Sadly, phishing emails are a part of modern life on the Internet. Bad people doing bad things exist in cyberspace as much as in the real world. Until technology surpasses the use of passwords to authenticate our identities, the password breach is likely here to stay. Couple bad actors with data breaches and you get some pretty outlandish attempts at fooling people into parting with their money.

You are aware of phishing emails from your security awareness training but one creative phishing tactic you may not have heard of is called, "sexploitation." It's called that because it preys on people's fear of being shamed or embarrassed in front of their family, friends, or coworkers.

Here's what is looks like:

From: W C <l1f6j0a5k@outlook.com> 
Sent: Wednesday, May 6, 2020 10:38 AM
To: Dan Wardon <dwardon@vcs.net>
Subject: Geude1t

 

𝙸 𝚔𝚗𝚘𝚠, 𝙶𝚎𝚞𝚍𝚎𝟷𝚝, 𝚒𝚜 𝚢𝚘𝚞𝚛 𝚙𝚊𝚜𝚜𝚠𝚘𝚛𝚍. 

𝙸 𝚗𝚎𝚎𝚍 𝚢𝚘𝚞𝚛 𝚌𝚘𝚖𝚙𝚕𝚎𝚝𝚎 𝚊𝚝𝚝𝚎𝚗𝚝𝚒𝚘𝚗 𝚏𝚘𝚛 𝚝𝚑𝚎 𝚝𝚑𝚎 𝚗𝚎𝚡𝚝 𝚃𝚠𝚎𝚗𝚝𝚢-𝚏𝚘𝚞𝚛 𝚑𝚛𝚜, 𝚘𝚛 𝙸 𝚠𝚒𝚕𝚕 𝚌𝚎𝚛𝚝𝚊𝚒𝚗𝚕𝚢
𝚖𝚊𝚔𝚎 𝚜𝚞𝚛𝚎 𝚢𝚘𝚞𝚝𝚑𝚊𝚝 𝚢𝚘𝚞 𝚕𝚒𝚟𝚎 𝚘𝚞𝚝 𝚘𝚏 𝚜𝚑𝚊𝚖𝚎 𝚏𝚘𝚛 𝚝𝚑𝚎 𝚛𝚎𝚜𝚝 𝚘𝚏 𝚢𝚘𝚞𝚛 𝚎𝚡𝚒𝚜𝚝𝚎𝚗𝚌𝚎. 

𝙷𝚒, 𝚢𝚘𝚞 𝚍𝚘𝚗'𝚝 𝚔𝚗𝚘𝚠 𝚖𝚎. 𝙱𝚞𝚝 𝙸 𝚔𝚗𝚘𝚠 𝚎𝚟𝚎𝚛𝚢 𝚝𝚑𝚒𝚗𝚐 𝚊𝚋𝚘𝚞𝚝 𝚢𝚘𝚞. 𝚈𝚘𝚞𝚛 𝚏𝚋 𝚌𝚘𝚗𝚝𝚊𝚌𝚝 𝚕𝚒𝚜𝚝, 
𝚜𝚖𝚊𝚛𝚝𝚙𝚑𝚘𝚗𝚎 𝚌𝚘𝚗𝚝𝚊𝚌𝚝𝚜 𝚊𝚜𝚠𝚎𝚕𝚕 𝚊𝚜 𝚊𝚕𝚕 𝚝𝚑𝚎 𝚟𝚒𝚛𝚝𝚞𝚊𝚕 𝚊𝚌𝚝𝚒𝚟𝚒𝚝𝚢 𝚘𝚗 𝚢𝚘𝚞𝚛 𝚌𝚘𝚖𝚙𝚞𝚝𝚎𝚛 𝚏𝚛𝚘𝚖 𝚙𝚊𝚜𝚝 
𝟷𝟽𝟹 𝚍𝚊𝚢𝚜. 

