Shane Chambers

It’s 2018, and phishing emails are just an expected part of life for email users around the world, containing all manner of malware within concealed links and dodgy attachments. Most of us can recognise poorly spelled phishing emails that lack any real context, but what happens when something more complex hits your inbox? What if a cyber criminal emailed you your password – a real password you’ve used – and told you that they had compromising videos of you and more? What if they said that unless you pay a Bitcoin ransom, they would share this incriminating footage with everyone on your contacts list? That’s exactly what has been happening to thousands of Irish users, to both personal and corporate email addresses.

Cyber criminals are constantly looking for newer, more sophisticated ways to scam the general public and businesses through phishing

The emails are part of a global email extortion campaign. The password quoted in each message is genuine, but it was pulled from an earlier data breach of some website where the recipient had an account, rather than from any compromise of the recipient's own device. Email address and password combinations from such breaches are a commonly traded commodity on the dark web, the part of the internet criminals use to trade all manner of illicit goods and services.

Criminals obtain vast lists of real user data and leverage them for identity theft, account takeover attacks (trying the same email and password combination against other sites) and, as in this case, ransom and extortion attempts. In some cases the passwords quoted are quite recent; in others the data may be a few years old. Either way, anyone who receives one of these emails and recognises the password as one still in use on ANY website or service should change it immediately, and should enable 2-factor authentication so that a leaked password on its own is no longer enough to get into the account.
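One practical check a recipient (or a help desk handling these reports) can run is a Pwned Passwords k-anonymity lookup. This is an added example, not code from the original post or from SkOUT or Tech Guard. The client hashes the password with SHA-1 and sends only the first five hex characters of the digest to https://api.pwnedpasswords.com/range/<prefix>; the service replies with every known 35-character suffix under that prefix together with a breach count, and the match is done locally, so the full password never leaves the machine. The HTTP request is replaced below by a constructed response so the example runs offline; the response lines are made up, except that the first suffix is the real SHA-1 tail of the word "password".

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the Pwned Passwords "range" API response (assumption:
# this is sample data for the example, not a captured reply from the service).
# The real endpoint returns one "<35 hex chars>:<count>" line per known hash
# whose SHA-1 begins with the requested 5-character prefix. The first suffix
# below is the genuine tail of SHA-1("password"); the other two are arbitrary.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0FB2A0C5A9F3C1B7D6E8F0A1B2C3D4E5F60:2\r\n"
        "7A1C2E4F6B8D0A2C4E6F8A0B2C4D6E8F0A1:17\r\n"
    ),
}


def sample_fetch(prefix: str) -> str:
    """Offline substitute for an HTTP GET of /range/<prefix> (constructed data).

    In a real client this would be the only network call, and the only thing
    it transmits is the 5-character prefix.
    """
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch: Callable[[str], str] = sample_fetch) -> int:
    """Return how many times `password` appears in the breach corpus (0 if never).

    Only the first 5 hex characters of the SHA-1 digest are sent to `fetch`;
    the remaining 35 are compared locally against the returned suffixes.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        verdict = f"seen {n} times in breaches, change it" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

To use this against the live service, replace `sample_fetch` with a function that performs the GET and returns the response body; the rest of the logic is unchanged. A count of zero means the password is not in the corpus, not that it is strong, so it complements rather than replaces the advice to use a unique password per site.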

According to SkOUT Secure Intelligence, a cyber security technology and solutions firm with its EMEA headquarters in Co. Laois, there has been a sharp rise in the number of extortion emails being sent across Europe, particularly to Irish inboxes.

“Recipients of these emails may feel coerced into paying the ransom. This is because the password referenced in the email was, in fact, one that they had previously used in an online account and that was tied to their email address,” according to SkOUT’s CTO, Jessvin Thomas. “The fact that cyber criminals have a lot of recent information may lead recipients to give up additional personal information, which in turn could lead to higher ransoms”.

We would urge anyone who receives an email like this not to engage with the criminals in any way: do not pay, do not reply, and definitely do not open any links or attachments. Instead, report the email as a scam and change the quoted password wherever it is still in use. As general advice, we always recommend enabling 2-factor authentication on your online accounts, particularly those tied to sensitive data such as your email, social media accounts and online payment services.

It is also important to use a distinct password for every website or service, so that one breached site does not hand criminals the key to all of your accounts. Passphrases are a good option for users who struggle to remember complex passwords, and a password manager takes care of keeping track of the many passwords your various services require. Free password managers such as LastPass are available for consumers, and there are paid enterprise-level services for businesses that want to build a better security culture within their organisation and reduce their risk.

Tech Guard has seen a number of these attacks hitting corporate email accounts at both small and large businesses. These pose a serious threat to company security, and are especially worrying under the GDPR. As always, the first and most important step in reducing your risk from phishing is to train staff on a regular basis and follow up with simulated phishing emails.

This proven approach helps keep security top-of-mind and ensure that users can identify and correctly deal with phishing emails – as well as demonstrating to data protection authorities that you are being proactive about keeping your sensitive data safe.

Speak to Tech Guard today to inquire about our security awareness training and simulated phishing service!