Got A ‘Day Of Hack’ Email With Your Password? Here’s 3 Things To Do Now

Published on February 21st, 2021


Have you got a disturbing email from a hacker with your password? Please don't panic; I've got your back.

There's something alarming and shockingly personal when you get an email from a hacker who claims to have compromised your computer and has the password to prove it. But take a deep breath, all is not as bad as it seems: here's exactly what you need to do next.

So, you've got an email from a hacker with your password?

The two most common email pleas for help that land in my inbox are those from people who are convinced their smartphone has been hacked and people, mostly women, who a hacker has emailed with their password. Of the latter, the emails they are talking about seem increasingly to have "Day of Hack" in the subject line, along with a password that has, indeed, been used by the recipient.

That more women than men contact me for help is not surprising given that the sender of the email, the supposed hacker, also claims to have a compromising video of them due to being able to control their computers and webcams. Yes, we are talking about sextortion again, a particularly nasty method of trying to extort bitcoin from victims and one that is showing no signs of going away any time soon. Indeed, these scams seem to have surged somewhat during the pandemic, perhaps looking to leverage the raised anxiety levels that have been visited upon so many of us.

The 'Day of Hack' sextortion threat

While sextortion scams do evolve and details change over time, the Day of Hack script has now become a permanent fixture. It is so called thanks to the broken English subject line that reads: "I know [your password] is one of your password on day of hack." The password that is cleverly included in the subject line to grab the attention and create fear in the recipient is, indeed, a password known to them. Whether you have received a Day of Hack email or any variation, dealing with it remains the same. I'll get to that in a moment; first, let's look at how this supposed hacker knows your password in the first place.


Does this hacker really know my password?

The simple answer is yes, patently they do because it's displayed right there in the Day of Hack email subject line. It's a little more convoluted than that, though, and this doesn't mean they also have control of your computer, webcam or email. How so? Well, the first thing to consider is which password they have. If you only use a small number of passwords repeatedly for different sites and services, the chances are that the password has been found amongst those stolen during a data breach at one of the services involved. If this is the case, the chances are equally high that you'll already have been notified of that breach and advised to change the password anywhere else you use it as well. Reusing passwords is sadly all too common a practice and one that needs to change: now would be a good time, it has to be said. Whatever, if you recognize the password but can't remember where you used it, then check the excellent and free Have I Been Pwned database to see where passwords associated with your email address have been compromised and exposed. Breach databases are traded on the dark web and in cybercrime forums, and the sextortion scammers make use of these. Your panic is a knee-jerk reaction, and one that the scammer hopes will convince you that they are in control while you are not, so that you will pay the money they are asking for. This is why it's always important to take a breath, step back from the screen and think about what is being said with your logical brain engaged.

Could this hacker have control of my email, computer and webcam?

Again, yes, they could. But the chances of that being the case are minimal indeed. So small, I would say, as to be dismissed if you have received a Day of Hack email. Think about it: if the hacker controls your computer, why would they send you an email? Ransomware is readily and cheaply available to cybercriminals and much more likely to result in a payment being forthcoming than claiming to have filmed someone masturbating to online porn. Indeed, if they had got compromising video, then why have they not included a small clip as proof? Surely that would be the way to ensure payment? One victim of this despicable fraud campaign told me that the email sender had said that if she wanted proof, they would send one video to eight of her contacts. Again, designed to inspire fear but logically not something that really makes any sense when they could just have sent it to her instead. Unless, of course, they have no such video, only the empty threats.


What should I do now?

Keep calm and ignore the so-called "elite hacker" who is just using a scripted email threat. How do I know it's scripted? Because hundreds of concerned people have forwarded copies of the threatening sextortion email to me over the last year or so. The only thing that changes between one threat and another is the password included and, likely because of Bitcoin exchange rates rising so quickly, the ransom sum being demanded. The criminal hiding behind the email knows that the average person isn't going to respond to a demand for $10,000 (£7,150) and would be more likely to either ignore the email or report it to the police. Instead, they calculate that around $1,000 (£715) is the sweet spot to get paid.

Here are typical extracts from that script, which you may well find familiar:

"When you were viewing videos, your browser started out operating as a RDP having a key logger which provided me with accessibility to your display and web cam."

"My malware obtained every one of your contacts from your Messenger, FB, as well as email account."

"I actually placed a malware on the adult porn website and you know what, you visited this site to experience fun."

"If I do not receive the bitcoin; I definitely will send out your video recording to all of your contacts including friends and family, co-workers, and so on."
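Because the script barely changes between campaigns, a mail administrator can flag it mechanically. The following is an added example, not code from the article: it matches the subject template and the extracts quoted above, and the function names, scoring threshold and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Subject template quoted in the article; the password is the only variable part.
SUBJECT_RE = re.compile(
    r"I know\s+(?P<pw>.+?)\s+is one of your passwords?\s+on day of hack", re.I)

# Phrases taken from the script extracts quoted in the article (lower-cased).
SCRIPT_PHRASES = (
    "rdp having a key logger",
    "my malware obtained every one of your contacts",
    "placed a malware on the adult",
    "if i do not receive the bitcoin",
)
DEMAND_RE = re.compile(r"\$\s?(\d[\d,]*)")

# Constructed sample message (placeholder addresses and password).
SAMPLE = """\
From: sender@example.invalid
Subject: I know hunter2 is one of your password on day of hack

My malware obtained every one of your contacts from your Messenger, FB,
as well as email account. If I do not receive the bitcoin; I definitely
will send out your video recording. Send $1,000 in bitcoin.
"""

def mask(secret):
    """Keep only the first and last character so the full value stays out of logs."""
    return "*" * len(secret) if len(secret) < 3 else secret[0] + "*" * (len(secret) - 2) + secret[-1]

def triage(raw_message):
    """Return a verdict for one RFC 822 message given as text."""
    msg = message_from_string(raw_message)
    m = SUBJECT_RE.search(msg.get("Subject", ""))
    body = msg.get_payload()
    body = " ".join(body.lower().split()) if isinstance(body, str) else ""
    hits = [p for p in SCRIPT_PHRASES if p in body]
    demand = DEMAND_RE.search(body)
    return {
        # Assumed threshold: the subject template alone, or two script phrases.
        "day_of_hack": bool(m) or len(hits) >= 2,
        "password_hint": mask(m.group("pw")) if m else None,
        "script_phrases": len(hits),
        "demand_usd": int(demand.group(1).replace(",", "")) if demand else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The masked hint tells the recipient which credential to rotate without the ticket or log storing the password itself.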

As to what you should do, that can be summed up in three simple steps:

1. If you haven't already, change the account password for whatever service the one in the email applies to. If more than one, change them all with unique passwords. A password manager makes this easy to do and will result in stronger, safer passwords that you don't have to worry about remembering every time you want to log in to an account.

2. While changing those passwords, look in the security section of the account configuration to see if two-factor authentication (2FA) is an option. If it is, then use it. This is, most often, by way of a one-time numerical code that is securely sent to a smartphone app. Google Authenticator and Authy are among the most commonly used and recommended. If the only 2FA option is for a code sent by text message (SMS), opt in. It's not as secure as the authenticator apps, but a whole hill of beans better than no 2FA at all.

3. Report the email to the relevant authorities. In the U.S., you can easily report the fraud attempt to the Federal Trade Commission (FTC). In the U.K., you can forward the email to report@phishing.gov.uk, and there's more information about this from the National Cyber Security Centre (NCSC).
