this is just another email scam: it surfaced around two years ago and is now finding its way back into circulation. When you receive this email, don't panic; we will give you tips and tricks on how to resolve this.

The bad news is that if you currently use the password they stated, there is a high chance they can breach your account, so read on and we will tell you what to do to secure your accounts online.


How can a scammer get your password?

There are a lot of ways a scammer can get hold of your password. Below are some of the usual scenarios:

  1. Probing your social media accounts such as Facebook, Twitter, Instagram, etc.  Scammers are very creative people.  They can think of a lot of ways to work around security.  One technique they use is to probe your social media accounts for personal information and public posts, so if you use your birthdate or your pet's name as your password, there is a high chance they will be able to break into your online accounts.
     
  2. They can also use a method called phishing, wherein they send you an email with a link to a site asking you to reset your password.  If you click on the link and enter your password, they will instantly get that information from you.
     
  3. There is also what IT security calls social engineering, wherein the scammer calls or sends an SMS to your mobile phone stating that a relative has an emergency and asking you for your credit card PIN and the like.  There are many ways to do this and we will discuss them in a future post.
     
  4. Data breaches. This is probably the easiest way to get your security information.  They only need to look for data breach dumps around the web.

    Every year, several giant websites suffer data breaches and, as a result, billions of email address and password records have been exposed to the public.  A few examples:

    Around 2008, Myspace suffered a data breach exposing around 360 million accounts. It was only discovered in 2016, when the data was sold on the dark web, 8 years after the breach had happened.  The information contained usernames, email addresses and passwords (first 10 characters only).  If the email you received shows the first 10 characters of your password and you had a Myspace account during that time, then that is most likely where the scammer got your password.

    In 2012, the website LinkedIn was hacked, exposing 164 million email addresses and passwords.  It was only in May 2016 that the data was published, when it was put up for sale on the dark web.

    In October 2017, Disqus, a blog commenting service, announced that it had been breached, exposing around 17.5 million email addresses and usernames.

    Adobe also suffered a data breach in October 2013, exposing around 153 million usernames, passwords, email addresses and plain-text password hints, making it easier for hackers to crack the passwords.

    At the time of writing, approximately 9,620,883,035 accounts have been exposed.
     

As you can see, even the biggest companies are susceptible to attacks like these, even though they have the means and budget to secure their infrastructure.

If you would like to find out whether your email account has been exposed in a data breach, visit https://haveibeenpwned.com/ . Don't worry, this is a legitimate website developed by Troy Hunt, one of the most well-known IT security experts from Microsoft.
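The same site also lets you check whether a password itself has appeared in a breach dump, and it does so without your password ever leaving your machine: only the first five hex characters of the password's SHA-1 hash are sent, and the server answers with every hash suffix it knows for that prefix. The script below is an added example written for this article (not code from the original post or from haveibeenpwned.com); it implements that lookup and parses the reply. The sample response, its suffixes and its counts are constructed for the offline demo, except that the second suffix is the real remainder of SHA-1("password"); the `fetch_range` function is the only part that needs network access.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Added example: check a password against the Pwned Passwords corpus using
# the k-anonymity "range" endpoint. Nothing but a 5-character hash prefix
# is ever transmitted, so the check reveals neither the password nor its hash.

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (first 5, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # tolerate a malformed line instead of aborting the whole check
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the corpus (0 if never seen)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Download the range for a 5-character prefix (requires network access)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "password-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full online check: send only the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample reply for prefix 5BAA6 (the prefix of SHA-1("password")).
# Suffixes and counts are made up for the demo, except the second suffix,
# which is the real remainder of SHA-1("password").
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AADEF1C4A8D9C0BB4C5A1C7E03:1
"""

if __name__ == "__main__":
    for pw in ("password", "#supersecret"):
        n = breach_count(pw, SAMPLE_RANGE_BODY)
        print(f"{pw!r}: seen {n} times in the sample range")
```

Any non-zero count means the password is in circulation and should be retired regardless of who "knows" it; a zero only tells you that this particular corpus has not seen it yet.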


What should you do if you receive ‘I know your password’ emails?

  1. Change your password immediately.
    Go to every website where you have an account and change your password immediately.  Remember not to use a simple word or anything relatable to you.  We recommend a combination of alphanumeric characters to make it difficult to crack.  Scammers send these emails in large numbers, probably thousands or millions, so there is a low probability that they have already accessed your account. Hence, you still have time to secure it.
     
  2. Do not click on any links in the email.
    Do not click on any of the provided links: they could have attached a script to the link that notifies them that your email address is still active. If they know the address is actively being used, they could isolate and target your email specifically.
     
  3. Delete the email.
    If you have done the first two items above, then you are relatively safer than you were before.  You can now delete the email.

    (NOTE: If you live in the United States, before deleting the email you have the option to forward it to the FTC to file a complaint. The link is provided below.)

    Go to this site to file your complaint: www.FTC.gov/Complaint.
     
  4. Ignore but be vigilant.
    While you can start ignoring messages like these, we advise that you remain vigilant, as hackers can find other ways to retrieve personal security information. When online, stay on guard for malware posing as something that is safe to use.  Take, for example, when you go to a website: the site might tell you that it has detected a virus on your machine and that you should allow it to scan for security, but before you can do that you must download its software and run it under an administrator profile.  Do not fall into this trap. This is likely malicious software that needs administrative access to your computer in order to install more viruses or keyloggers on your machine.  Only install antivirus software from legitimate websites that you trust.
     
  5. Don’t be scared. Fear makes us vulnerable.
    As you will have noticed in the email excerpts above, scammers try to instil fear in you immediately so that you give in to their demands. Do not be scared.  Just follow the tips we have given you to secure your accounts and you should be alright.
     
  6. Don’t give in to their demands.
    If you give in to their demands, then you have already been scammed.  People like these earn their living by blackmailing and extorting money from their victims. If you keep feeding them, they will continue to prey on you or, worse, use the resources you've provided to improve their 'craft'.
     
  7. Install antivirus/anti-malware software on your machine.
    Install antivirus/anti-malware software on all your machines. This software should come from legitimate security companies.  Some of them offer free trials, but if you want to feel secure you should take up their premium offers, since those give you extra features for added security.
     
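The first item above says to pick a password that is neither simple nor relatable to you, and the next section repeats the advice to avoid pet names, birthdays and anything visible on social media. The following added example (written for this article, not code from the original post) turns that advice into two functions: one generates a random password from the system's cryptographic random source, and one rejects a candidate that is too short, has too small a character pool, or contains any of a set of personal tokens (names and the birthdate in several common layouts), including simple digit-for-letter substitutions. The pet name and date in the demo are constructed, and the bit estimate is a crude upper bound based only on the character classes used.

```python
import math
import re
import secrets
import string
from datetime import date
from typing import Iterable, List, Set

# Added example: generating a strong password and screening a user-chosen one
# against personal information of the kind a scammer can read off social media.

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
MIN_LENGTH = 12
MIN_BITS = 60.0


def generate_password(length: int = 16) -> str:
    """Random password from ALPHABET using the OS cryptographic RNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_bits(password: str) -> float:
    """Crude upper bound: length times log2 of the pool of character classes used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 32
    return len(password) * math.log2(pool) if pool else 0.0


def personal_tokens(names: Iterable[str], birthdate: date) -> Set[str]:
    """Lower-case fragments that should never appear inside a password."""
    tokens = {n.lower() for n in names if len(n) >= 3}
    for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
        tokens.add(birthdate.strftime(fmt))
    return tokens


_LEET = str.maketrans("0134@$", "oleaas")  # undo common substitutions before matching


def check_password(password: str, tokens: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the password passed."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_bits(password) < MIN_BITS:
        problems.append("too predictable (small character pool or too short)")
    lowered = password.lower()
    unleeted = lowered.translate(_LEET)
    for token in sorted(tokens):
        if token in lowered or token in unleeted:
            problems.append(f"contains personal information '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed personal details for the demo.
    tokens = personal_tokens(["Fluffy", "Alex"], date(2008, 5, 17))
    for candidate in ("Fluffy2008!", "Flu44y17052008", generate_password(20)):
        result = check_password(candidate, tokens)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

A password manager such as the one mentioned later in this article does the generation step for you; the screening step is what you would apply to any password you still choose by hand.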

What can you do to make yourself safer online in the future?

  1. Change your passwords regularly (a good rule of thumb is to do this every month).  As you will have noticed from the examples above, data breaches happen frequently.  If you change your passwords regularly, chances are hackers will only get your old passwords.
     
  2. Use strong, hard-to-guess passwords. Do not use words that are relevant to you, such as names of pets, birthdays, or your spouse's and/or children's names. Basically, if the information can be obtained by browsing your social media, don't use it as a password.
     
  3. Use two-factor authentication if the website you have an account on offers this feature.  Two-factor authentication is an authentication method in which you must pass a two-step verification before being given access to a resource.  For example: when you log in to a website, you will be asked for your username and password, and upon successful verification of those you will also need to input the PIN sent to the mobile number registered on their service before you can access your account.
     
  4. If you always forget your password and you use Yahoo! Mail, you can use their Account Key feature as an alternative.  Instead of providing your password to access your email, all you need is your mobile phone, which they use to authenticate you with their service. For this to work, you have to register your mobile on your Yahoo! account and enable the Account Key feature.
     
  5. Use 1Password.com or another service of the same kind; as the name implies, you just need 2 things, your password and your mobile, for two-factor authentication.  These services are useful if you have subscriptions on multiple websites, which makes password management a difficult task.  1Password.com is a security service in which you only need to remember one password, and they manage your passwords for the different websites for you; they can even help you generate a hard-to-crack password.  Go to https://www.1Password.com if you need more information about their service.
     
  6. Refrain from sharing too much personal information on the internet. Your real name, email address, credit card numbers, birthdate, IDs, phone number, home address, relationships with other people, etc. can be used by hackers and scammers in their social engineering attacks.
     
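Item 3 above describes the two-step login: password first, then a PIN delivered to the registered mobile number. The added example below (written for this article; it is not code from the original post or from any particular website) shows the server side of that flow with the properties that make the second step worth having: the PIN is random, stored only as a hash, expires after a few minutes, allows a small number of attempts, and is single-use. The SMS delivery is a hypothetical callback so the demo runs offline, and the user record is constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example: server-side logic for a password + SMS PIN login. The
# delivery channel is a hypothetical callback (send_sms); any real deployment
# would plug in its SMS provider there.

PIN_TTL_SECONDS = 300
MAX_PIN_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store passwords as salted PBKDF2-HMAC-SHA256, encoded as 'salt$hash' hex."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def _pin_digest(pin: str) -> bytes:
    return hashlib.sha256(pin.encode("utf-8")).digest()


@dataclass
class PendingPin:
    pin_hash: bytes
    expires_at: float
    attempts_left: int = MAX_PIN_ATTEMPTS


class TwoFactorLogin:
    def __init__(self, users: Dict[str, Dict[str, str]],
                 send_sms: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self.users = users          # username -> {"password_hash": ..., "mobile": ...}
        self.send_sms = send_sms    # hypothetical delivery hook (mobile, message)
        self.now = now              # injectable clock so expiry can be tested
        self.pending: Dict[str, PendingPin] = {}

    def step1_password(self, username: str, password: str) -> bool:
        """Step 1: check the password; on success issue and send a fresh PIN."""
        record = self.users.get(username)
        if record is None or not verify_password(password, record["password_hash"]):
            return False
        pin = f"{secrets.randbelow(10 ** 6):06d}"      # 6 random digits, leading zeros kept
        self.pending[username] = PendingPin(_pin_digest(pin), self.now() + PIN_TTL_SECONDS)
        self.send_sms(record["mobile"], f"Your login PIN is {pin}")
        return True

    def step2_pin(self, username: str, pin: str) -> bool:
        """Step 2: verify the PIN; it is single-use, time-limited and attempt-limited."""
        pending = self.pending.get(username)
        if pending is None:
            return False
        if self.now() > pending.expires_at:
            del self.pending[username]
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(_pin_digest(pin), pending.pin_hash)
        if ok or pending.attempts_left <= 0:
            del self.pending[username]          # consumed, or locked out after too many tries
        return ok


if __name__ == "__main__":
    outbox = []                                  # stands in for the SMS network
    users = {"alice": {"password_hash": hash_password("correct horse"), "mobile": "+1-555-0100"}}
    login = TwoFactorLogin(users, lambda mobile, msg: outbox.append((mobile, msg)))
    print("password step:", login.step1_password("alice", "correct horse"))
    pin = outbox[-1][1].split()[-1]
    print("pin step:", login.step2_pin("alice", pin))
    print("replaying the same pin:", login.step2_pin("alice", pin))
```

Because the PIN is never stored in clear text and is discarded after one use or a few failed tries, an attacker who has the password from a breach dump still cannot finish the login without the phone.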

Technology has come a long way and we have benefited a lot from it, but it has downsides in that it can be exploited by dubious people.  We always have to be careful and keep security in mind when we are connected to the internet, to avoid being victimised by hackers, scammers and the like.


Useful links and references

https://www.consumer.ftc.gov/blog/2020/04/scam-emails-demand-bitcoin-threaten-blackmail

https://1password.com/

https://haveibeenpwned.com/

https://www.reddit.com/r/privacy/comments/8zem2h/new_scam_email_with_real_password_im_aware_xxxx/
