Last Thursday I was having a really great day.
I was getting important stuff done and feeling like I was making some good progress on the day’s goals.
My parents were coming into town to visit with us for a few days and the weekend was nearing.
And then I got the email.
As I was finishing up an article I was writing, I got a message from my assistant that there was an email that I needed to see right away.
I only process email on Mondays, but my assistant keeps tabs on what is going on in my inbox, in case something urgent comes up that I need to see.
And in this case, I am really glad that I did see this one right away.
The ransom email
As I popped open my inbox, I couldn’t believe what I was seeing. The password that I had used on hundreds of sites was sitting there right in the subject line.
The email went on to explain that they not only had my password but had hacked into my webcam and installed a keylogger on my computer as well.
They politely informed me that if I didn’t send them $2900 worth of Bitcoin in the next 24 hours, they would begin their attack.
6 months earlier…
Just about 6 months earlier I was chatting with a friend who had his entire business taken hostage from him and held for ransom.
They had gained access to his primary email account and all his banking institutions as well as core business websites. And since they had control of his main email account (which served as his hub) it was a nightmare to get resolved.
He ended up getting things sorted out without paying the ransom, but the agony that it brought on him for a few days was bad enough.
So as I was reading this email that I had just received I couldn’t help but think of where this could be headed.
I was suspicious as to whether or not this email was legit, but the bottom line was that they had a password that I had used hundreds of times and there was no way I was going to be able to remember all the places I had used that password.
And because of that, I didn’t really know how much damage they could actually do.
What I did
The first thing I did was reach out to my friend that I mentioned above to ask his advice. He suggested:
- Making sure I had 2-Factor authentication on every important account that I could think of (that offered it).
- Calling my web host to let them know about the threat, just in case they tried to hijack my website.
- That I do not respond to the email.
After I got off the phone with him, my assistant and I went to work, making sure every account we could think of was using a different password than what was included in the email.
I had stopped using that password years ago and began using a different password for every site (as the experts suggest), but I had never gone back and attempted to change it on all those old sites.
After we were very confident that all of the most business-critical sites had 2-Factor Authentication and/or different passwords, I decided that was all we could do. Now it was time to let it go and trust that the Lord would fight the battle.
What I learned from this experience
I had already been doing a pretty good job with online security which really helped minimize the potential damage that could have been done.
But, there was no getting around the mistake of having spent 5+ years using the same password for every site that I created an account on.
It also was just a good reminder that any security system is only as good as its weakest link.
So even if I am doing a fantastic job creating strong passwords and keeping an account secure, but an employee, spouse, friend, etc. is not, then we can still get ourselves in trouble.
What I would recommend to you
If you have no idea where to start but want to start protecting yourself better than you have been, this is what I would recommend, knowing what I know now.
1. Start using a different password for every account
If you use a service like 1Password or LastPass, definitely use their 2-Factor Authentication options.
2. Use 2-Factor Authentication for everything you can
While this sounds complicated, it actually isn’t that difficult to do for most sites that offer it. And for most people, it virtually guarantees that you will keep your account safe.
You can do this with your smartphone or use a Yubikey (just check that it works with your account).
3. Consider ID Theft insurance
This is a little bit different but falls under the category of 21st-century security so I thought I would add it. You do not have to have this, because if your identity gets stolen you can do everything that most of these companies would do for you, BUT if they are good at what they do this insurance will save you tons of time if this ever happens to you.
I have seen stats that say that the average victim of identity theft has to spend 100-200 hours of time getting all the issues resolved.
With ID theft insurance, you are paying a company to take most of that burden off your plate, should an incident ever occur.
The best 2 companies out there that I know of are LifeLock and Zander. I use one of them, but like any insurance company, you never really know how good they are until you file a claim – and thankfully I have not had to yet. So do your own research when making your decision.
4. Avoid using Public WIFI
Use your smartphone’s hotspot instead when possible.
5. Get a webcam cover
Mark Zuckerberg (the guy who has eroded so much of our privacy) always keeps his webcam covered because he knows how easy it is to hack.
