You’ve been hacked – or have you? You get an email from an unknown person telling you they have lots of information about you – they accurately list personal details like your home address.
What’s more, they claim to have embarrassing photos or videos of you, taken from your computer. You have to pay them a large amount of money in cryptocurrency, or they will reveal this information to the world.
This is the kind of scenario that can make some people really panic. But is it real?
Reports increasing
Reports to the NCSC of extortion and blackmail have been increasing over the past year.
“Around a year ago, we would get around 20 of such reports a quarter, now we are getting more than 80 a quarter,” says the NCSC’s Threat and Incident Response Team Lead, Tom Roberts.
“Fortunately, all these reports to date are from people who have spotted that these are a fraud. They have not paid out any money, and they’ve done the right thing by reporting to the NCSC.
“However, there may be people out there who did take the threats seriously – and don’t want to report out of embarrassment or fear.”
Personal information
What makes the situation unnerving for those subjected to this scam is the amount of information the scammer has about them.
For example, they might mention a person’s address, date of birth, or phone number.
“Being able to list this information to the target gives the impression they have been able to compromise the person’s devices or systems, and makes it seem believable that they may have compromising images or information.”
“We suspect that in most cases the criminals are bluffing – they don’t really have the information they say they do.”
Data dumps
There are a few ways that criminals can get hold of personal information. One way is through a data dump.
A data dump is a large amount of data in one place. These can result when cyber criminals illegally access an organisation’s network and exfiltrate large amounts of data, or the data could be illegally leaked. In other cases, organisations may accidentally leave sensitive files unprotected on the internet, where they are accessed by bad actors.
Sometimes such dumps are made available on the dark web, for other criminals to buy and make use of.
It’s an example of how one cyber security breach can lead to further incidents.
For example, a dump of email addresses might be purchased by criminals for use in phishing attacks.
Or, they could attempt credit card fraud, stealing someone’s identity and using it to open accounts or take on debt. Or use the information to target people and attempt to blackmail them.
“We can’t say for sure how criminals obtained the information they use to try to convince people that they have accessed their computer, but data dumps are a strong possibility.”
The main thing for people to be aware of is that cyber criminals don’t always have what they say they have.
“As with many types of cyber security threats, the key thing is to pause and take a moment to think before reacting.
How to protect your personal information
- Be careful giving out personal information – only provide what’s essential.
- Use long, strong, unique passwords.
- Use multi-factor authentication on your accounts.
- Lock down your social media privacy settings.
Don’t panic
- Extortion emails are a common type of scam – just because a scammer has personal details about you doesn’t mean the rest of their claims are legitimate.
- Change the passwords for any accounts you think may have been compromised, and add multi-factor authentication to those accounts if it’s available.
- Contact the NCSC and let them know about the extortion email.
- Check the Have I been pwned website External Link to find out if your info has been in a breach.