Scam e-mails

I recently received a scam e-mail and would like to share it with you.  By understanding how this scam works, you’ll be able to identify similar e-mails and help protect yourself.

This is an example of a fairly common scam e-mail.
  1. Check the subject of the e-mail. The author of this e-mail put my username and password (more on this in a moment) in the subject. By including my username and password in the subject, the scammer hopes to give the impression that they’ve hacked my PC, and the following e-mail is “legitimate.”
  2. Identify the sender. As you can see, the name of the sender is someone I don’t know, using an e-mail address of random letters from a free host. The e-mail address used here had no effort put into it, which tells me it’s a throwaway account and is being used to send scams.
  3. The first paragraph. The author of the e-mail starts with the seemingly terrifying message that he knows my password. Here’s the problem: while it was a password I’ve used in the past, I changed the password 15 years ago. Not a single account I have uses that password anymore.
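
The three checks in the list above can be written as a small mail-triage script. This is an added example, not part of the original article; the free-host list, the retired-password list, the vowel-ratio heuristic and the sample message are all assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed inputs: a few free mail hosts (freemail.example is a stand-in) and
# your own list of passwords you have already retired (constructed value).
FREE_HOSTS = {"gmail.com", "outlook.com", "yahoo.com", "freemail.example"}
RETIRED_PASSWORDS = {"hunter2-old"}

def looks_random(local_part: str) -> bool:
    """Heuristic: a long run of letters with few vowels rarely spells a name."""
    letters = re.sub(r"[^a-z]", "", local_part.lower())
    vowels = sum(ch in "aeiou" for ch in letters)
    return len(letters) >= 8 and vowels / len(letters) < 0.25

def scam_signs(raw_message: str, my_address: str) -> list:
    """Return which of the three warning signs from the list a message shows."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    _, sender = parseaddr(str(msg["From"] or ""))
    local, _, host = sender.lower().partition("@")
    body = msg.get_body(preferencelist=("plain",))
    opening = body.get_content().strip().split("\n\n", 1)[0] if body else ""
    username = my_address.split("@")[0].lower()
    signs = []
    # 1. Username and an old password placed in the subject line.
    if username in subject.lower() and any(p in subject for p in RETIRED_PASSWORDS):
        signs.append("credentials-in-subject")
    # 2. Throwaway sender: random letters at a free host.
    if host in FREE_HOSTS and looks_random(local):
        signs.append("throwaway-sender")
    # 3. Opening paragraph quotes a password no account uses anymore.
    if any(p in opening for p in RETIRED_PASSWORDS):
        signs.append("retired-password-in-opening")
    return signs

# Constructed sample message, not the e-mail the article describes.
SAMPLE = (
    "From: Unknown Name <xkqzvbtrwplm@freemail.example>\n"
    "To: jsmith@example.org\n"
    "Subject: jsmith : hunter2-old\n"
    "\n"
    "I know hunter2-old is your password.\n"
    "\n"
    "Second paragraph.\n"
)

if __name__ == "__main__":
    print(scam_signs(SAMPLE, "jsmith@example.org"))
```

A message that trips all three signs matches the pattern described here: breach data pasted into a template, not evidence of access to your computer.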

So, have I been hacked?  No.  What’s happening is very simple.  Over the years, I’m sure you’ve seen news reports about companies disclosing data breaches.  MySpace back in 2008 suffered a breach that saw usernames and passwords released, Adobe in 2013, MGM Resorts, LinkedIn, and the list goes on.  All of the information was published online.  Scammers then took this information and put it into this e-mail and sent it to me.

To anyone who hasn’t changed their password since these breaches occurred, it will appear that someone has hacked their computer and is now threatening them.

What actions can you take to help protect yourself?  First, visit the website https://haveibeenpwned.com/ and put in your e-mail address.  The search results will inform you of any online data breaches that may have released your information.

Next, change the password for any accounts that the website reports as being breached.  If you’re unsure whether or not you’ve changed the password since the breach, go ahead and change it anyway.  I also recommend changing the password for any other accounts that share the same password.

As a general rule, it’s best not to use the same password for multiple sites, and this is why.  If all of my accounts used that same password, it would only have taken one breach to allow a scammer into all of my accounts.  It may seem inconvenient, but the inconvenience of having multiple passwords is far less than that of dealing with compromised bank accounts.

Remember, your computer is not being hacked; the information is publicly available!