Passwords. They've been a keystone of IT security since the dawn of the internet. 

We have rules about how many letters, numbers, and special characters we have to use in our passwords. Some websites even make us change our passwords every so often so that they won't be guessed or stolen.   

All of these security measures exist so that hackers won't take our passwords and use them to infiltrate our accounts and machines. But new password scams are adding yet another worry to the list – cybercriminals who use your credentials as blackmail bait.

Extortion-Based IT Scams – What Are They and How Can You Fight Back?

Cybercriminals know that you're worried about keeping your passwords secure. Now, they’re using that knowledge to get you to give them money.

Sometimes, the perpetrators will email you pretending to be the “good guy.” They’ll say that some unnamed nefarious person has gotten ahold of your passwords and gotten into your computer. They then offer their services – for a fee, of course – to help recover this information and keep it off the Internet.

This one is a double scam. The cybercriminals have no intention of protecting you from harm. And if paying them to do nothing wasn't bad enough, here's the clincher – that unnamed nefarious person wasn't real in the first place.

The Newest Scam – "Sextortion"

One particular password extortion scam has been getting a lot of press lately. It's become known as “sextortion.”

When they conduct sextortion scams, cybercriminals message you and tell you that they've gained access to your passwords. They claim that they've used those passwords to get into your computer and hack your webcam, which the perpetrators say allowed them to capture video of you watching adult videos online.

These are essentially blackmail schemes. The email will say that if you don't pay the sender, he or she will release video evidence of your alleged pornography habits. And it will happen whether or not you've ever actually watched this kind of content.

Separating Fact from Fiction

Just like in other password scams, the sender of the sextortion message hasn't actually hacked into your system, and they don't have video evidence of you doing anything. 

But they may have one of your old passwords. Usually, they've gotten it because it's on the internet due to a past data breach.

Wait ... Data Breach? Someone Has My Password? 

It's very possible that at some point in your browsing life, you entered information into a website that a hacker was able to infiltrate. These events can lead to the theft of millions or even billions of records.

The biggest data breach ever happened in 2013, when cybercriminals hacked into Yahoo and stole 3 billion records. High-profile database hacks have also struck Reddit, Equifax, Target, eBay, and other major corporations. And recently, four major banks and the US federal government were the targets of a data breach that collected information about millions of loan and mortgage customers.   

If you had an account with a company that's been hacked, it's very likely that you've heard about the breach. You may even have already changed your password. 

If not, you want to change it as soon as possible. A password extortion scammer hasn't necessarily used it to get into your system yet, but that doesn't mean that someone can't.

How to Protect Yourself

First, to see if any of your passwords might be available to hackers, visit Have I Been Pwned (pronounced “poned”) and enter every email address you've used in the recent past. If any of those addresses show up in a known breach, change the password on the affected account, assuming you haven't already. Make sure not to change it to a password you're already using elsewhere.
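The step above checks email addresses on the Have I Been Pwned website. The same service also exposes its Pwned Passwords data through a "range" API that lets you test a password without ever sending it (or its full hash) anywhere: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every breached-hash suffix that shares that prefix, then matches the remaining 35 characters locally. The script below is an added example, not code from the original post or from Have I Been Pwned; it assumes the public range endpoint at `api.pwnedpasswords.com/range/<prefix>` returning `SUFFIX:COUNT` lines, and the sample response and its count are constructed so the check can be exercised offline.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

# Pwned Passwords k-anonymity range endpoint (assumed URL; see lead-in).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the upper-case hex digest
    into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Scan a 'SUFFIX:COUNT' response body for our suffix.
    Returns the breach count, or 0 if the suffix is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-char hash prefix leaves the machine."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the breach corpus
    (0 means not found). `fetch` is injectable so the logic can be tested offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The suffixes and counts below are made up for this example, not real API output.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "00000000000000000000000000000000001:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7",
])


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range that returns the constructed body."""
    return SAMPLE_RANGE_RESPONSE


if __name__ == "__main__":
    for candidate in ("password", "a-constructed-unique-passphrase-2024"):
        n = pwned_count(candidate, fetch=fake_fetch)
        verdict = f"seen {n} times in breaches" if n else "not found"
        print(f"{candidate!r}: {verdict}")
```

Swap `fake_fetch` for the default `fetch_range` to query the live service; because only a hash prefix is transmitted, the check does not reveal which password you are testing.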

Staying Safe from Scammers

In addition to changing passwords on accounts that you know were compromised in data breaches, there are a number of other strategies you can use to keep from falling victim to extortionists. 

  • If you have any suspicion at all that an email sender is a scammer, don't give them any personal information. 
  • Use different passwords for all of your accounts. (If you have a lot of accounts, consider using a password manager.)
  • Keep your antivirus software updated. 
  • Cut off communication with the scammer. 

The most important thing you can do, however, is not to send any money in response to these emails.

Protecting Your Employees

If you are a business owner, executive, or manager, you're probably concerned not only with the IT security of your own accounts but also with those of your employees and your company as a whole. Scammers are constantly evolving their tactics and have learned to target businesses by phishing their employees, and it's extremely time-consuming to keep an effective security strategy in place.

More and more, savvy businesses are hiring external IT services to keep an eye on these kinds of threats. Chicago IT company BKS (Business Knowledge Systems), a managed service group, is one of these companies. It offers a comprehensive suite of services to not only keep company accounts secure but also ensure that effective backup and recovery plans are in place.