Cyber criminals are sending victims their own passwords in an attempt to trick them into believing they have been filmed on their computer watching porn and demanding payment. Action Fraud has provided the following information and advice.
There have been over 110 reports made to Action Fraud from concerned victims who have received these scary emails.
In a new twist not seen before by Action Fraud, the emails contain the victim’s own password in the subject line. Action Fraud has contacted several victims to verify this information, who have confirmed that these passwords are genuine and recent. The emails demand payment in Bitcoin and claim that the victim has been filmed on their computer watching porn.
An example email reads:
“I’m aware, XXXXXX is your password. You don’t know me and you’re probably thinking why you are getting this mail, right?
Well, I actually placed a malware on the adult video clips (porno) web site and guess what, you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser started out working as a RDP (Remote Desktop) with a key logger which gave me access to your display screen as well as web camera. Just after that, my software program gathered every one of your contacts from your Messenger, Facebook, and email.
What did I do?
I made a double-screen video. First part shows the video you were watching (you have a nice taste omg), and 2nd part displays the recording of your webcam.
Exactly what should you do?
Well, I believe, $2900 is a fair price tag for our little secret. You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).
BTC Address: 1HpXtDRumKRhaFTXXXXXXXXXX
(It is cAsE sensitive, so copy and paste it)
You now have one day to make the payment. (I have a special pixel within this email message, and now I know that you have read this e mail). If I do not receive the BitCoins, I will definately send out your video recording to all of your contacts including close relatives, co-workers, and many others. Nevertheless, if I receive the payment, I’ll destroy the video immidiately. If you need evidence, reply with “Yes!” and I will send your video to your 10 friends. It is a non-negotiable offer, therefore do not waste my time and yours by responding to this message.”
Suspected data breach
Action Fraud suspects that the fraudsters may have gained victims’ passwords from an old data breach.
After running some of the victims’ email addresses through ‘Have I Been Pwned?’, a website that allows people to check if their account has been compromised in a data breach, Action Fraud found that almost all of the accounts were at risk.
Last month, fraudsters were also sending emails demanding payment in Bitcoin, using WannaCry as a hook.
How to protect yourself
- If you receive one of these emails, delete it and report it to Action Fraud.
- Don’t be rushed or pressured into making a decision: paying only highlights that you’re vulnerable and that you may be targeted again. The police advise that you do not pay criminals.
- Secure it: Change your password immediately and reset it on any other accounts you’ve used the same one for. Always use a strong and separate password. Whenever possible, enable Two-Factor
- Do not email the fraudsters or make the payment in Bitcoin.
- Always update your anti-virus software and operating systems regularly.
- Cover your webcam when not in use.
You can also find out more information about Sextortion on our advice page here
Contactless payments offer a fast and easy way to pay for goods in-store, but is it really as safe as they claim, and how can you keep yourself safe when using contactless?
The big contactless payment fraud myth
Many banks and consumers assume that contactless fraud is where money is stolen from your contactless card directly. It’s a theory seemingly backed up on social media every few months with images (as below, from Tumblr) and warnings posted of supposed fraudsters carrying Chip & PIN machines, stealing from seemingly oblivious members of the public. While this sounds, in principle, like a valid concern, it would be incredibly difficult for criminals to operate such a machine without being noticed almost immediately.
Chip & PIN machines need to be registered with a payment vendor and linked to a bank account before they can be used to charge cards – like how you need to register your mobile phone’s SIM card with a network before you can make a call. Since every transaction is monitored for fraudulent activity, and applying for such a device is a lengthy process with many safeguards to stop fraudulent uses, it’d be incredibly risky for any criminal to do this without drawing an incredible amount of attention to themselves.
Contactless “skimming” is a fraud risk
While there may be no hard evidence of contactless-based fraud, this doesn’t take into consideration whether card details are stolen via contactless for later use – better known as “skimming”. Using widely available technology, or even a smartphone app, criminals can wirelessly read data from your contactless card without charging you a penny. In most cases, the data includes the full 16-digit card number, the card type (Visa, MasterCard, or similar), the issuing bank, the expiry date, the card owner’s name, and in some cases (worryingly) a mini-bank statement. With this data, it’s possible for criminals to create a cloned card with the original card details for use at older ATMs, shops, or even websites with poor security checks. Alternatively, they could simply collect thousands of card details with the intention of selling them on to the highest bidder. As there’s no financial transaction taking place, there’s no record of how many times it’s been read wirelessly, where it was read, by whom, and what their motive was.
