Episode #107: Here Comes the BRIBE
When hacking, phishing, and scamming get really, REALLY personal.
A.I. Notification: No part of this episode was written or edited by artificial intelligence. The image above was created using A.I., specifically the Flux Image platform.
Introduction
Over the course of my 2-plus decade career in tech, I’ve seen a lot of security threats, hacks, and phishing (or email) scams. But the past two weeks, I’ve gotten something new in my inbox that has the potential to scare the crap out of most people, so I want to help alert and reassure you.
Most odd, quirky, or not-just-right emails are scams. Most are poorly designed. But some have the ability to strike your heart with fear.
This is when knowing how to breathe, take a moment, and then look for clues is extremely important.
I needed this myself in the past few weeks, so let’s jump right in to break down what happened to me.
The Email
I received a relatively bland-looking email with an attachment from a name/address that I didn’t recognize. But… What I did recognize - right there in the body of the email - was my family’s correct home address and one of my phone numbers, also listed correctly. That got my attention quickly:
There was also an attachment, as you can see: a PDF file. I clicked to open it and was shocked, scared, and not initially sure what to do. Here’s what the PDF attachment said, in full, with my personal info redacted.
Read everything, then join me after the break below to discuss and debrief.
WTF Just Happened to Me?!
Let me break down what happened to me emotionally and why I made the decision to NOT pay this person a dime.
They Have My Real Info?!?
This person (it was, more likely, a group) had my email address, my HOME address, and a work phone number. All of that is shocking to see in an email. I felt angry, violated, and scared. After all, if they had my contact info, then they could call, write, or visit me. And we have a small child in our home.
So that was a lot. I needed to take a breath.
They Have Video of Me Doing WHAT?!
The PDF attachment explains that they placed malware on my PC that enabled them to covertly record video of me looking at pornography and ALL of my contacts. They could, they threatened, send videos of me looking at these sites to everyone I know.
Like the vast majority of people in the United States, I’ve looked at porn. Since I’m sex positive, that’s included watching solo and with my wife. So… I needed to take a breath here as well.
Although I’ve got zero issues with consenting adults making or watching porn, I’ve got more than a FEW issues with videos of me and/or my wife watching porn being shared with the outside world. Because, you know, #privacy
They Want HOW Much Money to Go Away?
They asked for $1950 to go away, a rather random (and large) amount of money for someone to - as they wrote - “not send this garbage to every single of your contacts”.
Not only don’t I have a spare $1950 lying around, but I also don’t have a Bitcoin Wallet, because I don’t yet believe in the safety of cryptocurrency. Additionally, there was no way possible for me to give them what they wanted in “one day”.
They Have a Picture of My House?!?
This was the item that shocked me the most. The picture in their PDF attachment was, indeed, a partial picture of the front of my house. My initial thought: maybe they snapped the photo while driving past my house and simply wanted to be covert.
It was scary.
How I Proceeded
After I took a breath, I took a closer look at what I’d been sent, one thing at a time. I started with the scariest thing of all…
The House Photo
There was SOMEthing about that photo that didn’t make sense. Why did they take a picture of the side of my house? I mean… yes, it is CLEARLY my house in the image, complete with our child’s sidewalk chalk drawings. But it’s like they took the picture really quickly as they sped past in a car and then… kind of missed. The photo shows only a corner of our garage and then some of the side yard. It seemed like an odd way to threaten someone.
“Hey, here’s a picture of the corner of your house. Give me $1950.” I wasn’t buying.
I followed my “this looks like it was taken from a moving car” instinct and headed over to Google Maps, entered our home address and then clicked on the button at lower right to enter Google’s “street view”. Here’s what I found:
Look familiar?
Even more telling was something I found when I looked closer at the image in the PDF. There, I saw something I didn’t see the first time through my panic and fear: a watermark on the image, letting me know that it was an image from Google.
At that point, I realized it was a scam and breathed easier again. Anyone who has my address can plug it into Google Maps and get the same image. Big whoop. However… these folks had still managed to grab a bunch of other PPI from me. I’d need to address that next.
The Personal Information
Somehow, these folks had my home address, phone number, and email address. However, when I stopped and thought about it further…
The phone number they acquired is an old Google Voice number, not my personal cell phone number
The email they acquired is a secondary, rarely used email address, not my personal “friends and family” email address
The reason those two crucial and very private data from my life weren’t stolen is because I went out and classified those data as “top secret”, something I’ve urged EVERYONE to do here, here, and here on Medium.
I’ll do so again now: go out and get a second set of personal information to share. This includes secondary phone numbers, email addresses, and mailing address. Not only is doing so 100% legal, it’s 100% necessary in today’s digital age.
