Spam emails are an unfortunate part of life on the internet, but the last few years have seen not only a revival but an evolution of extortion scams. You're likely aware of the infamous Nigerian Prince scam and know not to take it seriously, but what do you do if something more sinister finds it's way into your inbox?
According to the FBI's Internet Crime Complaint Center (IC3), email extortion is continuing to grow significantly. Complaints rose more than 200% in 2018 and were on track to continue at that rate in 2019. And the majority of these emails were part of a sextortion campaign, where hackers threatened to release compromising images or information if the victim didn't pay up.
Email-based blackmail scams are on the rise, and while we don't see many signs of the trend coming to an end, there are ways to protect yourself.
How do sextortion scams work?
This rise in sextortion emails is partially thanks to data breaches at companies like Ashley Madison and Yahoo, where the information leaked is sensitive. In the case of Ashley Madison, the nature of the data source means that information exposed in the breach could be potentially damaging to a victim's reputation if it were leaked or otherwise disclosed.
While an email address may have been exposed in such a breach, typical hoax sextortion emails don't have any basis in reality. Data breaches of companies such as Ashley Madison lead to a rise in the number of fake blackmail attempts that make their way to people's inboxes, which inevitably leads to panic.
These emails are form letters sent by scammers to lists of email addresses pulled from breachers and include vague claims of your alleged improprieties. These claims could consist of anything and everything from inappropriate photos or videos of you they claim to have pulled from a hacked webcam, evidence of your supposed affairs, or even evidence and links to pornographic material you've viewed on your computer.
Why were you targeted?
From the extortion email you receive, you know a scammer has your email address, and they may have even given you “proof” that they have access to more information — or even worse, your computer.
Hackers and others with ill intent are incredibly skilled at finding the vulnerabilites in your security armor and will jump at any chance to take advantage of people. This is why if you've used the same username/email address and password combination on more than one website, you're not only leaving yourself vulnerable to a password attack but opening yourself up to other potential scams.
If you've received an email attempting to extort you for money, there's a good chance that your email address was exposed in one of many data breaches that have occurred in the last few years. And depending on what data was exposed, they may even have one of your passwords. An attacker will use this password, sharing it with you via the extortion email, in an attempt to make their claim appear genuine.
Even if that password doesn't match your current email address, the fact that they have one of your genuine passwords could be enough to scare you into believing their other claims.
How you can protect yourself
With data breaches becoming more common, it's vital that you have a way to check if your passwords have been leaked, exposed, or otherwise compromised. That's why in 1Password Watchtower alerts you to any password breaches and other security problems that impact your accounts.
Through integration with Troy Hunt's haveibeenpwned.com service, Watchtower checks your passwords against over 500 million exposed passwords and highlights any that show up on the list. If there's a match, your password has been compromised, and Watchtower lets you know it needs to be changed.
If the scammer claims to know your password and shares proof of that, it's a good idea to check and see if that password appears in Watchtower. If it does, it's time to change the password for any logins that might have used it. While this won't prevent any nasty blackmail emails landing in your Inbox and demanding Bitcoin in the future, it will mean you can be confident in ignoring them.
Remember, strong, unique passwords are the name of the game here. Don't make life easy for hackers by only making them hack one website to gain access to everything.