Lost and stolen cards can still work months after cancelling
When contactless payments were first rolled out, concerns were raised about pickpockets and thieves being able to use a stolen card, without verification, to make high-value purchases. Reporting a card lost or stolen, and reporting any suspicious activity on your bank statement immediately should theoretically block that card from being used fraudulently. However, there have been mixed reports from members of the public that their cards continued to work long after being reported as lost or stolen. Banks have complex security limitations in place to detect fraudulent contactless transactions, but consumers should keep an eye on their bank statements and flag transactions they don’t recognise immediately – even if the card has been cancelled. You should also keep an eye on your credit report for suspicious transactions.
What about ApplePay and Google Wallet?
When contactless payments first made their debut on smartphones, concerns were raised about the security of card details being stored on, and transmitted from, a smartphone. The initial fear was that instead of a malicious person reading card details wirelessly from a wallet – which tends to reside in a limited number of secluded places, such as a pocket or a bag – they could read them from a phone – an item we tend to carry more publicly. Fears surrounding this potential threat quickly subsided, however, as the technology was showcased to only work in the specific context of paying for goods. In the case of ApplePay, for example, card details are only transmitted when the phone detects a Chip & PIN machine that is requesting payment; it requires either a passcode or a thumbprint to complete the transaction; and the 16-digit card number transmitted is semi-randomised per transaction. These features give contactless payments via a phone another level of security in cases where the phone is either stolen, or a receipt is dropped at the point-of-sale terminal displaying the full card number.
Keep yourself safe from contactless fraud
Contactless payments offer a convenient way for consumers to pay for goods but, like most technology, come with a handful of security concerns that everyone should be aware, but not scared, of. With that in mind, here are some top tips to help keep yourself safe from contactless-based fraud:
- RFID-blocking wallets, or a few sheets of thick tinfoil, will block any wireless signal from leaving your wallet without your knowledge;
- Some banks offer non-contactless cards to their customers, but you have to ask. Contactless is very much the standard issue these days;
- Using systems like ApplePay and Google Wallet gives an extra level of security when paying and doesn’t transmit your card details without your consent;
- Report any cards that are lost or stolen immediately to your bank, and keep an eye on your bank statement for suspicious transactions.
The success comes as a result of a scheme which gave vulnerable and elderly people devices which block the phone calls. More than 100,000 scam phone calls to the vulnerable and elderly have been blocked in a year. A £500,000 project, announced by Prime Minister Theresa May last April, saw 99% of unwanted calls halted. Thousands of devices were given to people at risk, including those with dementia. Between May 2017 and April 2018, 108,918 calls were not accepted. The devices will not allow recorded messages, silent calls and calls from numbers not pre-identified by the homeowner. Eight in 10 had felt worried and 60 per cent felt threatened or scared. After the blockers were installed this fell to 17 per cent and 10 per cent.
Trading Standards’ Louise Baxter said: “Nuisance phone calls have a huge impact on emotional and physical health, not to mention financial losses.”
Digital Minister Margot James said: “We are determined to end the plague of nuisance calls ruining elderly and vulnerable people’s lives. Only last month we laid out plans to make bosses of rogue companies personally liable for up to £500,000 if their firm breaks the law.”
It is estimated that over five years the 1,500 call blockers given out will save consumers and taxpayers £18million.
- If it sounds too good to be true it probably is
- Never give out your bank details or send money unless you are certain you can trust the person who has contacted you
- If you receive a sales call you have not requested, be suspicious
- Neither your bank nor the police would collect a bank card, ask for your PIN or come to your home to collect financial paperwork
- You shouldn’t have to pay money to receive a prize
- You shouldn’t have to pay money via Ukash or Western Union to claim mis-sold PPI
- If you are put under pressure to make an immediate decision be suspicious and politely decline
- Computer firms do not make unsolicited calls to help fix your computer
- Register with the telephone preference service on 0845 070 0707 to block unwanted calls
- If you’re still concerned, consider installing call blocking technology to reduce nuisance calls
Teenagers tell us that sharing sexual pictures and videos is not unusual. It can be risky but don’t panic, there are steps you can take if things get out of control.
If you’ve found out your child has shared a revealing pic or video, don’t panic. There are plenty of ways to stop things getting out of hand.
Watch these short films for advice on what to do next:
It’s important to keep things in perspective and plan how to talk to your child. Remember, however stressed and anxious you are feeling, they are probably feeling more so. Watch this film to find out how one parent coped.