𝙸𝚗𝚌𝚕𝚞𝚍𝚒𝚗𝚐, 𝚢𝚘𝚞𝚛 𝚟𝚒𝚍𝚎𝚘 𝚌𝚕𝚒𝚙𝚜, 𝚠𝚑𝚒𝚌𝚑 𝚋𝚛𝚒𝚗𝚐𝚜 𝚖𝚎 𝚝𝚘 𝚝𝚑𝚎 𝚙𝚛𝚒𝚖𝚊𝚛𝚢 𝚛𝚎𝚊𝚜𝚘𝚗 𝚠𝚑𝚢 𝙸 '𝚖 𝚠𝚛𝚒𝚝𝚒𝚗𝚐
𝚝𝚑𝚒𝚜 𝚜𝚙𝚎𝚌𝚒𝚏𝚒𝚌 𝚖𝚊𝚒𝚕 𝚝𝚘 𝚢𝚘𝚞. 

𝚆𝚎𝚕𝚕 𝚝𝚑𝚎 𝚙𝚛𝚎𝚟𝚒𝚘𝚞𝚜 𝚝𝚒𝚖𝚎 𝚢𝚘𝚞 𝚠𝚎𝚗𝚝 𝚝𝚘 𝚜𝚎𝚎 𝚝𝚑𝚎 𝚊𝚍𝚞𝚕𝚝 𝚖𝚊𝚝𝚎𝚛𝚒𝚊𝚕 𝚘𝚗𝚕𝚒𝚗𝚎 𝚜𝚒𝚝𝚎𝚜, 𝚖𝚢 𝚖𝚊𝚕𝚠𝚊𝚛𝚎 
𝚎𝚗𝚍𝚎𝚍 𝚞𝚙 𝚋𝚎𝚒𝚗𝚐𝚝𝚛𝚒𝚐𝚐𝚎𝚛𝚎𝚍 𝚒𝚗 𝚢𝚘𝚞𝚛 𝚌𝚘𝚖𝚙𝚞𝚝𝚎𝚛 𝚜𝚢𝚜𝚝𝚎𝚖 𝚠𝚑𝚒𝚌𝚑 𝚎𝚗𝚍𝚎𝚍 𝚞𝚙 𝚛𝚎𝚌𝚘𝚛𝚍𝚒𝚗𝚐 𝚊 𝚕𝚘𝚟𝚎𝚕𝚢 
𝚏𝚘𝚘𝚝𝚊𝚐𝚎 𝚘𝚏 𝚢𝚘𝚞𝚛 𝚜𝚎𝚕𝚏 𝚙𝚕𝚎𝚊𝚜𝚞𝚛𝚎𝚙𝚕𝚊𝚢 𝚜𝚒𝚖𝚙𝚕𝚢 𝚋𝚢 𝚝𝚛𝚒𝚐𝚐𝚎𝚛𝚒𝚗𝚐 𝚢𝚘𝚞𝚛 𝚌𝚊𝚖. 
(𝚢𝚘𝚞 𝚐𝚘𝚝 𝚊 𝚝𝚛𝚎𝚖𝚎𝚗𝚍𝚘𝚞𝚜𝚕𝚢 𝚠𝚎𝚒𝚛𝚍 𝚙𝚛𝚎𝚏𝚎𝚛𝚎𝚗𝚌𝚎 𝚋𝚝𝚠 𝚑𝚊𝚑𝚊) 

𝙸 𝚘𝚠𝚗 𝚝𝚑𝚎 𝚏𝚞𝚕𝚕 𝚛𝚎𝚌𝚘𝚛𝚍𝚒𝚗𝚐. 𝙸𝚗 𝚝𝚑𝚎 𝚌𝚊𝚜𝚎 𝚢𝚘𝚞 𝚏𝚎𝚎𝚕 𝙸 '𝚖 𝚏𝚘𝚘𝚕𝚒𝚗𝚐 𝚊𝚛𝚘𝚞𝚗𝚍, 𝚓𝚞𝚜𝚝 𝚛𝚎𝚙𝚕𝚢 
𝚙𝚛𝚘𝚘𝚏 𝚊𝚗𝚍 𝙸 𝚠𝚒𝚕𝚕 𝚋𝚎𝚏𝚘𝚛𝚠𝚊𝚛𝚍𝚒𝚗𝚐 𝚝𝚑𝚎 𝚛𝚎𝚌𝚘𝚛𝚍𝚒𝚗𝚐 𝚛𝚊𝚗𝚍𝚘𝚖𝚕𝚢 𝚝𝚘 𝟼 𝚙𝚎𝚘𝚙𝚕𝚎 𝚢𝚘𝚞 𝚔𝚗𝚘𝚠. 

