In the last few weeks, there has been an upswing in people receiving threatening extortion emails demanding payment to avoid the release of sensitive information. Nearly all of the time, these are what we call "sextortion" emails, because they claim that malware on your computer has captured embarrassing photos of you through the webcam, but there are other variants on the same theme.

These extortion emails are nothing new, but with the recent increase in frequency, many people are looking for guidance. If you have received such an email and want to know how you should respond, you're in the right place. Read on!

Extortion claims

These emails are not all exactly the same, but they do share fairly common characteristics. Consider the following example:

Example extortion email text

This is fairly representative of many examples. It starts out by telling you that the scammer knows one of your passwords, and the password actually IS one of your passwords, which immediately ratchets up the fear and puts you in a mindset to believe that the rest of the message is also true. (Hint: it is not.)

Next, it tells you that the scammer knows other things about you, including photos of you doing something embarrassing, supposedly captured through malware on your computer. The message threatens to send these photos to people you know. Some variants may not involve this kind of "sextortion," but the general pattern, threatening to do something damaging with data stolen from you, is the same.

To prevent this, the scammer demands to be paid, usually in Bitcoin. There's usually a time limit on the payment as well, to put the pressure on and encourage fast action rather than seeking help.

Are the extortion claims true?

With one exception, none of this is true. There is no malware involved. The scammer does not have any of the claimed information. If you don't pay the demanded sum, nothing bad will happen. For the most part, these messages can simply be ignored.

Still, the one part that is true is the password, and that is the part that makes everything else seem more plausible. The password did not, however, come from malware on your computer. Instead, it came from a third-party data breach.

What happens is that a site you have an account on gets breached, and someone is able to extract a bunch of email addresses and passwords. How this happens is not particularly important for our purposes here, but the result is that two pieces of your personal information may have been published to various "dark web" sites: your email address and a password used with an account associated with that email address. Breaches like this are often years old by the time the lists circulate, which is why the quoted password is frequently one you set long ago.

This is very similar to someone writing your phone number on the wall in a bathroom stall: it becomes public knowledge, for anyone who knows where to look, and it can lead to a lot of harassment.

Once this information has become public, criminals can take these lists and send mass email to everyone on the list, quoting the password associated with each address. This is the real source of the seed of truth in these messages, not the fictitious malware the scammers want you to believe you're infected with.

So I can ignore this, right?

Well, yes and no. Yes, the threat itself is an empty one, since there's no malware. However, there's a real danger under the surface: you have a password that has become public knowledge!

If the password quoted is an old one that you no longer use on any account, then you're golden. You've got no need to do anything further. However, for many people, the password is one that is still in active use, and that presents a problem. This particular scammer decided to use the password to scare you, but there are other criminals out there who might decide to use it for more nefarious purposes, like taking over your online life!

To prevent this from happening, there are a few steps you'll need to take.

Step 1: Change your password

First and foremost, on any account using the password that was quoted, change your password. While you're at it, let's make sure the new one is a good, strong one. The best passwords are long, random ones, for example "vdBdq8GoDh8ELGm$qRdgXVTq." The longer the better.

It's also important to use a different password on every site. Password breaches will always happen, and attackers routinely take the email and password pairs from one breach and try them against other popular sites (a technique called credential stuffing). If you reuse a password, a breach at one site lets an attacker into your accounts at many others.

Okay, I hear you. No, I'm not expecting you to memorize ridiculous passwords for every site you have an account on. There's a solution to that problem.

Step 2: Use a password manager

A password manager is a program designed to remember your passwords for you. Password managers can keep a list of not just your passwords, but also which site you've used them on, the username you use to log in to that site, any security questions you use on that site, and so on.

A password manager can be as simple as a notebook you keep in a desk drawer. Of course, that's also something that can be read by anyone with access to your office, and it's not something you can easily carry around with you.

Password managers more typically come in the form of software, which encrypts your passwords under a single master password, syncs them between your devices, and much more.

You may have a password manager right at your fingertips already, as some web browsers have one built in. Examples include iCloud Keychain in Safari, Google Password Manager in Chrome, and the Firefox Password Manager.

Safari's password management settings

If you use a more obscure browser, don't want to use the built-in password manager, or just need something more powerful, you can consider something like 1Password or LastPass.

Whatever fits your particular needs, use it. A password manager is the only way you can realistically have long, strong passwords that are different on every site. Your password manager's "master" password becomes the only password you need to remember.

Creating a master password for your password manager follows the same simple rule as your regular passwords: the longer the better. Since you'll be typing this password regularly, it may be easier to use a passphrase, a string of words that have no direct meaning to you. Avoid birthdates and street addresses and lean into the chaos of your brain's random word generator: something like "cantankerousbuffalopotteryhypothesis." Better still, let the generator in your password manager (or a dice roll against a published word list) pick the words, since people are poor at choosing words at random and tend to drift toward things that are guessable.
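Putting Steps 1 and 2 together, here is an added example (not from the original article) of how a generator produces both kinds of secret described above: a long random password for a site, and a random passphrase for the master password. The point it demonstrates is that the picks come from the operating system's cryptographic random source (`secrets`), never from `random` and never from your head, and how to put a number on the result. It uses only the Python standard library. The word list is a small constructed sample so the block runs offline; a real passphrase generator draws from a list of several thousand words, and the 7,776-word diceware size appears only in the entropy comparison.

```python
"""Random password and passphrase generation with an entropy estimate.

Added example, not code from the original article or from any password
manager it names. Standard library only.
"""
import math
import secrets
import string

# Alphabet for site passwords: letters, digits and a handful of symbols,
# matching the shape of the article's example "vdBdq8GoDh8ELGm$qRdgXVTq".
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!$%&*+-=?@^_"

# Constructed sample word list (32 words, so exactly 5 bits per word). A real
# list such as a diceware list has 7,776 words; this one only makes the block
# self-contained.
WORDLIST = [
    "cantankerous", "buffalo", "pottery", "hypothesis", "marble", "lantern",
    "velvet", "orbit", "cactus", "tundra", "glacier", "saxophone", "pepper",
    "harbor", "quartz", "meadow", "fossil", "ember", "compass", "walnut",
    "ripple", "anchor", "saddle", "beacon", "timber", "nectar", "plaza",
    "thistle", "cobalt", "voyage", "kettle", "prairie",
]


def random_password(length: int = 24, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet` using the OS
    CSPRNG via secrets.choice (random.choice is predictable and must not be used)."""
    if length < 12:
        raise ValueError("12 characters is a sensible floor for a random password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Return `words` words picked uniformly at random from `wordlist`.
    The CSPRNG pick, not the word choice, is what makes the phrase unguessable."""
    if words < 4:
        raise ValueError("use at least four words for a master passphrase")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol`
    options: symbols * log2(choices). Valid only for generated secrets;
    human-chosen passwords have far less entropy than their length suggests."""
    return symbols * math.log2(choices_per_symbol)


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase()
    print(pw, f"({entropy_bits(len(PASSWORD_ALPHABET), len(pw)):.0f} bits)")
    print(pp, f"({entropy_bits(len(WORDLIST), 5):.0f} bits from this 32-word list;"
              f" {entropy_bits(7776, 5):.0f} bits from a 7,776-word list)")
```

The entropy figures are the useful part: five words from a 7,776-word list give about 65 bits, which is plenty for a master password that only ever protects a local encrypted vault, while five words from a 32-word toy list give only 25 bits, which is why list size matters more than word cleverness.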

Whoa, hold on a minute! Don't walk away yet. Having good passwords and a way to store them is only a small part of the battle. After all, a good password is no good as soon as the site gets breached and spills all its passwords. Believe it or not, there's something else beyond the password.

Step 3: Use two-factor authentication

Two-factor authentication (abbreviated 2FA) requires a second piece of information, in addition to your password, before you can log in to a website. This is typically a code, most commonly four or six digits, that you must enter during the login process.

The most common way to receive these codes is by text message on your phone. However, they can also be time-based codes that change every 30 seconds, generated by a variety of apps such as Authy, Google Authenticator, or some of the more full-featured password managers. App-generated codes are more secure than texted ones, because a text message can be read by anyone who manages to take over your phone number (so-called SIM swapping), but they are also less commonly supported, and codes sent to your phone by text message are still far better than nothing.

2FA token generated by Authy on an iPhone

Whatever type your accounts support, use it. It can take some time to set this up these days, when people often have a LOT of accounts, so just do it a few at a time until you're done.

For help figuring out what kinds of 2FA a site supports, see the Two Factor Auth site. You can search it for the site you're interested in, and it will tell you what types of 2FA that site supports (SMS and Software Token being the two types described above) and link you to the site's own documentation on how to set up 2FA.

For more information about 2FA, see Duo Security's Two-Factor Authentication: The Basics.

Step 3a: What if there's no 2FA?

Some sites don't support 2FA, offering only something like security questions instead… you know, "What's the name of your first pet," or "What street did you live on growing up," and any number of other similar questions. Here's the problem with these questions: the answers are easy to guess, and the information may already be public knowledge (or easy to dig out of your social media).

So, here's what you do if security questions are all you have to secure a site: lie! Never, ever use true answers to security questions. Instead, make something up. For example, maybe say your first car was a "Millennium Falcon." Or perhaps you drove an "avocado toast." Even better, say you drove a "dknO6RF%an!Fdke8."

By now, I'm sure you're not asking how you're supposed to remember these ridiculous answers, because you already know what the answer will be: use your password manager. Most password managers support arbitrary notes, so add both the questions and the nonsensical answers to a note for that login in your password manager.

Wrapping up

If you skipped to the end without reading the details (we hope you did not), here's the tl;dr: these messages are fake, there is no malware involved, and the only thing to be concerned about is the fact that one of your passwords is floating around in public.

Once you have followed all the instructions above to secure your online accounts, you'll have nothing left to do other than mark the message as junk and delete it (if you haven't already).

Keep in mind that no antivirus software can prevent you from seeing these types of extortion messages. Email systems or clients that do junk mail (spam) filtering can help to catch some of them, but they cannot be relied on to catch all of them. These scammers are sneaky, and are good at evading junk mail filtering.

The fact that you keep receiving these extortion messages does not represent a security issue, and you do not need to be afraid of these thugs. They are only a threat to your wallet, and only if you fall for their tricks and send them money. Otherwise, they cannot do you any harm… so long as you've secured your accounts so they can't use your leaked password against you.