Last fall, when security consultant Frank Abagnale spoke at an AARP Fraud Watch presentation in Louisville, the former “Catch Me If You Can” con artist warned his audience to assume that their personal data was among the millions compromised by database breaches. All those phone numbers, addresses, birth dates and other private information are now circulating on “dark web” sites for sale to the highest bidder.
Now comes a “sextortion” scheme that uses stolen passwords to personalize an emailed threat: pay up in Bitcoin, or a sexually compromising video supposedly recorded through your webcam will be sent to all your contacts. The password is quoted in the message as “proof” of access, but it comes from an old data breach, not from your computer. This scam, first reported July 12 by Brian Krebs (a former Washington Post technology reporter) on his Krebs on Security website, so far seems to be using older passwords. But Krebs predicts that this extortion twist will be refined with newer passwords and more targeted details, such as satellite images of your street gleaned from geo-location data. (The Electronic Frontier Foundation has posted the complete text of four versions of the phishing emails.)
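The hallmarks described above (a quoted password, a Bitcoin address, a webcam or video threat, a threat to contacts, a deadline) are enough to write a simple mail-filter triage rule. The following is an added example, not code from this column, from Krebs or from the EFF; the sample message is constructed, the regexes and scoring weights are illustrative assumptions, and the only real data in it is the well-known Bitcoin genesis address used to show Base58Check validation. A practical point it demonstrates: any 26-to-35-character word starting with 1 or 3 looks like a Bitcoin address to a regex, so the rule verifies the address checksum before counting it as an indicator.

```python
"""Triage heuristic for password-quoting "sextortion" e-mails.

Added example, not from the column or from Krebs/EFF. The sample message is
constructed; the patterns and weights are assumptions chosen for illustration.
"""
import hashlib
import re

# Legacy (P2PKH / P2SH) Bitcoin address: Base58, starts with 1 or 3, 26-35 chars.
BTC_LEGACY_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Bech32 (native segwit) address: "bc1" + bech32 alphabet (no b, i, o, 1).
# Only the format is checked here; bech32 checksum validation is omitted.
BTC_BECH32_RE = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b")
# "your password is hunter2" / "password: hunter2" (assumed phrasing).
PASSWORD_RE = re.compile(r"password\s*(?:is|was|:)\s*['\"]?([^\s'\".,]{4,})", re.I)

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' is a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def legacy_address_is_valid(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte checksum, where the
    checksum is the first 4 bytes of SHA-256(SHA-256(version + hash))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def triage(message: str) -> dict:
    """Score one e-mail body and return the indicators found plus a verdict."""
    text = message.lower()
    m = PASSWORD_RE.search(message)
    # Only addresses that pass the checksum count as a payment demand.
    addrs = [a for a in BTC_LEGACY_RE.findall(message) if legacy_address_is_valid(a)]
    addrs += BTC_BECH32_RE.findall(message)
    ind = {
        "password_lure": m.group(1) if m else None,
        "btc_addresses": addrs,
        "video_threat": any(w in text for w in ("webcam", "video", "recording", "screenshot")),
        "contacts_threat": any(w in text for w in ("contacts", "friends", "family", "colleagues")),
        "deadline": bool(re.search(r"\b\d+\s*(hours|hrs|days)\b", text)),
    }
    # Weights are an assumption: the two personalizing/monetizing signals count double.
    ind["score"] = (
        (2 if ind["password_lure"] else 0)
        + (2 if addrs else 0)
        + int(ind["video_threat"])
        + int(ind["contacts_threat"])
        + int(ind["deadline"])
    )
    ind["verdict"] = "sextortion" if ind["score"] >= 5 else "review" if ind["score"] >= 3 else "clean"
    return ind


# Constructed sample in the style of the campaign (not a real message).
SAMPLE = """\
Subject: hunter2

I know your password is hunter2. I placed malware on an adult video site you visited
and made a video recording of you through your webcam. I will send it to all of your
contacts and family unless you pay $1900 in Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
You have 24 hours. Do not reply to this email.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:16} {value}")
```

The password captured by the rule is the one to rotate wherever it is still in use; the Bitcoin address is the indicator to share with a blocklist or to look up on a block explorer to see whether any victims have paid.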
What to do if you’re a victim of such a scam?
— Take a deep breath. The scammers have an old password of yours, most likely from a breach of some site where you used it; they have not been inside your computer and have no video or screenshots. If that password is still in use anywhere, change it. And should this message arrive in Grandma’s (or Granddaughter’s) inbox, be assured that she is innocent; millions of these emails are sent blindly, in the hope that a small percentage of recipients will be frightened enough to pay.
— Don’t reply. That will let them know they have reached a live person and will open the door to an escalated attack.
— Don’t pay a ransom. The money will only line the criminals’ pockets, and paying once marks you as a target who pays, which invites a larger demand. Refusing to pay also makes this type of campaign less profitable and less likely to be repeated.
Next month: Password Protection