Phishing scams have a purpose. The convincing email that arrives in your inbox may be enticing you to register for a free gift or creating a sense of urgency to log in and check your account status. In the end, the criminal behind these attacks is seeking an easy way to make money from you. The crook may want to steal your credentials and other personal information in order to sell them on the dark web or to breach your accounts. They may be quietly installing malware on your device that lets them hijack your processing power for cryptocurrency mining. Perhaps they are encrypting your files and demanding a ransom for the decryption key that restores access to your files and/or computer.
The latest scam circulating on the web is called the sextortion scam. In this phishing email, the scammer threatens to release evidence of inappropriate or illegal sexual activity to the victim’s family, friends or the Internet at large unless the victim pays a ransom. The email is often poorly worded, and the scammer quickly explains away the wording and misspellings in an effort to make clear that this is a serious matter and that the scammer’s nationality has no bearing on the authenticity of the threat. It may also include a password you have used in the past, which the crook collected from a previously breached database.
This is just another twist on some of the tactics used on victims. By eliciting fear and urgency, the crook is hoping to snag another victim.
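As an added illustration (not part of this article or any vendor product), the following Python script triages inbound mail bodies for the sextortion pattern described above: a claimed recording, a threat to send it to the recipient's contacts, a cryptocurrency ransom with a deadline, and a quoted "old" password. The indicator regexes, score thresholds, and sample messages are constructed assumptions for the example; the breached-password check shows how a help desk can confirm that the quoted password is a stale one from a known breach without keeping the plaintext in the triage tool.

```python
"""Heuristic triage of mail bodies for sextortion-style extortion content.

Added example: indicator patterns, thresholds and samples are assumptions,
not a vendor rule set. The sample messages below are constructed, not real.
"""
import hashlib
import re

# Constructed sample messages (assumed content, not real mail).
SEXTORTION_SAMPLE = (
    "Your password is PASSWORD-EXAMPLE-123. I placed malware on the adult site "
    "you visited and my webcam software recorded you. I will send the video of "
    "you to all your contacts unless you pay 900 USD in bitcoin to "
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq within 48 hours."
)
BENIGN_SAMPLE = (
    "Hi team, the deadline for the quarterly report is Friday. Please add your "
    "slides to the shared folder."
)
EXPIRY_NOTICE_SAMPLE = (
    "IT notice: your password expires in 7 days. Change it in the self-service portal."
)

# Bitcoin address in legacy (1.../3...) or bech32 (bc1...) form.
BITCOIN_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

# One point per indicator that matches at least once (assumed indicator set).
INDICATORS = {
    "payment_in_crypto": re.compile(r"\b(bitcoin|btc|wallet)\b", re.I),
    "recorded_you": re.compile(r"\b(webcam|camera|recorded you|video of you)\b", re.I),
    "leak_threat": re.compile(r"\b(contacts|family|friends|everyone you know)\b", re.I),
    "deadline": re.compile(r"\b(\d+\s*(?:hours|days)|deadline)\b", re.I),
    "password_lure": re.compile(r"\byour password\b|\bpassword is\b", re.I),
}
# Assumed thresholds: tune against your own mail corpus before relying on them.
SUSPICIOUS_SCORE = 2
LIKELY_SCORE = 3

# Captures the token after "password is" / "password:" so it can be compared
# against a list of hashes of passwords already known to be exposed.
PASSWORD_QUOTE_RE = re.compile(r"password\s*(?:is|:)\s*([^\s.,]+)", re.I)


def analyze(body):
    """Score a message body and return indicators, wallet addresses and a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    wallets = BITCOIN_RE.findall(body)
    score = len(hits) + (1 if wallets else 0)
    if score >= LIKELY_SCORE:
        verdict = "likely-sextortion"
    elif score >= SUSPICIOUS_SCORE:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"score": score, "indicators": hits, "wallets": wallets, "verdict": verdict}


def extract_quoted_password(body):
    """Return the password the sender claims to know, or None if none is quoted."""
    m = PASSWORD_QUOTE_RE.search(body)
    return m.group(1) if m else None


def breached_hash_set(passwords):
    """Hash passwords the defender already knows were exposed (e.g. from a breach
    notification) so the plaintext never sits in the triage tool."""
    return {hashlib.sha256(p.encode()).hexdigest() for p in passwords}


def is_known_breached(body, breached_hashes):
    """True if the password quoted in the message matches a known-breached hash."""
    pw = extract_quoted_password(body)
    return pw is not None and hashlib.sha256(pw.encode()).hexdigest() in breached_hashes


if __name__ == "__main__":
    known = breached_hash_set(["PASSWORD-EXAMPLE-123"])  # constructed breach list
    for label, body in [("sextortion", SEXTORTION_SAMPLE),
                        ("benign", BENIGN_SAMPLE),
                        ("expiry-notice", EXPIRY_NOTICE_SAMPLE)]:
        result = analyze(body)
        print(label, result["verdict"], result["indicators"], result["wallets"],
              "quoted password from known breach:", is_known_breached(body, known))
```

The routine password-expiry notice lands at "suspicious" because it shares the password and deadline indicators, which is why a score like this belongs in a triage queue rather than a blocking rule; the wallet addresses it extracts are useful as indicators to share with your incident response or law enforcement contacts.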
Phishing is the number one cause of compromise. Why do the crooks use this tactic? Because it works. It is far easier to simply ask you for the information than to break into a network.
How can you protect yourself and your organization against these persistent attacks?
- Keep your systems up to date with the latest operating system and patches.
- Use strong passwords or passphrases. Change them on a regular basis and never reuse the same password across accounts.
- Implement two-factor authentication where possible.
- Don’t click on links or open attachments from unknown senders.
- Develop an ongoing cyber security awareness program. (See MOREnet’s phishing simulation service, Cofense PhishMe.)
Educating the end user is an important part of helping deter this criminal activity.
If you believe that you are a victim of sextortion, call the FBI at (800) CALL-FBI.