We've heard lots of reports recently of people receiving emails from 'hackers' saying that their computer has been compromised and demanding a ransom, usually in the form of BitCoin, to prevent any further damage or embarrassment.
These emails are seemingly becoming more sophisticated, and in some cases even include your password to 'prove' the threat is genuine. Here's a helpful guide to show what you should do.
The chances are that the threat you've received is simply a hoax, designed to instil enough fear to lure even the strongest-willed user into paying a ransom; and there's some logic to this conclusion.
Think about it - if a hacker truly had access to your computer or email account, they could do plenty of damage without even telling you. They could use a key logger to record your bank card details when you type them in, or even your bank login credentials. This would allow them to syphon off money which could potentially go unnoticed for some time. What reason would they have to tell you they've been hacked and make you buy the Bitcoinfor them?
Another dead giveaway for me was the fact that they'd allegedly been spying on me... I don't even have a webcam!
This very common email doing the rounds includes your account password in the body of the message to prove the attack is genuine. Now this is very simple and very clever, and it's undoubtedly fooled many; but again the likelihood is that it's still a hoax, though the reason is equally troubling as it is reassuring.
Every year there's a story in the news about a big company that's been hacked. Ticketmaster, Dixons Carphone and British Airways, some of the biggest companies in the UK, have failed to keep hackers out. And when they get in, there's one thing they go straight for - your personal data. Very rarely do they care about stealing anything relating to the company itself, it's your password and credit card details that they want.
Now for the clever bit. This user data ends up becoming readily available on the dark web somewhere and obtained by the composer of the email, and these hackers know that people generally use the same (or very similar) password for everything. That's not a dig at the general population, I mean - who has the capacity to remember dozens of different login details? But in this instance, it gives the attacker terrible ammunition to use against you.
When a user sees an email containing their password (or at least a password they've used somewhere before), it's guaranteed to srike terror into their heart, and sadly the outcome is often devastating. The user then buys the Bitcoinor other digital currency in the hope that the threat goes away. But there never was a threat and what's worse is that digital currency is it's virtually untraceable. Once your made the payment, that's it.
Now I'm not saying that you should ignore the email entirely - that would be foolish. If someone has a password that you've used at some point in the past then there's clearly some room for improvement with your password variations and online security (and some work needed by businesses to protect your data of course). So why not take the opportunity to do a bit of housekeeping and make sure you're not leaving yourself open to any genuine threats.
If you don't have any antivirus software installed and running on your computer, then do something about this immediately! Don't make excuses like, "I don't visit dodgy websites therefore I won't get a virus" or "Surely that's only for people who make online payments". It's rubbish. The threat of attack is very real, it doesn't matter what sites you visit or what emails you open, it only takes one wrong step and you're compromised without ever knowing it.
Machines running modern operating systems will have an antivirus and firewall built in automatically, or you may have some free software like AVG; these will work just fine - just make sure they're enabled.
Below, we'll show you a great tool which checks your email address against a list of known hacked company data to see where the password used in the email originally came from. These should definitely be acted on by changing the password at the very least.
There's a useful website which checks your email address against a database of breached data when one of those big companies gets hacked. It's definitely worth checking out to see if you were part of their data slip at any point. www.haveibeenpwned.com
Companies have a duty under the General Data Protection Regulation (GDPR) to notify you if your data has been compromised, however in the past they've not been very good at this - either because their processes are poor or they (embarrassingly) don't even know what data has been stolen.
If your email address pops up on any of those lists, then you should definitely change your password with that business too. When I searched my email there were accounts which I hadn't used for years displaying on there - so I just shut those accounts down all together.
There are some really useful websites which exist for the primary purpose of password management. They help you to store all your login details in one convenient location whilst helping you with strong, unique passwords for each website you visit. Best of all, these are often encrypted which means that if you ever do get hacked, the scrambled passwords stored in the config file will be unusable by the modem-borne miscreant.
A good one that I've been using for some time is Dashlane. It's free and easy to set up, with premium features available including the ability to sync between your devices. www.dashlane.com
Another great tool is Two Factor Authentication, which most popular sites have the option to enable. When you sign it it'll ask for an authentication code either sent by text to your phone or using a separate (free) app on your mobile device. More on these options in a later blog.
In summary of all the things we've thought about in this post, if you receive an email claiming that someone has hacked you - they probably haven't. So don't panic, DO NOT pay any random, and use it as a good opportunity to review your security measures.
Sign up for our newsletter for updates on blog posts and Twist servicesSubscribe