Extortion scams that claim to have hacked your account

We’ve seen a few reports recently of customers receiving messages that begin something like this:

I’m going to cut to the chase. I am aware [redacted] is your pass word. More to the point, I know your secret and I’ve evidence of your secret. You don’t know me personally and no one paid me to examine you.

Or like this:

You may not know me and you are probably wondering why you are getting this e mail, right? I’m a hacker who cracked your email and devices a few months ago. Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account.

The message then goes on to demand money (usually in the form of a Bitcoin ransom) in order to not reveal your “secret”.

These are a scam; you should ignore them. The mail is sent in bulk by spammers to millions of people, just like any other spam, and they know nothing about you beyond your email address and possibly a password they stole from another site. Our filters block most of these (we’re blocking more than a dozen per day per account, on average), but unfortunately no filter can block all spam messages, and the spammers are constantly changing them to get around the blocking.

You can find more information on sites like Sophos and Krebs on Security.

What if they used my own address to send the mail?

If the message appears to come from your own address, that just means that they’ve forged, or “spoofed”, your address on a message they sent through another server. Forging an email address is easy for spammers to do: almost all spam uses forged addresses, and it doesn’t mean they have access to the mailbox behind the address they forged. In this case, they chose your own address to forge (instead of another random address) because it makes the email seem more believable. This page on our website explains more about forged addresses.

What if they know my password?

If the message includes a real password you’ve used somewhere, they know it because they’ve stolen it from another service that had a security breach that exposed their users’ passwords and email addresses.

You can often check if this is the case by entering your email address into Have I Been Pwned?, a site that tracks breaches. You might see something like this, for example:

As you can see, someone stole all the LinkedIn users’ email addresses and passwords a few years ago, and those are available to spammers. The spammers simply send each address a message that includes the LinkedIn password, making it seem more legitimate.

This type of thing is so common that it appeared in the XKCD webcomic:

To avoid problems from breaches like this, you should use a different password for each service (and change any passwords that match the one the spammer sent you, although you don’t need to change other, different passwords). If you use a different password for reading email, for example, it doesn’t matter if hackers steal the password you use on LinkedIn. The Have I Been Pwned? site has more tips.
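One practical way to check whether the password a scammer quoted is already in a known breach corpus is the Pwned Passwords range lookup that Have I Been Pwned? offers: you hash the password with SHA-1, send only the first five hex characters of the hash, and compare the returned suffixes locally, so the password itself never leaves your machine. The script below is an added example written for this article, not code from the page or from Have I Been Pwned?; it assumes the documented response format of `https://api.pwnedpasswords.com/range/{prefix}` (one `SUFFIX:COUNT` per line) and runs offline against a constructed sample response.

```python
import hashlib
from typing import Tuple


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the range endpoint and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the
    breach count for our suffix, or 0 if it is absent. The comparison is
    done locally, which is what makes the lookup k-anonymous."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def breach_count(password: str, range_body: str) -> int:
    """Convenience wrapper: hash, split, and look the suffix up in a body
    already fetched (or constructed) for that password's prefix."""
    _prefix, suffix = hash_parts(password)
    return count_in_range(suffix, range_body)


# Constructed sample of a response for prefix 5BAA6 (the prefix of the
# well-known weak password "password"). The counts are made up; the second
# line's suffix is SHA-1("password") minus its first five characters.
SAMPLE_RANGE_5BAA6 = """\
1D3FAAD8A6B3CD4E7B2C5C3D0C6E0E8B1A0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2A3B4C5D6E7F8091A2B3C4D5E6F7A8B9C:1
"""


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline sample): only the 5-char prefix
    is transmitted, never the password or its full hash."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(breach_count("password", SAMPLE_RANGE_5BAA6))  # 3861493
```

A non-zero count means that exact password is in a public breach corpus and should be changed everywhere it was reused; a zero count only means it is not in that corpus, not that it is safe to reuse.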

Don’t let them fool you

This scam is clever. The hackers know only one or two things about you (your email address and perhaps a password you used somewhere), but they try to use those to make you think they know more than that. It’s easy for hackers to steal an email address and password from somewhere else, but that doesn’t mean they have access to your email, or your webcam, or anything like that. Don’t let them trick you into thinking it does.