That’s enough for me. I bought these webcam covers.
6. Use Anti-Virus software
There are a lot of options, but Avast is a pretty good free option to try.
7. Always use a passcode on your smartphone
For most of us, this is the easiest access point for bad guys into our lives. I hate that it slows me down getting into my phone, but it is worth it.
There are always more things to do to protect yourself depending on your level of vulnerability and risk tolerance, but these are a few to get you started.
If you want more, check out our article: 16 ways to protect yourself from identity theft.
So what ended up happening?
I kept an eye on my inbox over the next 24 hours and never heard another peep. I assume that if it was a serious threat they would have gotten back to me.
What I suspected from the beginning (but wasn’t 100% sure) was that this email was an automated one sent to me and thousands of others who had their passwords compromised in one of the data breaches.
And just yesterday I got another email, very similar to this one, so that is even more confirmation that they are just fishing to see who bites.
This is going to become commonplace
What is so scary to me is that I think emails like this are going to become commonplace.
With all the massive data breaches where our password information was compromised, it just makes sense that after that info is sold on the black market we would begin getting emails like this.
God only knows how many others got the email I did and paid them out of fear.
We have all gotten the scam emails that try to get our money by greed (the promise of more money) or by compassion (tugging on our heartstrings), but I would argue that fear is going to be an even more effective tool for the scammers.
And that is what makes ransom emails like this something to watch out for.
Spread the word
Please share this with anyone who may benefit from this information – I consider myself fairly tech-savvy and this email was still worrisome because it was created with such skill so I’m sure many people are falling for it.
And I want to stop that from happening any way I can, so definitely pass this along to anyone who you think could benefit from it.
Stay safe out there!
Money Beagle says
I wonder where the password was hacked from. One thing that just happened to me is that I got an e-mail from WordPress.com that they reset my password because they discovered that it had been compromised. I haven’t used that account in years, I think I was planning on using it as a sandbox to test a site conversion years ago, and I have the account remaining so that I can comment on blogs that are hosted there. Which, I’m guessing now, might be quite less if others got compromised as well.
But it makes you wonder, maybe if you had/have an account there, it could have been the source. You never know I guess.
Webcam covers? Why pay for these?
Just take a small Post-It Note or equivalent, take a black magic marker and cover the note with it. Next, stick it over your webcam. Simple and cheaper for certain!
True, I have done that for a while, but it has been annoying me enough that it is worth me spending a few bucks for a nicer solution
A little duct tape works quite well, too.
Jane Abernathy says
Just so you know, Lifelock is the same company that got itself hacked and the owner’s personal information stolen. He was the guy who put his Social Security number on the side of his van, bragging that he couldn’t be hacked. So, no, I would never use Lifelock. He showed very poor judgement and I don’t trust the company.
I didn’t know that Jane – good point.
Brian Kluth says
I received the same (or very similar) ransom email. But I knew it was fake when they said they recorded me using a pornography website. They said they were going to release the recording of me and what I was watching. I have never used pornographic websites so I knew it was a scam. But I really appreciated your article and the helpful tips you provided. Thanks. Brian
Two weeks ago I had a similar ransom email sent to me. I read it twice, had a good laugh and deleted it. I have the webcam on my phone and on my laptop covered for a number of years and I do not view any porn. I have had text, phone call and email threats from CRA…all fake. I had a scammer try to dupe me in a dating website.
Thank you Bob for this informative article. I am glad you were able to stay safe. I will take further measures as in changing my passwords etc. I believe this scam is going to become very common and unfortunately many people will fall prey. These scams are everywhere. Know the red flags and share this knowledge with your friends, family and colleagues!