Nude Selfies: Understanding Why – subtitled
Talking to your child
It’s a good idea to have ongoing conversations with your child about sex and relationships including nude selfies. It might be a bit embarrassing at first but this film suggests some ways to start it off.
Nude Selfies: Talking to your child – subtitled
When should I be worried?
Young people share nude selfies for different reasons and in different ways, and some situations are less risky than others. This film will help you risk-assess your child’s situation.
Nude Selfies: When should I be worried? – subtitled
Where to get help
Find out about organisations which can help you and your child.
Nude Selfies: Where to get help – subtitled
People found guilty of repeatedly uploading revenge porn will face the toughest punishments when new sentencing guidelines come into force.
It is the first time the Sentencing Council for England and Wales has given instructions to courts on dealing with those who humiliate others by uploading private sexual images and videos.
They also include guidelines for stalking and harassment cases.
The offence of disclosing private sexual images without consent – known as “revenge porn” – was introduced in 2015 and carries a maximum sentence of two years.
In 2016/17, there were 465 prosecutions for the offence in England and Wales.
What The Guidelines Suggest:
- Offenders who repeatedly post explicit material after it has already been taken offline should receive the harshest sentences; there is a trend of some offenders doing this.
- Those who set up fake social media accounts to embarrass their targets will also face stronger punishments, as they show “significant planning” has gone into the offence, says the council.
Also covered are a range of “intimidatory” offences, including stalking and harassment.
In these cases, tougher sentences are recommended by the council if there are aggravating factors, such as:
- abusing a position of trust
- sending grossly violent material to the victim
- impacting others, such as children.
The guidelines also take into account the crime of controlling or coercive behaviour in an intimate or family relationship – which can see offenders facing up to five years in jail.
This was introduced as an offence in December 2015 to tackle repeated domestic abuse, such as controlling victims over social media, spying on them online, stopping them from socialising or stopping their access to money.
The guidelines say that behaviour that results in debt or homelessness will be a possible aggravating factor, meaning a stronger sentence.
The guidelines will come into force on 1st October 2018.
Help & Support
- Those affected by domestic abuse, including coercive or controlling behaviour, should contact Refuge’s Domestic Violence Service Warwickshire Helpline on 0800 408 1552 (Monday – Friday 8:30am-8:30pm; Saturday 10am-4pm) to speak to one of their support workers.
- In an emergency dial 999.
- Those who have fallen victim to revenge porn can contact The Revenge Porn Helpline for free, confidential advice and support. More advice for victims of revenge porn can be found in our article.
- Victims of stalking and harassment can contact The National Stalking Helpline, and read our advice article here.
- Anyone affected by crime can contact Warwickshire Victim Support for support and advice on 01926 682 693 (Monday – Friday 8am-8pm; Saturday 9am-5pm).
HMRC has removed more than 20,000 malicious websites during the past year, but warns people to stay alert to the threat from online fraudsters.
The UK’s top police officer has blamed social media for normalising violence and leading more children to commit stabbings and murders. Met Police commissioner Cressida Dick told the Times social media sites “rev people up” and make street violence “more likely”. Fatal stabbings in England and Wales are at their highest levels since 2011.
What can parents do about social media leading children to violence?
Parents can remind the children and young people in their care that…
- Smartphones are everywhere. It is really easy for someone to take a photo or video of a young person involved in something spontaneous like a fight and share it with others online. This can have a permanent effect on their online and offline reputation. How would the video or image be viewed by a future employer or university recruiter?
- Drama between friends can seem so important at the time, but in a few weeks, they’ll look back and won’t remember why they were so concerned about it.
- If they hear plans of a fight, or something similar, spreading across their social media feeds, they should let an adult know about it. They won’t get into any trouble.
- It can be easy to get irate and self-righteous on social media and become caught up in an unhealthy group mentality. It could be because of someone’s comment that they found offensive, or to fight for a collective cause. But things aren’t always as they seem – often comments only seem offensive after being taken out of context, for example.
- When you’re part of a group, it’s easy to join sides and become aggressive. Advise your child that things can quickly escalate and move into the territory of group attacking or bullying.
- Young people should be encouraged to think before they post on social media, and be reminded that silly comments they’ll probably regret in the future can have a permanent effect on their online reputation.
What if your child has been involved?
- If you find out your child has been involved in a fight, the first thing you’ll worry about is whether they’re physically OK. After you’ve established that, you’ll need to have a serious conversation with them about why they got into a fight. Try not to seem too accusatory, or upset, as this may prevent them from opening up to you. As always, making sure all lines of communication are kept open is a priority with this kind of issue.
