Recently, there’s been a wave of spam emails that claim to have some dirt on you. They’ll threaten to release the data if you don’t pay up. To seal the deal, they’ll also post your email’s username and password to “prove” that they have access to your computer.
While this attack is very scary, you shouldn’t obey anything the scammers tell you. They don’t actually have any dirt on you, and they’re relying on the scare factor to get you to pay them what they want.
The Average Scam Layout
Typically, these emails lead in with a claim that the scammer has been recording you for the past few days. They’ll say that they’ve been recording your webcam feed and browsing history for the past few days. They go on to claim that they caught you performing some dirty activities and that it’d be very damaging for you if the information was leaked out.
They’ll then ask for a sum of money, paid via Bitcoin. The scam goes on to claim that the agent has software installed on your PC that detects when the email was opened and that you have a certain amount of days after opening it to deliver the money, else the hacker will release the data.
This sounds very scary, and it’s a nasty financial hit for the people who fall for it. Of course, there is no dirty data on you, and the scammer is making all of this up. If this is true, however, then how can the scammer reveal the username and password for your email address?
Faking the Scam
Getting the Details
While the scammers don’t do any hacking themselves, they do depend on someone else who has hacked in the past!
You may have heard about website database leaks that have occurred around the Internet. This is when websites are breached and hackers gain access to the user database, full of usernames and passwords. Sometimes these details will contain the user’s email address. Sometimes the username is the email address! Either way, the leak will give the scammer two things; an email address and a password.
Using the Details
Of course, this password may not strictly be the same one that the victim actually uses for their email address. The scammer has to take a gamble and consider the fact that users typically reuse the same password over all their accounts.
They then take the email address and the password from the data leak and send an email to that address claiming they have the victim’s login details, revealing the password they got from the leak as “proof.”
Of course, if you have different passwords for each site, you’ll be able to see through this scam easily. You may even be able to tell what site the scammer got the password from. If you use the same password for every website, however, this scam can cause a real scare!
What to Do Next
If this does happen to you, delete the email and change your email’s password immediately! It means your login details are currently out on the Internet for all to see, so it’s only a matter of time before an actual hacker gains access to your account.
You can check which of your accounts have been leaked on Have I Been Pwned? This site is dedicated to collecting database leaks and informing victims when their details are compromised. You can enter your details into this site and see if you’ve been hit. You can also sign up for automatic alerts as soon as your details are hit.
Evil Emails
While Bitcoin blackmail emails are very scary, rest assured that the scammer holds no embarrassing data on you. They do, however, have your email address and password; if they managed to “guess” your login credentials correctly, it’s time to change your passwords, and probably use a password manager, too.
How good are your password habits? Let us know below.
Simon Batt is a Computer Science graduate with a passion for cybersecurity.
Our latest tutorials delivered straight to your inbox
