Scammers out to blackmail you after big data breaches
New warning from the FBI about extortionists in your inbox.
You may worry about someone stealing money from your bank account after a big data breach. But federal agents are warning that the bad guys are trying another tactic—not stealing, but asking you for the money directly.
Problem is, they’re adding some “undue influence”—what some would call blackmail.
Consider this message that arrived in a victim’s e-mail, according to a new warning from the Internet Crime Complaint Center, or IC3.
“Unfortunately your data was leaked in a recent corporate hack and I now have your information,” the messages say. “I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”
Go ahead, you might say. But the scammer threatens to release sensitive personal information that you don’t want to see made public.
“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address,” the messages read.
The payment demanded can range from two to five bitcoins—about $250 to $1,200, according to IC3.
“If you think this amount is too high, consider how expensive a divorce lawyer is,” the scammers say. “If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”
To pay or not to pay
Do they have the goods on you, or not?
It can be hard to tell if they really do have your information from the many large data breaches, including Tumblr, LinkedIn and MySpace, reported just in the last month.
In addition, reports say hackers have been peddling details from adult hook-up site Fling.com and dating site BeautifulPeople.com. Some of the information is said to contain sex preferences and private messages.
The bad guys move quickly, sending the e-mails out soon after news of a large hack, according to IC3, so they may simply be hoping you feel guilty—about something, somewhere—and pay up.
The scammers typically give you a tight time frame to pay, cutting down your time to think and investigate.
Real or not, should you pay?
“The FBI does not condone the payment of extortion demands as the funds will facilitate continued criminal activity, including potential organized crime activity and associated violent crimes,” the IC3 warning says.
Cut down your risk
You can take some steps to keep the blackmailers at bay.
“We have access to your Facebook page as well,” one message reads. “If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”
Combat this by not keeping sensitive or embarrassing images of yourself online or on your phone, IC3 says.
And remember this long-standing advice for the connected world—don’t write anything online that you wouldn’t want your grandmother to see.
“We have some bad news and good news for you,” another blackmail message reads.
“First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”
For those with guilty hearts, this may be frightening. If you’ve been “living clean,” you may be more concerned with what they can do with your money and your identity.
IC3 says you should not communicate with the sender, and not send any sort of personal details to that person. You may want to change your passwords, and if so, use strong passwords and vary them for each account and site you use.
Check your security settings for your social media accounts—make sure they are turned on, and at the highest level of protection possible, adds IC3.
If you do have to give credit card details, personally identifiable information or other sensitive things online, make sure you are sending securely—look to see that the URL prefix includes https, or that the status bar shows a lock icon.
Keep watch over your bank statements and check your credit report at least once a year.
If you get the message
The IC3 advises you not to open e-mail from people you don’t know. But if you get one of these messages, they want to hear about it.
Contact your local FBI field office, the warning says, and file a complaint at www.ic3.gov.
Write the words ‘Extortion E-mail Scheme’ in your complaint, they ask, and include any relevant information like the extortion e-mail with header information and the Bitcoin address, if possible.
The payments demanded in this latest round of blackmail messages are small compared to money demanded from people in the hack of the adult hook-up site Ashley Madison. Some extortionists demanded $2,500 to more than $4,000 from people signed up on the site, and even their spouses, The Guardian reported.
But paying up does not mean the information will be kept quiet, noted Business Insider at the time.
“To be identified as a user of Ashley Madison — a site designed to facilitate infidelity — will almost always be publicly damaging,” Business Insider said. “But because the dump of Ashley Madison user data was public, there is no guarantee that a victim who pays up won’t be targeted again by someone else.”