There are two flavours of this scam. The more convincing one quotes a real password of yours in the email, to persuade you that the rest of its claims are genuine.
In most cases the rest of the email is still a lie: the scammer has no video footage of you. What they do have is a password that you have used at some point. How did this happen? Usually as a result of a breach on
This may still be a current password or one that you have already changed. If you’re like most people, chances are that you have used this same password on multiple websites, which means that several of your accounts may be at risk.
How did they get your password? Easy: there have been a number of well-publicised security breaches in which millions of accounts were compromised (Facebook, LinkedIn and Dropbox, to name but a few). Those are just the high-profile, well-known breaches; breaches occur all the time and many are never reported. The scale of the problem becomes clearer when you read that a single password dump containing over 25 billion records, covering over 2 billion unique accounts, was recently posted on the dark web. This is a massive security risk for all of us, and it grows ever larger because people tend to reuse passwords: your LinkedIn password was quite possibly reused on more important systems like email, work IT systems and other social media accounts, and possibly even on ultra-sensitive accounts like your online banking.
So what should you do?
Don’t pay the ransom. In the vast majority of cases this is just a scam and paying the scammers just funds and encourages them.
Check your email address(es) on https://haveibeenpwned.com. This site holds a huge database of accounts exposed in publicly disclosed breaches and will tell you which of those breaches included your address. The database is by no means complete, so a clean result does not mean your account was never compromised.
Change your passwords! Set a strong, unique password for every online account; a password manager makes this practical.
Don't re-use passwords! That way a compromise of one site cannot affect any other site. The one account this does not protect is your email: whoever controls it can use password resets to take over your other accounts, so protect it most carefully.
Review the account recovery information (mobile number, secondary or recovery email address, security questions) on all your online accounts. An attacker who has added their own recovery details can use them to regain access even after you have changed your password.
Set up multi-factor authentication (also known as 2-step verification) on all your online accounts. This is a huge step forward in keeping your accounts secure and is quick and easy to set up and use; an authenticator app or hardware security key is a stronger second factor than SMS codes.
Start monitoring the dark web for compromised credentials. Consumers can do this with a service like Dashlane, which includes some basic dark web monitoring. Businesses should speak to their IT provider (or contact us) about setting up a dark web credential monitoring service for all their business email domains. HaveIBeenPwned is a good source of information, but unless you sign up for its breach notifications it has to be searched manually, and by the time your details appear there they have usually been circulating for a while.
If you’re a business, you can do a lot more to improve your security so that a compromised password does not equal a breach. Speak to your IT provider, or contact us.
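The HaveIBeenPwned site also lets you check individual passwords, and it does so without ever receiving the password. The following is an added example written for this post (not the author's code, and not HIBP's own client): it implements that k-anonymity check against the publicly documented Pwned Passwords range API, where the client sends only the first five hex characters of the password's SHA-1 hash and compares the rest locally. The SAMPLE_RANGE_BODY is a constructed response in the API's line format (not a real capture), so the logic runs offline; the breach counts in it are made up, and the pwned_count and sha1_prefix_suffix function names are this example's own.

```python
"""Check a password against the HaveIBeenPwned Pwned Passwords corpus
with the k-anonymity range API.

Added example for this post; not code from the post's author or from HIBP.
The endpoint and response format are those HIBP documents publicly:
GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
returns one "<remaining 35 hex chars>:<breach count>" per line.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the server and the 35-char suffix that never leaves
    the client. The prefix alone matches roughly one in a million hashes."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 if the suffix is absent. Padded responses
    contain dummy entries with a count of 0, which fall out naturally."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (needs network). Add-Padding asks the
    server to pad the response so its size does not reveal which prefix
    was requested; HIBP requires a User-Agent header."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).
    `fetch` is injectable so the matching logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample response (not a real API capture) in the API's format.
# The middle line is the real SHA-1 suffix of "password"; the counts and the
# other two suffixes are made up for the example.
SAMPLE_RANGE_BODY = """\
1E2AAA439C38D8B0F9D5CE4B5A2A2E6B3E3:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4D1B2C3D4E5F60718293A4B5C6D7E8F90:12
"""


def offline_demo() -> tuple[int, int]:
    """Run the check against the constructed body: 'password' is found,
    a long passphrase whose suffix is not listed comes back as 0."""
    found = pwned_count("password", fetch=lambda prefix: SAMPLE_RANGE_BODY)
    not_found = pwned_count("correct horse battery staple",
                            fetch=lambda prefix: SAMPLE_RANGE_BODY)
    return found, not_found


if __name__ == "__main__":
    print(offline_demo())
    # For a live check (network required): print(pwned_count("password"))
```

A non-zero count means the password is in a public breach corpus and should be retired everywhere it was used; a zero only means it is not in that corpus, not that it is strong. The server never learns the password or even its full hash, which is what makes it safe to run this check on passwords you still use.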
Stay safe online, folks!