Last week I woke up, checked my phone, and saw my old college email had a new message from a name I didn't recognize.
I opened it, and was immediately mortified.
A stranger had installed malware on my computer and recorded me while I was surfing some of the... darker corners of the internet. While he was accessing my computer, he also collected the emails and contacts from my e-address books, and planned to share the video with all of those people unless I paid him $3200 in Bitcoin.
As proof that he'd gained access to my computer, he included my current password in the subject line of the email.
This stranger had blown the doors off my digital privacy, and was holding my relationships and reputation as ransom.
Or so he wanted me to think.
The reality? This message was just the latest iteration of a time-honored internet tradition: the email scam.
Hacked... kind of
This email was scammers' most recent, most seemingly tech-savvy effort to extort money from strangers, but it uses the time-tested tactic of preying on people's response to either fear or greed.
Anyone who's ever heard of the "Nigerian Prince" or "Spanish Prisoner" understands the greed-based approach. The scammers offer immense wealth down the road in exchange for a small chunk of change now that's necessary to make a deal or transfer happen. The proposed payoff is often a fantasy-inducing figure, the kind of number that can numb someone's common sense.
This new threat attempts to suspend disbelief too, but instead preys on people's shame to make that happen. A lot of people watch porn in the U.S. — adult website Pornhub touts over 80 million users per day, but its users probably aren't particularly proud or public about what they do on the site, and they definitely wouldn't want it recorded and sent to friends. The concept is such an anxiety-inducing idea that it was the premise for an episode of Netflix's dystopian futurist show Black Mirror.
Now anyone could claim to have hacked into my computer, but what immediately gave this "Sheldon Figueroa" credibility was that he knew my password. I zeroed in on that piece of information, because it completely legitimized the idea that he had something I should be ashamed of. But in my case, this scammer got lucky, because there was no hacking, at least on his part.
This approach, which is gaining popularity, takes account information that has been leaked in large-scale data breaches and attempts to use it to prop up the scammers' legitimacy, according to journalist and security expert Brian Krebs.
I popped my old college email into Have I Been Pwned, a website that allows users to check and see if an email address has been compromised in any data breaches, and sure enough the account and password had been included in the 2012 LinkedIn hack, as well as four others.
These scammers were simply passing off leaked account information as something far more insidious, and I made for a particularly good target. I had totally ignored updating my old email and I'd used the same password across several different accounts back when I was using it.
In my case, the scheme only cost me five minutes of Googling (way better than $3200 in Bitcoin), but there were other tells that should have tipped me off to the scam.
The signs of a scam
Whether they play on fear or greed, most email scams come unsolicited, from a stranger, and are somewhat deliberately heavy-handed.
Here's a line from one that made the rounds a few years ago:
"I am here seeking for an avenue to transfer the fund to you in only you're reliable and trustworthy person to investment the fund."
It sounds counterintuitive, but the emails are deliberately dubious. These messages likely go out to several thousand people, but the operators can't possibly work every single person through the scam. To save themselves time and aggravation, they leave tells in the email — misspellings, awkward phrasing, and grammatical issues — so that savvy people will simply delete the email, filtering down to the unsuspecting and most prone users. A marketer would call these folks the scammers' most qualified leads, but to scammers, they're the suckers.
The new webcam extortion con uses the same tactic. The email that hit my inbox had lines like:
"Let's hope you have chosen to generate all of this go away and pay me the confidentiality fee."
If you see weirdly phrased emails from strangers, be on high alert.
And if you aren't sure, talk about it with someone and spend some time searching online. Scams will also do their best to separate you from a voice (or website) of reason. This one preys on a private moment, making it tougher for people to talk about it with friends, but it also uses some "advanced tech" to try and prevent folks from getting outside help.
"I've a unique pixel in this message, and now I know that you have read through this e mail... Swear to god, If I see any wanna-be smart activity from your search history then I'll send out your video to your family members, colleagues even before time finishes."
Of course the scammers are trying to keep you from doing any fact-finding! A quick search shows articles from tons of outlets about this very scam.
How can you protect yourself?
This scam was momentarily scary because I'd had some pretty lax password practices in the past. If you take nothing else away from my experience: use different passwords for all your different logins and change them regularly. I've committed to doing an annual overhaul of all my important accounts, but as this episode shows, it really needs to be done for anything you ever use.
While individual account passwords may seem daunting, it can be a little easier if you have a system in place. One suggestion: start with a base phrase (say: "arugula44$") that you use across all accounts and then use shortcut names for each individual site (fool.com = ful) so that you have a different password for each one (arugula44$ful for Fool.com). If that type of syntax gymnastics doesn't sit well with you, you can also try using a service like LastPass that lets you manage all your passwords in one place.
Another major lesson from this scam: cover your webcam. Facebook CEO Mark Zuckerberg does it. Former FBI Director James Comey also does it. While this specific email scheme was based on empty threats, it channels a very real danger. There are several examples over the past few years of hackers actually gaining access to an individual's computer, searching their files for private images and videos, and blackmailing them while monitoring their emails and controlling their webcam. With a piece of tape over your webcam, you're giving yourself one more layer of protection, and it is easy enough to remove when you actually do want to use it.
Unfortunately, these kinds of attacks are only going to continue. A few days after I'd gotten the message from "Sheldon," an email hit my inbox from an "Alonzo Sholz." He too had apparently hacked my computer, but he wasn't as merciful as Sheldon. He wanted $7000 in Bitcoin "to produce all this disappear completely."