Below is an example of a sextortion email. One of my clients received it this morning. These types of emails (or sometimes letters) are so effective because the criminal provides real information. The bad actors typically purchase personally identifiable information from the dark web after a data breach has made it available. The recipient sees that the email has real information about them. If they happen to be guilty of activities suggested in the email, fear of exposure sets in. The criminals are successful because they are likely to catch some guilt-ridden people in the scores of attempts they send out.
In addition to the extortion threat, if the recipient has used this password for other accounts, those accounts are now exposed because we know that this password has been traded on the dark web.
The lessons here are:
- Don’t reuse passwords.
- Don’t fall victim to scam attempts even if they use social engineering and real data.
- Secure your corporate data to avoid exposing your customers’ data.