- If there is footage of your child in a fight – whether they’re the perpetrator, or the one being targeted – it isn’t something you want online for other people to see. Find out who posted the content, and ask them to take it down. If the incident is linked to school, they can help you do this. If the person who posted the content is unknown, contact the social media platform to ask them to take it down. Find out how here.
- It may be that you can’t control the spread of the footage. If that is the case, support your child. As with all bad experiences, there are lessons to be learnt. Make a plan together of how they will avoid situations like this in the future. Good plans usually focus on getting rid of negative influences and avoiding high risk situations. Discuss with them how they can spend more time on positive friendships and activities.
- If your child sees this sort of content on social media and tells you about it, remind them that this sort of violence is never acceptable, even if it is a joke or prank and the chances are that somebody has got hurt. Encourage them to always report the content to their school, as well as the social media network they’re using. Instagram in particular has a very strong stance against bullying.
- Both resorting to physical aggression as a way of dealing with a problem and fighting just for the ‘fun’ of it may point to a deeper emotional issue. You may want to ask them if there’s anything else in their lives that’s worrying them. Remind them that it’s very important they find other ways of dealing with problems, such as communication, negotiation and compromise, as carrying this violent behaviour into adulthood could get them into serious trouble in the future.
You may feel your child needs professional help with anger or other problems. Young Minds has some good advice on anger, aggression and violence in young people and what parents can do to help their children.
Officers have responded to several reports of a caller claiming to have arrested suspects who were in possession of bank cards belonging to the victims, before asking for confirmation of their card details.
If you or your family get a phone call like the ones we’ve described, hang up – do not provide any personal details or hand anything over and call police on 101. You can also report it to Action Fraud at www.actionfraud.police.uk or 0300 123 2040.
Last week showed how much more work we need to do to enforce our policies and help people understand how Facebook works and the choices they have over their data. We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed. So in addition to Mark Zuckerberg’s announcements last week – cracking down on abuse of the Facebook platform, strengthening our policies, and making it easier for people to revoke apps’ ability to use your data – we’re taking additional steps in the coming weeks to put people more in control of their privacy. Most of these updates have been in the works for some time, but the events of the past several days underscore their importance.
Making Data Settings and Tools Easier to Find
Controls that are easier to find and use. We’ve redesigned our entire settings menu on mobile devices from top to bottom to make things easier to find. Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place. We’ve also cleaned up outdated settings so it’s clear what information can and can’t be shared with apps.
A comparison of the old settings menu (left) and new settings menu (right).
New Privacy Shortcuts menu. People have also told us that information about privacy, security, and ads should be much easier to find. The new Privacy Shortcuts is a menu where you can control your data in just a few taps, with clearer explanations of how our controls work. The experience is now clearer, more visual, and easy-to-find. From here you can:
- Make your account more secure: You can add more layers of protection to your account, like two-factor authentication. If you turn this on and someone tries to log into your account from a device we don’t recognize, you’ll be asked to confirm whether it was you.
- Control your personal information: You can review what you’ve shared and delete it if you want to. This includes posts you’ve shared or reacted to, friend requests you’ve sent, and things you’ve searched for on Facebook.
- Control the ads you see: You can manage the information we use to show you ads. Ad preferences explains how ads work and the options you have.
- Manage who sees your posts and profile information: You own what you share on Facebook, and you can manage things like who sees your posts and the information you choose to include on your profile.
Tools to find, download and delete your Facebook data. It’s one thing to have a policy explaining what data we collect and use, but it’s even more useful when people see and manage their own information. Some people want to delete things they’ve shared in the past, while others are just curious about the information Facebook has. So we’re introducing Access Your Information – a secure way for people to access and manage their information, such as posts, reactions, comments, and things you’ve searched for. You can go here to delete anything from your timeline or profile that you no longer want on Facebook.
We’re also making it easier to download the data you’ve shared with Facebook – it’s your data, after all. You can download a secure copy and even move it to another service. This includes photos you’ve uploaded, contacts you’ve added to your account, posts on your timeline, and more.
The Road Ahead
It’s also our responsibility to tell you how we collect and use your data in language that’s detailed, but also easy to understand. In the coming weeks, we’ll be proposing updates to Facebook’s terms of service that include our commitments to people. We’ll also update our data policy to better spell out what data we collect and how we use it. These updates are about transparency – not about gaining new rights to collect, use, or share data.
We’ve worked with regulators, legislators and privacy experts on these tools and updates. We’ll have more to share in the coming weeks.