Have you gotten an email from yourself today?

October 24, 2018

Elizabeth from Client Services here. Have you gotten an email from yourself recently? More specifically, an email from your own address with one of your old passwords in the subject? This isn’t a new scam, but there’s been a resurgence in the past week. I myself received an email today from my personal account from someone who claimed he was able to hack my email using an old password (which he helpfully included), so he stole my contacts, infected my computer, and spied on me. He said he’d saved my entire browsing history, accessed my webcam, and taken compromising photos of me. He asked for $843 in Bitcoin or he’d send these photos to my contacts, and threatened,

“There will be laughter when I send these photos to your contacts! I expect payment for my silence.”



Sample of email I received this morning

Now, I admit the fact that he sent it from my email and included a real password of mine, albeit one I haven’t used in years, was startling. But there were a couple of things that didn’t quite add up. One, the password he offered was never a password I’d used for that email address. Two, it was a typical sort of automated plug-and-play scam where the only personalized features were my email and old password. These two facts told me that this was someone who’d found my email address and password from a previously compromised site I hadn’t accessed in years, or a database of leaked passwords from long ago.


So, this person didn’t actually hack my email, infect my computer, compromise my webcam, or take photos of me. He spoofed my email address to make it look like he had access to my inbox, and he’s trying to scare me into paying him off. As I’ve posted before, it’s never a good idea to pay off a scammer: you’re making yourself a target for future scams, because now they know you’ll pay. But what should I do instead?


One, I should always have two-factor authentication enabled on any website I access that offers that feature. Two-factor (or multi-factor) authentication varies by site, but entails entering more than just a password in order to log into my account. It might be a six-digit code that gets texted to me, geolocation, or even voice recognition. I review two-factor authentication methods Facebook employs here.


Two, I should make sure I never use the same password twice. It would be nearly impossible to remember all the passwords for every site that requires me to log in, and for that, there are reputable cloud-based password managers I might take advantage of. Locally, I could create an encrypted spreadsheet in Excel, where the only password I’ll have to remember is the one that unlocks the spreadsheet.


Three, although there are different schools of thought, it’s generally accepted that long passwords including upper- and lowercase letters, numbers, and special characters are the safest. I should ensure that all of my current passwords are long and strong, and it might not be a bad idea for me to go around changing my passwords as a precaution. Again, it is extremely unlikely that this hacker actually has anything other than my email address and an old password, but I’d rather be safe than sorry.


This is an incredibly clever, harmful, and sick scam these people are perpetrating. It’s easy to understand why someone would be scared enough to pay the ransom. That’s what cyber criminals are banking on. The final thing I should do when I get an email like this is delete it – from my inbox, from my junk mail, right out of my deleted items. I shouldn’t click anything, I shouldn’t respond, and I definitely shouldn’t pay.
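The spoofing described above leaves evidence in the message headers, and the check below reads it. This is an added example, not part of the original post. It assumes the receiving mail server stamps an `Authentication-Results` header (RFC 8601) under the constructed server name `mx.example.net`; the sample messages, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: headers as a receiving server might record them for a
# message whose From line was forged to match the recipient.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=victim@example.com;
 dkim=none; dmarc=fail header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: [old password here]

pay up
"""

# Constructed sample: a note the user really sent to themselves.
GENUINE = SPOOFED.replace("spf=fail", "spf=pass").replace(
    "dkim=none", "dkim=pass header.d=example.com").replace("dmarc=fail", "dmarc=pass")

def auth_results(msg, trusted_authserv_id):
    """Collect spf/dkim/dmarc verdicts, only from headers stamped by our own server."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = str(header).partition(";")
        if authserv_id.strip().lower() != trusted_authserv_id:
            continue  # a sender can add this header too, so ignore foreign ones
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def assess(raw, trusted_authserv_id="mx.example.net"):
    """Flag mail that claims to come from its own recipient but fails DMARC."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    recipient = parseaddr(str(msg["To"]))[1].lower()
    verdicts = auth_results(msg, trusted_authserv_id)
    self_addressed = bool(sender) and sender == recipient
    if self_addressed and verdicts.get("dmarc") != "pass":
        label = "likely spoofed"
    elif self_addressed:
        label = "authenticated self-sent"
    else:
        label = "not self-addressed"
    return {"self_addressed": self_addressed, "auth": verdicts, "label": label}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, assess(raw))
```

Most mail clients expose these headers through a "show original" or "view source" option on the message.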