𝙸𝚝 𝚖𝚒𝚐𝚑𝚝 𝚎𝚗𝚍 𝚞𝚙 𝚋𝚎𝚒𝚗𝚐 𝚢𝚘𝚞𝚛 𝚏𝚛𝚒𝚎𝚗𝚍𝚜, 𝚌𝚘 𝚠𝚘𝚛𝚔𝚎𝚛𝚜, 𝚋𝚘𝚜𝚜, 𝚖𝚘𝚝𝚑𝚎𝚛 𝚊𝚗𝚍 𝚏𝚊𝚝𝚑𝚎𝚛 (𝙸'𝚖 𝚗𝚘𝚝 
𝚜𝚞𝚛𝚎! 𝙼𝚢 𝚜𝚘𝚏𝚝𝚠𝚊𝚛𝚎𝚠𝚒𝚕𝚕 𝚛𝚊𝚗𝚍𝚘𝚖𝚕𝚢 𝚌𝚑𝚘𝚘𝚜𝚎 𝚝𝚑𝚎 𝚌𝚘𝚗𝚝𝚊𝚌𝚝 𝚍𝚎𝚝𝚊𝚒𝚕𝚜). 

𝚆𝚘𝚞𝚕𝚍 𝚢𝚘𝚞 𝚋𝚎 𝚊𝚋𝚕𝚎 𝚝𝚘 𝚕𝚘𝚘𝚔 𝚒𝚗𝚝𝚘 𝚊𝚗𝚢𝚘𝚗𝚎'𝚜 𝚎𝚢𝚎𝚜 𝚊𝚐𝚊𝚒𝚗 𝚊𝚏𝚝𝚎𝚛 𝚒𝚝? 𝙸 𝚍𝚘𝚞𝚋𝚝 𝚒𝚝... 

𝙽𝚘𝚗𝚎𝚝𝚑𝚎𝚕𝚎𝚜𝚜, 𝚍𝚘𝚎𝚜𝚗'𝚝 𝚗𝚎𝚌𝚎𝚜𝚜𝚊𝚛𝚒𝚕𝚢 𝚑𝚊𝚟𝚎 𝚝𝚘 𝚋𝚎 𝚝𝚑𝚊𝚝 𝚛𝚘𝚞𝚝𝚎. 

𝙸 𝚠𝚘𝚞𝚕𝚍 𝚕𝚒𝚔𝚎 𝚝𝚘 𝚖𝚊𝚔𝚎 𝚢𝚘𝚞 𝚊 𝚘𝚗𝚎 𝚝𝚒𝚖𝚎, 𝚗𝚘 𝚗𝚎𝚐𝚘𝚝𝚒𝚊𝚋𝚕𝚎 𝚘𝚏𝚏𝚎𝚛. 

