I opened my email to find a rather nasty surprise. Although “sextortion” bitcoin ransom emails had been around for several years, I had never received one. I knew what they were and their purpose, but I had never seen one “in the wild.”
I opened the email, not paying very close attention, and began to read, unprepared for the contents. It claimed to have one of my passwords and that malware had been activated on a porn website that I had visited to take control of my webcam and capture video of me. The sender claimed to have my email and Facebook contacts and threatened to send the video out to them unless I paid $1,293 in Bitcoin within 36 hours. If I did so, the sender promised to destroy the recording and all the details he had on me. He helpfully provided the URL for the payment, as well as an offer to provide proof of his threat by responding “Yes” to the email. If I didn’t send the money, he would send the video evidence to nine of my contacts right away. To close the email, he reminded me of my potential humiliation and the impact on my relationships if this video were to get out.
I immediately knew this was a total scam and a perfect example of sextortion. How did I know? My previous cybersecurity training told me to look for several telltale signs.
- the password he claimed to have was one I had never ever used
- I had never visited the site he claimed I had
- the email header information made it clear it was spam
Although I knew what was happening, I still had a physiological reaction to the email – my stomach dropped, I felt physically ill, my mind began to race. For a brief moment of time, I felt sheer panic. It was a terrible cascade of primal reactions.
I am glad it happened.
Scammers are betting on people’s panic to do something rash and against their own self-interest. The physiological response I had is primal to humans when they are threatened. It can feel as if the walls are closing in and we have to do something to protect ourselves. We are willing to do whatever it takes to make the threat stop.
Because of my background, my primal response was brief. I soon recovered and was able to look at the situation with a clear head. I knew how to review the email and determine what it really was. I also knew what to do and what not to do.
- Never pay the ransom, no matter how serious the threat. Even if the scammer has damaging material on you, they will not stop once they know you are willing to pay.
- Never respond to the email. Doing so lets the scammer know the email address is live and viable. You will continue to hear from them.
- Also never visit the web site named in the email. It, too, can be used to load malware onto your system in a drive-by attack.
- If you receive a bitcoin ransom email at your work email address, report it immediately and follow the instructions given to you. Do not forward the email unless you are asked to do so.
- If you receive the email to your personal email address, mark it as Spam and delete it immediately. If you use a preview pane, do not fully open the email.
This incident was a great reminder of these facts:
- The reason I knew what to do was the extensive exposure I have had to phishing scams through awareness training and simulations. Without that, I may have fallen victim.
- Data breaches have a long shelf life. A scammer with data from a breach may have a password that you had previously used. This is why if you receive notice that your credentials have been breached, you must change your passwords immediately.
- Do not use the same password across multiple applications or web sites. A single data breach can expose you on multiple fronts.
- Be careful with the web sites you visit, especially on a work system. If you hold company data in your system, an attacker can access it via a malware attack launched from a rogue site.
- New permutations of this type of attack occur every day. Consistent, relevant training and simulations are essential for preparing people with what they should do if they receive a phishing or ransom email.
- Be prepared to face phishing, ransomware and scam attacks both in the workplace and at home. They can occur at any time.
I am glad I received the email that I did. It was an effective reminder of what employees face each day and that we shouldn’t be complacent when it comes to giving them the tools and experiences they need to be ready.