You might hear about data breaches so often the cacophony of warnings becomes white noise in the background of your mind — something easily tuned out.
But even if a data breach doesn’t end with someone using your credit card details, that doesn’t mean you’re in the clear.
Because, depending on what kind of information is compromised, scammers and hackers can still find a way to use it against you.
Here’s how.
Big bad guys and little bad guys
There are two distinct types of cyber criminals to consider here.
Well-resourced masterminds do “the big job” first, Charles Sturt University Cyber Security Research Group’s Professor Yeslem Al-Saggaf says.
“They did the data breach, they sold [the details] on the dark web — their job is done,” Professor Al-Saggaf says.
That’s when the little guys swoop in.
They might use this information for their scam operations to trick you into handing over cash or impersonate you to take out dodgy loans in your name and pocket the money.
“The attackers usually have a motivation or a business model,” global innovation chair in cyber security at the University of Newcastle Professor Vijay Varadharajan says.
“They usually go for easy pickings or low hanging fruits, and most of the time they are driven by financial considerations.”
Sometimes this can happen a long time after a breach, sometimes they may strike while the breach is still in the news.
Threatening emails
Let’s look at last month’s Ticketmaster breach as an example.
One reader contacted the ABC about a threat they were sent by someone claiming to be a “professional hacker” who correctly quoted their Ticketmaster account password to them.
This threat appeared to come from their own email address and landed in their junk inbox.
The criminal said they’d gained control of their account and was “secretly monitoring all your activities and watching you for several months”.
“I can see absolutely everything in your screen and switch on the camera as well as microphone at any point of time without your permission,” the message said.
Then came the threats:
“I have made a video compilation, which shows on the left side the scenes of you happily masturbating, while on the right side it demonstrates the video you were watching at that moment.
“All I need is just to share this video to all email addresses and messenger contacts of people you are in communication with on your device or PC.
“Furthermore, I can also make public all your emails and chat history.
“I believe you would definitely want to avoid this from happening.”
The criminal wanted to be paid in Bitcoin to delete the information they claimed to have about the victim.
But the threat didn’t have the intended effect.
“I only use my computer to watch iView and Amazon Prime so I’m not concerned about the specifics of the threat,” they told the ABC.
What should you do when you get an email like this?
Professor Varadharajan says you should take it seriously.
He says you should:
- Immediately change your password for that account
- Inform the authority of the account — in this case Ticketmaster
- Immediately change the password for all other sites and services you’ve used this same password for — making sure they’re all different
- Inform the authorities of these services that your password has been compromised
- Keep an eye out for unusual transactions within the accounts that password had been used for
- Contact ID Care and let them know that your password has been compromised
He says it’s likely the person’s email account has been compromised.
“This may be something totally different or the person could have used the same password that they used in the Ticketmaster for his or her email system.
“There are several ways email systems can be compromised.
“One of the ways is clicking on a malicious link, by which some malware is installed in the email client, that is the victim’s machine, or opened an malicious attachment which was sent to them.
“Or even the person has gone to some dodgy website and browsed through certain documents or images or even clicked or downloaded something from this website.
“Once the malware is in the system it can infect several things including email clients.
“Alternatively, the email server could have been compromised — this is more serious in the sense that many people will be impacted.”
Can someone hack your camera and microphone?
Yes.
“Usually, some malicious software has got to be inside your system,” Professor Varadharajan says.
“For an attacker to get to your webcam or microphone, they have got to get to the system where these devices have been installed.”
Professor Varadharajan says there are cases of criminals spying on high profile people to ruin their reputation or to obtain sensitive information, but typically they’re targeting very important people.
So what if you’re just an everyday person?
“Essentially, most of the time, the criminals are interested in money,” he says.
And if they can’t steal it from you, they will try to trick you into handing over your money your credit card details
This is known as “social engineering”.
What is social engineering?
It could be directly threatening victims like the example above, but also by pretending to be a trusted contact.
Let’s say they find out you’re a customer of a certain bank — that’s a piece of information they can use to manipulate you.
Using a technique known as ‘spoofing’, scammers can make it look like a dodgy message they’ve written came from your bank’s customer service number.
It might appear in a thread of messages you’ve received from your bank before.
This tricks you into thinking it’s legitimate.
“It says ‘your bank has been breached, click this link to change your password’,” Professor Al-Saggaf says.
“You’re nervous, you’re scared, you click the link.”
In the example above, the scammer referenced last month’s Ticketmaster breach, mostly likely as a ploy to play on the receiver’s fears.
This is a tactic commonly used by scammers to manipulate victims.
Stock-standard scam formats
A quick online search of the threatening email above brings up a few word-for-word matches — mostly on forums where users seek help about scams.
Typically, these types of threats are rubbished by other users who point out flaws in the text.
The biggest critique is that the scammer isn’t very specific, something the reader who contacted us pointed out.
“The threat itself is vague, and I would have thought if it could display my password then it would at least be able to provide one link to a porn site I allegedly visited,” they said.
“If the hacker has all my videos, I hope my dogs inspire them to revise their life choices.”
Remember, blackmailing is a crime
The threat in the example above is one of the textbook tactics the federal government’s eSaftey Commissioner’s website warns about on its sexual extortion (otherwise known as ‘sextortion’).
“They falsely claim they have ‘found’ intimate images or videos of you saved on your device or in your account,” the website says.
“This person might even use one of your current or former passwords to make you believe it’s true, but you can never be sure if they really do have access.
The commissioner says blackmailing someone is a crime.
It advises stopping all contact with the person and not paying them.
“Blackmailers usually give up when they realise you won’t pay,” the website says.
“But if they do share your intimate image or video online, you can report it to eSafety and we will help get it removed.”
You can report online harms at the eSafety Commissioner website.
What can I do to protect myself?
Change up your passwords
“Use different passwords for different things,” Professor Al-Saggaf says.
It’s easy to forget passwords, so it’s a good idea to keep a list of all your accounts and passwords handy.
Keep up with software updates
Tech companies will often update device software to close unexpected cybersecurity loopholes.
Turning on automatic updates on your device is an easy way to stay on top of those.
But you have to keep updating software, because cybercriminals keep looking for new loopholes — meaning companies then have to come up with new fixes.
“It’s a game of cat and mouse between cyber criminals and victims unfortunately,” Professor Al-Saggaf says.
Cover your camera lens
Some laptops have little switches that allow users to put a physical cover over the lens.
Because while hackers can turn on your webcam remotely, you have to be able to physically touch the device to turn this switch off.
Professor Al-Saggaf keeps his closed.
If your device doesn’t have one, you can just stick something over the top of the lens.
How do you report a scammer?
People are encouraged to report scams to the National Anti-Scam Centre’s Scamwatch website, regardless of whether they’ve lost money or not.
You can report cybercrimes to police through the Australian Cyber Security Centre’s online reporting portal.
If you’re concerned you’re a victim of identity theft, you can contact IDCARE, a not-for-profit charity that describes itself as Australia’s national identity and cyber support service.
Loading…