Extortion/Blackmail EMails

The email claims to have compromising images of the recipient and goes on to ask for payment in order to stop the images being released publicly. Attempting to manipulate victims by claiming to have compromising images of them is known as sextortion, and its been used for years. What makes this latest scam different is that it’s added something extra: it contains a real password used by the victim. This instills an immediate sense of fear and panic on the user in the hope that they do panic and pay up. In fact what has gone on here is really simple. The persons email address and password pair where obtained from a list floating out there on the net, in turn gained from a website or service that was breached in the past. There is a website you can visit  https://www.haveibeenpwned.com where you can enter an email address to see if it appeared on any breached sites in the past. To be honest you would be lucky not to appear on at least one list, as it contains over 711 million email addresses and password pairs. So although it appears they have your password what they actually have is an old password. That is of course unless you have not changed it...


Best practices to help protect yourself from online fraud


  • Never reply to e-mail messages that request your personal information.  Be very suspicious of any e-mail message from a business or person who asks for your personal information — or one that sends you personal information and asks you to update or confirm it. Instead, use the phone number from one of your statements to call the business. Do not call a number listed in the e-mail message. Similarly, never volunteer any personal information to someone who places an unsolicited call to you.

  • Don't click links in suspicious e-mail . Don't click a link in a suspicious message. The link might not be trustworthy. Instead, visit Web sites by typing their URL into your browser or by using your favorites link. Do not copy and paste links from messages into your browser.

  • Don't send personal information in regular e-mail messages.b     Regular e-mail messages are not encrypted and are like sending a post card. If you must use e-mail messages for personal transactions, use Outlook to digitally sign and encrypt messages by using S/MIME security. MSN, Microsoft Hotmail, Microsoft Outlook Express, Microsoft Office Outlook Web Access, Lotus Notes, Netscape, and Eudora all support S/MIME security.

  • Do business only with companies that you know and trust     Use well-known, established companies with a reputation for quality service. A business Web site should always have a privacy statement that specifically states that the business won't pass your name and information to other people.

  • Make sure the Web site uses encryption. The Web address should be preceded by https:// instead of the usual http:// in the browser's Address bar. Also, double-click the lock icon  on your browser's status bar to display the digital certificate for the site. The name that follows Issued to in the certificate should match the site that you think you are on. If you suspect that a Web site is not what it should be, leave the site immediately and report it. Don't follow any of the instructions that it presents.

  • Actively protect your PC.  It is important to use a firewall, keep your computer updated, and use antivirus software such as Bitdefender, ESET, Sophos etc. You should also consider using anti-spyware software such as malwarebytes.

  • Monitor your transactions, review your order confirmations and credit card and bank statements as soon as you receive them to make sure that you are being charged only for transactions you made. Immediately report any irregularities in your accounts by dialing the number shown on your account statement. Using just one credit card for online purchases makes it easier to track your transactions.

  • Use credit cards for transactions on the Internet. In most locales, your personal liability in case someone compromises your credit card is significantly limited. By contrast, if you use direct debit from your bank account or a debit card, your personal liability frequently is the full balance of your bank account. In addition, a credit card with a small credit limit is preferable for use on the Internet because it limits the amount of money that a thief can steal in case the card is compromised. Better yet, several major credit card issuers are now offering customers the option of shopping online with virtual, single-use credit card numbers that expire within one or two months. If the service is available in your country, your bank can provide you with details about perishable virtual credit card numbers.