𝙿𝚞𝚛𝚌𝚑𝚊𝚜𝚎 𝚄𝚂𝙳 𝟸𝟶𝟶𝟶 𝚒𝚗 𝚋𝚒𝚝𝚌𝚘𝚒𝚗 𝚊𝚗𝚍 𝚜𝚎𝚗𝚍 𝚒𝚝 𝚝𝚘 𝚝𝚑𝚎 𝚍𝚘𝚠𝚗 𝚋𝚎𝚕𝚘𝚠 𝚊𝚍𝚍𝚛𝚎𝚜𝚜: 

1Kg7Siaff7yD*4S2jrZiTTe532sswtt66ki9_+@2!swFSTqdqBKCH7Rdagx 
[𝚌𝚊𝚜𝚎-𝚂𝙴𝙽𝚂𝙸𝚃𝙸𝚅𝙴 𝚌𝚘𝚙𝚢 & 𝚙𝚊𝚜𝚝𝚎 𝚒𝚝, 𝚊𝚗𝚍 𝚛𝚎𝚖𝚘𝚟𝚎 * 𝚏𝚛𝚘𝚖 𝚒𝚝] 

(𝙸𝚏 𝚢𝚘𝚞 𝚍𝚘 𝚗𝚘𝚝 𝚔𝚗𝚘𝚠 𝚑𝚘𝚠, 𝚕𝚘𝚘𝚔𝚞𝚙 𝚑𝚘𝚠 𝚝𝚘 𝚋𝚞𝚢 𝚋𝚒𝚝𝚌𝚘𝚒𝚗. 𝙳𝚘 𝚗𝚘𝚝 𝚠𝚊𝚜𝚝𝚎 𝚖𝚢 𝚒𝚖𝚙𝚘𝚛𝚝𝚊𝚗𝚝 𝚝𝚒𝚖𝚎) 

𝙸𝚏 𝚢𝚘𝚞 𝚜𝚎𝚗𝚍 𝚘𝚞𝚝 𝚝𝚑𝚒𝚜 𝚙𝚊𝚛𝚝𝚒𝚌𝚞𝚕𝚊𝚛 '𝚍𝚘𝚗𝚊𝚝𝚒𝚘𝚗' (𝚕𝚎𝚝'𝚜 𝚌𝚊𝚕𝚕 𝚝𝚑𝚒𝚜 𝚝𝚑𝚊𝚝?). 𝙸𝚖𝚖𝚎𝚍𝚒𝚊𝚝𝚎𝚕𝚢 
𝚊𝚏𝚝𝚎𝚛 𝚝𝚑𝚊𝚝, 𝙸 𝚠𝚒𝚕𝚕𝚟𝚊𝚗𝚒𝚜𝚑 𝚊𝚗𝚍 𝚞𝚗𝚍𝚎𝚛 𝚗𝚘 𝚌𝚒𝚛𝚌𝚞𝚖𝚜𝚝𝚊𝚗𝚌𝚎𝚜 𝚐𝚎𝚝 𝚒𝚗 𝚝𝚘𝚞𝚌𝚑 𝚠𝚒𝚝𝚑 𝚢𝚘𝚞 𝚊𝚐𝚊𝚒𝚗. 𝙸 
𝚠𝚒𝚕𝚕 𝚐𝚎𝚝 𝚛𝚒𝚍 𝚘𝚏 𝚎𝚟𝚎𝚛𝚢𝚝𝚑𝚒𝚗𝚐 𝙸 𝚑𝚊𝚟𝚎𝚒𝚗 𝚛𝚎𝚕𝚊𝚝𝚒𝚘𝚗 𝚝𝚘 𝚢𝚘𝚞. 𝚈𝚘𝚞 𝚖𝚊𝚢 𝚟𝚎𝚛𝚢 𝚠𝚎𝚕𝚕 𝚌𝚊𝚛𝚛𝚢 𝚘𝚗 
𝚕𝚒𝚟𝚒𝚗𝚐 𝚢𝚘𝚞𝚛 𝚛𝚎𝚐𝚞𝚕𝚊𝚛 𝚍𝚊𝚢 𝚝𝚘 𝚍𝚊𝚢 𝚕𝚒𝚏𝚎 𝚠𝚒𝚝𝚑 𝚣𝚎𝚛𝚘𝚌𝚘𝚗𝚌𝚎𝚛𝚗. 

