I got a phishing email that tried to blackmail me – what should I do?
Paul received a spam message that looked like a sextortion or webcam scam.
I got this email today. It says, “I hacked your device, because I sent you this message from your account.” It goes on to claim that it has filmed me watching pornography and demands $2000 in bitcoin. Phishing? Pwned? What to do? –Paul
This is generally known either as “webcam blackmail” or “sextortion scam” and the email should have been diverted to your spam folder. Millions – perhaps billions – of similar emails have been sent over the years, but there seems to have been a flood of them over the past month.
Very few people ever make the requested payment. However, since the cost of sending millions of spam emails is basically zero, even a few payments are easy profits.
What’s on the hook?
Random spam emails probably don’t have much success, so the would-be blackmailers have been trying to personalize their attacks in various ways. The most common ones are email spoofing, including a password, and including all or part of a phone number. These have usually been obtained from one of the security breaches that have exposed details of billions of users. In 2017, Yahoo admitted that its data breaches compromised 3 billion accounts. Other major breaches involved Marriott International (500 million customers), LinkedIn (164 million), Adobe (153 million), eBay (145 million), Sony’s PlayStation Network (77 million), Uber (57 million) and Ashley Madison (31 million).
There’s a good chance that one of your passwords was exposed in one or more of these breaches. To find out if your own email address has been affected by a data breach, head to the Have I Been Pwned website. You’ll need to enter your email address here – don’t worry, there’s no security threat to doing so, and you’ll never be asked to enter a password or other personal data.
What does ‘pwned’ mean?
Pwned, in this context, simply means that your account has been the victim of a data breach.
The word itself takes its name from player-to-player messaging in online computer gaming. When one player is defeated, another might type out a message to say, ‘You’ve been owned’.
This was so frequently misspelt as ‘pwned’, the word itself took off.
What should I do if my account has been pwned?
If your email address has been compromised in a data breach, it’s a smart move to change your login password for your email address, and for the service which was affected by the breach. Even if your email account itself hasn’t been victim of a data breach, there’s a security risk if another account that you log into with the same password has been affected.
Ideally, you should never use the same passwords across multiple websites. It can, admittedly, be a pain to remember multiple logins. If nothing else, you should always have a completely unique password for logging into your email account – don’t use this same password on any other service.
When creating a strong password, use a mix of upper and lower case letters, numbers, and symbols.
The best way to deal with phishing and other spam emails is to delete them on sight. Don’t open them, don’t reply to them, don’t open any documents that may be attached to them, don’t click any links in them, don’t enter any information into websites fetched by those links, and definitely don’t send them any money.
Many of these emails will include a transparent, single-pixel image, known as a beacon. When you open the email, it fetches the tiny image.gif file from a remote server, so the spammers know they’ve hit a live, working email address. (Note: Gmail and some other services pre-fetch images to avoid this problem.)
Also bear in mind that spam and phishing emails may include attempts to infect your computer with malware. This is why you should keep your anti-virus software and operating system up to date. It can be annoying, but thousands of PCs were infected by malware such as Stuxnet and WannaCry months or sometimes years after the vulnerabilities they exploited had been patched.
Watch out for spam
It’s more important than ever to watch out for spam and junk messages – especially if your account details have been included in a data hack.
Clicking on links within spam, or responding to messages, is a risk – you may expose your address to a data breach, or inadvertently install a virus on your computer. Keep an up-to-date antivirus program running on your PC at all times.
Keep an eye out, too, for signs that your own email address may be sending out spam. The most likely symptom of this is a deluge of ‘bounceback’ emails. You may see automatic responses or ‘address not recognized’ messages in response to emails that you didn’t intentionally send.
If you believe your own address has been used to send spam, don’t panic, there are steps you can follow to secure your account and let your contacts know what has happened.
I am sending spam emails
- Q) My email account is telling me that I am sending out spam emails myself! I keep getting ‘message not received’ errors from emails I’ve supposedly sent in bulk. What can I do?
Cloned email account
It’s possible your email address may have been ‘cloned’. This doesn’t mean that someone has accessed your account, but don’t immediately think the computer or email account has been compromised.
Hacked email account
It’s not impossible that your account has been hacked. Passwords that are too simple can sometimes be to blame for a hacked email account. Changing your password to something complex to include a capital letter and digit is really the only physical thing you can do to try to stop this from happening again.
Extreme option 1 – delete your Contacts
It may help to delete your Contacts list, in case spam emails are being sent to the addresses on this list. Note down the addresses of your contacts manually first or export the list as a CSV file – this is usually an option within the Contacts section.
Most email programs and webmail suites can auto-generate email addresses based on the mail you receive anyway, so having a Contacts list is less essential. But keeping a backup of your contacts as a CSV file is handy – keep it saved on your computer.
You can always re-import the CSV list into the Contacts section of your email account to return the list again.
Extreme option 2 – create a new email account
If your email account continues to send out spam messages, it may be best to open a new one. You’ll need to let your contacts know that you’re changing your address, and you can import a CSV file of your contacts list from your old account into your new, more secure account.
Contact PC Solutions if you have questions about unusual emails you received.
If you ever receive an email that you aren’t sure of, don’t open any attachments or click on links within it. These actions can allow hackers to gain access to your account. If you don’t recognize an email, delete it, and don’t click links within it. You can email us at Support@pcsolutionscapecod.com or call 508-441-4432.
PC Solutions Cape Cod Newsletter
By signing up for PC Solution’s Bits & Pieces Blog Notification you will receive an email when a new Blog is posted, with great tips and how-to’s. You will get access to exclusive insight and guides that will help you navigate and stay safe in this digital world we are all living in.