This email scam is exACTly the reason why. So here’s the brutal truth:
At this point, you should assume that your data will be stolen by hackers, put up for sale on the dark web, purchased by malicious hackers, and then used in email scams like the ones that were sent to me.
In fact, don’t just assume it: EXPECT it.
Expect it. In today’s world, massive data breaches now regularly expose the personal information of billions of people all at once. This is why I continue to pay for DeleteMe (affiliate link), a service that scrubs my personal, private information (PPI) from the internet.
“The service you’re paying for obviously isn’t working, David!” you cry. “They got your actual home address!”
True.
However, my personal cell phone number and email address weren’t captured. And given that both of those data have FAR more ability to disrupt my life - I’d call that a win.
As for my home address, we purchased it within the past two years. As a result, there are all kinds of newly emerging public records relating to that sale — and ALL real estate sales — on any number of public-facing county, city, and state record databases.
I wouldn’t expect those data to be scrubbed just yet. They will eventually, though. So I’m very happy to continue paying for services from DeleteMe.
Given everything that happened, the obvious question still remains…
What Did I Do?
In a word: nothing.
Within a week, I’d received another 4 or 5 identical emails. It’d become clear that this was simply a scheme to part as many people as possible from as much of their money as possible.
I wrote back to one of these emails in an effort to get additional information: I asked for additional time to open up a Bitcoin Wallet.
But I never heard back. I didn’t expect to. Scams like these aren’t built around responding to individual requests: they’re built on raw numbers. If a malicious hacker group purchases the personal information of, say, 250,000 people and only 1% of those targeted respond, that’s still 2500 people.
At $1950 a pop, that email scam netted them $4.875 million.
It only takes a little bit of time and nets a massive return on investment. Which, of course, is why these kinds of scams will be around forever in our now fully-connected digital world. So…
What Should You Do?
Here’s everything that I believe you should do before, during, and after a scam like the one I’ve just described.
Before You are Scammed
Have your data scrubbed from the web. I pay for DeleteMe (affiliate link) to continuously scrub our family’s PPI from the Interwebs. I also use and like Incogni (affiliate link) for this service.
BACK UP YOUR DATA. Do not wait, do not pass “GO”, and do not pretend like it can’t happen to you. Back. Up. Your. Data. I pay for iDrive (affiliate link) to do this over the Internet so that I don’t have to carry around a back-up drive with me. If I’m online, my data is being securely backed-up.
Start using TFA or two-factor authentication. I wrote how and why in Episode #36. Go back and re-read that now. Then implement it. It’s 100% free.
Get and then use a second set of data. I use 33mail (affiliate link) to create an endless stream of traceable email addresses and Google Voice to create additional phone numbers. Then, when anyone who is NOT a family member or VERY close friend requests those data, I provide them with my secondary contact info. This includes doctors, lawyers, accountants, financial advisors, colleagues, teachers, students, neighbors, and more.
Check in with your bank and credit card companies. Each lender has different rules and protections should you be the victim of a scam. Learn what those are NOW and have an easily findable list of numbers to call when you need them later.
When (Not If) You Receive a Scam
Take. A. Breath. You’ll be tempted to act immediately. Don’t. Wait a day. Chill out. The world isn’t going to fall apart.
Trust your instincts. If it looks or feels like a scam, it probably is. Do NOT respond and certainly never give away any banking or credit card information.
Take a closer look. If it looks legit, dig deeper. Check the sender’s email address. Does it represent the company in question? Check the links in the email by hovering over them. Do they point to the company’s actual website? Remember: scams are designed to work with massive numbers, not massive accuracy. If you look even a BIT deeper, flaws will appear to help you understand that it’s a scam.
When in doubt, ask a digitally savvy or knowledgeable person. After all of that, if you’re still unsure, ask a trusted friend, family member, or law enforcement for help making a final decision.
What To Do After a Scam
The scams won’t stop and, quite honestly, prevention and preparedness are the best things to do. This is why you should feel free to do nothing in response to a scam. However, if you’d like to be proactive in order to possibly bring someone to justice, you can:
Mark the sender as spam.
Report the sender to the email provider they used to email you. Here are links to pages on Google, Yahoo, and Microsoft for how this can be done. Apple’s got a great page devoted to educating yourself and what to look for so that you are NOT scammed.
Report the incident to the FTC (Federal Trade Commission) via their reporting page.
And that, my dear friend, is a wrap for today’s episode. Thanks for being a part of our community and, as always… surf safe! 👍🏼 👌🏾