𝚈𝚘𝚞 𝚑𝚊𝚟𝚎 𝚐𝚘𝚝 𝟸𝟺 𝚑𝚘𝚞𝚛𝚜 𝚝𝚘 𝚍𝚘 𝚜𝚘. 𝚈𝚘𝚞𝚛 𝚝𝚒𝚖𝚎 𝚋𝚎𝚐𝚒𝚗𝚜 𝚊𝚜 𝚚𝚞𝚒𝚌𝚔𝚕𝚢 𝚢𝚘𝚞 𝚌𝚑𝚎𝚌𝚔 𝚘𝚞𝚝 𝚝𝚑𝚒𝚜 
𝚎-𝚖𝚊𝚒𝚕. 𝙸 𝚑𝚊𝚟𝚎 𝚊𝚗𝚞𝚗𝚒𝚚𝚞𝚎 𝚌𝚘𝚍𝚎 𝚝𝚑𝚊𝚝 𝚠𝚒𝚕𝚕 𝚒𝚗𝚏𝚘𝚛𝚖 𝚖𝚎 𝚘𝚗𝚌𝚎 𝚢𝚘𝚞 𝚛𝚎𝚊𝚍 𝚝𝚑𝚒𝚜 𝚎𝚖𝚊𝚒𝚕 𝚝𝚑𝚎𝚛𝚎𝚏𝚘𝚛𝚎 
𝚍𝚘𝚗'𝚝 𝚊𝚝𝚝𝚎𝚖𝚙𝚝 𝚝𝚘 𝚙𝚕𝚊𝚢 𝚜𝚖𝚊𝚛𝚝.

The goal is to get you to believe they actually have video or other proof of some sort of embarassing thing, and will send that information to everyone in your contact list. Some fall for it because after all,  they have your correct password.

However, this whole thing is a scam. There is no malware, and they do not have access to your computer, nor do they have incriminating video of you. 

Here's what happens.

Think about the last time you heard about a data breach, whether it was Target, LinkedIn, Adobe, or many others. When passwords are used at multiple legitimate service providers, say your LinkedIn account, and one of those sites/services is compromised, those passwords wind up in the dark web amongst a very long list of other breached accounts that may number into the millions. These lists are marketed as commodities, to be bought and sold many times over.

Some bad actor purchases these compromised accounts and formats them to be used in phishing scams. They use a simple mail-merge script to send automated emails such as this one. They substitute the names, passwords, and email fields to make them appear personalized. In fact, these are completely automated programs that send out hundreds of thousands or even millions of emails hoping someone bites. And sadly, due to the sheer number of attempts, many people do. Why do people send out phishing emails? They do it to make money. 

If they send out 500,000 emails and only .25% reply, that's still 1250 people. Now lets say half of those people, 625, reply to the ransom by sending $2000, that's a huge number ($1,250,000) and that's why they do it. 

The best course of action is to periodically change your passwords. While people have accepted that this is good practice, and some services such as banks, and VCS, force periodic password changes, many people prefer to keep the same basic password pattern but merely change the number at the end. However, knowing this is a common practice, perpetrators will factor this into their brute force methods (again, automated scripts) and will try to see if they get a hit. So changing your password from $omeC0mpl3xP@s$w0rd to $omeC0mpl3xP@s$w0rd1 really doesn't do you any good. 

This is also a good reminder not to use the same password across multiple sites and services. If the breached password exists for some of your current services, you should immediately change it wherever it’s still active, even if only part of it is used. Even if it doesn't currently exist as part of a breach, there is a chance it's not "if" but "when."  So to mitigate this risk (and to drive the point home) never use the same password across multiple services.

Nowhere is this more important than when you're doing online banking. Passwords related to all financial information (i.e. banking, retirement accounts, investment accounts, budgeting apps, etc.) should be completely unique and complex. 

Many folks think it's impossible to remember all of these different passwords, and they're right. To help manage all of these different, complex passwords, we recommend using a password manager such as 1Password or LastPass. 

To check to see if any of the companies in which you do business have been breached, and if your credentials have been found to be on the dark web, please visit https://haveibeenpwned.com/ and enter any email to conduct a search.