Thank you so much for alerting us to what can happen and sharing with us what to do. I have been on the receiving end of many scams; one lottery scam I fell for in 2004 cost me thousands. It was my own fault. And I have received calls from people who pretend to work for the IRS and who threatened to arrest me if I did not pay back taxes owed, immediately. And just today I received an email that looked to be legitimate, from PayPal. It stated that I sent $154.99 to some gentleman in England to pay for a headphone to be delivered to another gentleman also in England. I panicked; however, after I calmed down, I figured this might be a phishing email since I had not ordered a headphone, so I did not click on the link in this email to cancel the order which was most tempting for me. I went to the secure, official PayPal website and logged in to my account. I did not see this transaction listed at all so I assumed correctly that it was a fake email designed to obtain my password to PayPal. I thank God for alerting me to phishing emails. I am so glad I did not click on the link in the email. This email looked so legitimate, with the PayPal logo, etc. Anyway, I also forwarded this fake email to [email protected] so they can investigate it and hopefully shut down whoever is sending these kinds of emails. I read that scammers steal billions of dollars a year from unsuspecting people, especially the elderly. This makes me so sad. I thank God for honest bloggers like you who help us to make money, save money and protect our money, our identity, etc. Thank you! Thank you! Thank you!
Yes, I got something just like this as well and it made my heart skip a beat. I knew it was a scam but the password they listed made it seem somewhat legit. I then figured it out.
These hackers have all these passwords they’ve harvested. Some are old. Some are just passwords with no username. Some are the username and password but no website. So, to them this is an asset but how can they profit from it. Ah! List a password if there’s an email address and try to extort money from people by sending them a scary email… and that’s just what they did.
Your tips here are good and everyone should follow them.
Bob H. says
Bob, Great article. I have LifeLock and they saved me a couple of times when someone tried to open sev. charge accounts in our name. Also, I recommend putting a “freeze” on your Experian, Equifax and TransUnion accounts. It is the ultimate protection according to LifeLock. But you have to plan ahead and remove/suspend the freeze if you’re going to buy something on credit.
Thank you for the great article.
I got an email like this just yesterday. I assumed it was spam but it’s still scary to see an old password in the subject line.
Laura Bennet says
Wow! Thanks for the great information. I know I shouldn’t be surprised, but I still am stunned by the evil things people come up with. Thanks for the heads up! I would have never imagined this one.
I have my webcam taped over with a fortune cookie.
For those of you who want to know what mine reads:
YOU HAVE AN ABILITY TO SENSE AND KNOW HIGHER TRUTH
Put up your favorite one, it’s fun to look at and doesn’t cost you (if you don’t count the Chinese meal you paid for to get the FREE fortune cookies…)
Identity protection: try Legalshield; they have a solid Identity Theft membership service called ID Shield.
David Macauley says
FYI – I won’t recommend a particular tool, because I don’t want this to be viewed as advertising, but use a password manager. The tool I use has a master password that gets me into the program, then within this “vault” are all the passwords for all my sites. Most if not all password managers will also generate ridiculously secure passwords for you when you are signing up for something, or updating passwords on existing accounts. My tool also has features that allow you to check for risks such as multiple sites using the same password. This has been invaluable to me as I subscribe to hundreds of sites. Just make sure you do your homework and get a reliable, reputable, secure solution.
A few weeks ago, someone was able to hack into an online site for a box store that I had used previously. They used my saved credit cards to place orders for themselves and I received the emails that the orders had been placed. Please try not to store credit card numbers in your online ordering accounts.
great info u put down, God bless ya
Henry Iveson says
Thank you Bob for sharing! The only thing I would add, would be a VPN program. Personally I like ExpressVPN but they can be pricy, NORD VPN would be another good option (more affordable.) Both are easy to set up and use and I’ve found them indispensable for helping me keep my privacy intact.
Your ransom email post was timely. My husband received the same alarming email this week. It was a blessing to be able to refer back to your post for information on steps to take. Although the email appears to be spam/phishing, since by nature we can get lulled into a false sense of security, it served as a good reminder that we need to remain alert and diligent in our business and private practices. Thank you for sharing the info. I passed your post on to my adult children – who promptly reminded me that I probably could have chosen a better email subject line than: “Mom re ransom email”.
