Consumers throughout the country are receiving emails claiming that their computers have been hacked and that their online activity will be made public unless they pay money. What is so alarming to unsuspecting consumers is that scammers often provide an actual password previously used by the victim as “proof” that the account is hacked.
If you’ve received one of these extortion-type emails, don’t be alarmed. Realize that the email is likely part of a widespread scam and that the “hacker” probably doesn’t have any evidence of your online activity. Typically, the password disclosed to you is an old password obtained through a previous data breach.
Consider visiting a site such as haveibeenpwned.com, where you can conduct free searches of known data breaches to see whether your email address and potentially other personal information have been leaked. If you find that you are a data breach victim, your password might have been discovered through data from one of those online breaches and then used to scare you through the extortion email scam. This is why it is always a good practice to change your password after a data breach and to use unique passwords for every account. Of course, if you haven’t already, change the password on any account that still uses a password the hacker knows.
Here are some related tips for creating and using passwords effectively:
- Always use a unique and complex password for each account, and do not switch back to passwords you have used previously. Using the same password for email, social media, banking and credit card accounts makes it easy for cybercriminals to cause serious damage in little time. A study by the University of Illinois suggests that three in five people use the same password across multiple online accounts, which means cybercriminals have plenty of opportunities to cause harm.
- Use strong passwords or passphrases. All passwords should be at least 12 characters long (the longer, the better) and include random special characters, letters and numbers. You may want to think of passwords based on a phrase that uses a combination of letters and numbers. For example, “My dog’s name is Brutus” plus a random number creates the password “MdniB239”. Or, try using a passphrase instead. A passphrase is a sentence or combination of words that is easy to remember but longer and more complex than a traditional eight- to 12-character password.
- Try a reputable password manager. If you have trouble remembering passwords or don’t have the time to put together a variety of passwords, try using a password manager. A password manager stores your login and password information for all the websites you use and helps you log into those websites automatically. The password manager encrypts your password list with a master password, which is the only password you have to remember. The type of password manager you choose will depend on your personal preference and whether you want to pay for additional services or features. Research your options to learn which password manager works best for you.
- Keep your passwords safe. Never keep passwords written on a list that you keep with your computer or mobile device. Avoiding this common mistake will keep your personal information safer if your device is lost or stolen. If you prefer to write down your passwords, store them away from your computer in a safe or a safety deposit box that only you and someone you trust can access.
- Don’t store your passwords in an unsecure location on your computer or mobile device. Many people keep their passwords in a single Word document, Excel spreadsheet or other unsecure location on their computer. Don’t do this. Cybercriminals know that passwords are frequently stored in these files, and they often look for such files when they first break into your computer.
- Consider using “two-factor authentication” for your online accounts, where it is available. Two-factor authentication is a security process in which users provide two distinct authentication factors to verify themselves. Two-factor authentication methods require users to provide a password as well as a second factor, usually an email or text message verification code, that is sent each time they try to access their accounts. This better secures your online accounts.
Also, be sure to disable any automatic login functions on websites, and always log off from every website and account when finished.
Consumers who suspect a scam or an unfair business practice should contact the Ohio Attorney General’s Office at www.OhioProtects.org or 800-282-0515.