Cybercriminals are taking old passwords bought and sold online from previous breaches and using them against unsuspecting victims in the latest sextortion scam making the rounds.
“They are taking old password databases that may have been leaked six, seven, or ten years ago,” said Sophos security expert Chester Wisniewski.
RCMP describe “sextortion” as incidents involving the threat of releasing shared intimate videos, images, or explicit messages online.
Burnaby RCMP have investigated 24 incidents of sextortion since May.
Police say some of those cases have resulted in victims transferring money to the suspect.
Wisniewski said it’s unlikely that criminals have compromising images of their target victims.
“Unless you happen to store some compromising pictures somewhere where you do use that password, even in that case, the criminals wouldn’t know. They’re just bluffing,” said Wisniewski.
Still, it’s important to protect yourself. A 2018 IBM-sponsored data breach study reported that 48 percent of all breaches are caused by malicious or criminal attacks.
“When you hear about your password being stolen in a breach on the news, if you use that password on more than one website, as soon as the criminals have it, they try to log on to Facebook with it and they try and log on to Instagram with it and then they try and log onto any banking website,” said Wisniewski.
That’s why it’s imperative that passwords be unique to each account and changed often.
Wisniewski recommends a password manager tool that can safely store and manage complex passwords in an encrypted database.
“That’s the key, not to use the same password everywhere and to try and make it complicated which means we don’t want to memorize it so it’s better to use a program and let it do it,” said Wisniewski.
While practicing safe password use is important, Wisniewski warns the best way to protect ourselves is to trust no one.
“If you are doing business with your bank, you have to call your bank,” he said.
“If you are doing business with the Canada Revenue Agency, you need to call the CRA. If anyone contacts you through any mechanism, whether that’s online, on the telephone, or even knocking on your door, those people cannot be trusted to be authorities.”