This has also made the local news here in Washington, DC. I have received 4 such emails each asking for vastly different sums of money. Each very lengthy with the same theme but slightly different, different bitcoin addresses and different sender addresses. All also written by someone whose English is not their first language. All using the same once (10+ years ago) password. So long ago it was only 7 characters long with no special characters as way back when most sites limited passwords to 7 characters. I’ve had free monitoring service (thanks to my government info being hacked twice) and have learned many years ago that this password was on the dark web. It was a password I used for a free ecard site way back when. That ecard site was known to have been hacked a very long time ago. So I know where it came from originally and likely was bought or harvested off the dark web. So, of course I didn’t fall for it. Especially since what they purported to have was obviously false in my case. I started to send it to the FBI who has a web page to report internet crime but then realized this was likely sent to many thousands of people who have had passwords compromised and as such would likely have been reported already. The local news article recently confirmed the FBI had received many reports of this scam. Lucky for me I never shared passwords across sites except for a few bogus sites that all share similar or same passwords but these sites are ones that only get an email address from me and nothing more.
If you ever want to use a site that requires a Facebook account, then what I did was create a separate Facebook account which basically has no info on it and I use that rather than my real Facebook account too. Many people I know use a free Yahoo or other email address for creating accounts on these sites that must require you to have an account to access information on the site. I don’t go that far but it works for many.
I think lifelock and similar services are a waste of good money. IMHO. You will have to give them lots of info if you are ever hacked and so they won’t save you that much time. Prevention is worth a pound of cure is very true here. Use different passwords. Not just different by a couple of letters or numbers either. Use long passwords too. They are better than short complex passwords in many cases. Password managers are great. Many are free. But choose a secure one as you are putting all your keys in one basket.
Welcome to the new world.
Lori Jacobs says
Thank you for this! I was freaking out when I received my scam/ransom email. I wasn’t going to pay him. I don’t have that type of money! But the stress is really bad at the moment with this email. I reported it as phishing. I changed my email account password and turned it into a 2 authenticator as you suggested.
I am glad you posted this. I ran across the post a very long time ago and started to do what you suggested. Not long ago I received an email with an old password that I no longer use. Hopefully it is a scam. Since then I reformatted my phone and computer in case they really did install a key logger.
Ms. Anne Thrope says
Hehehe… I’ve received several of these blackmail email scams. I find them amusing, in that they are no real threat.
For several years, I have been using unique email addresses for every account. But, in the old days, I used the same email (but not the same password). Now, I also create very strong passwords, as well.
I like knowing that, in the future, if I receive spam/scam email, I will know precisely which company leaked my info., since part of the unique email address will include that company’s name.
But getting back to the ransom-type scams, I was never concerned, even with the very first one I received.
You see, the wording of the emails goes on about visiting adult sites. I don’t visit adult sites, so I have zero concern that anything else they say could be valid.
They often use the idea that they’ve used your own camera to record you “enjoying” said adult sites, in order to blackmail you. Again…I’m unconcerned. Don’t visit those sites, and certainly haven’t been caught “enjoying” them.
They sometimes also use a reference to some sort of Facebook widget, which also proves it’s just spam (okay…they purchased my valid login credentials hacked from some old site…so, they are criminals…just not very bright criminals). You see, I have zero social media accounts, as well.
Three strikes and you’re out, pals.
Now, these emails are a result of hacking. But I like to point out that most people click on links in emails and texts, willy-nilly.
If you want your information stolen or malware loaded onto your device, clicking on links in emails or texts is a really efficient way to make it happen.
Instead, go to the company’s site. Sign into your account at the company’s official site. If the subject of the link can’t be accessed via your account at the company’s official site, complain to the administrators and/or IT department. Encouraging customers to click links in emails or texts is the opposite of what a good corporate citizen should be doing. (I recently rec’d an email with a link to my tax receipt for a charity I give to. I logged into my account, and found no way to access my tax receipt securely at their site. They literally only make access available via a link in an email.) smh
Too many companies do things like this. I cancelled a subscription box, for example, because I had no way to securely update my credit card info. via my account. They sent me a link in an email. And while I am quite sure their link went to a secure site, you couldn’t pay me to click a link in an email, and then enter personal information or a credit card, at the destination. Do you want your identity stolen? Because that’s how you get your identity stolen. 😉