Someone contacted me to explain that attackers hacked a family member’s Instagram account and threatened to expose some embarrassing photographs unless they paid the bad actor more than a thousand dollars. I told them:
What he is experiencing is a common ploy. The bad actors probably didn’t hack his account, and I’m sure he reset his password just in case. The chances are that they don’t have any pictures. They certainly don’t have photos if whatever they claim happened didn’t happen.
The bullies are adept at social engineering, and their goal is to be terrifying. They’re incentivized because they make more money.
They commonly send information to make their messages look legitimate. They find passwords on the dark web and send those, where someone works, where they went to school, date of birth, and the names and ages of family members. That information is often easy to find, and bad actors having those details doesn’t mean they hacked an account. Often the entire information gathering process is automated. https://fosterinstitute.com/why-phishing-messages-contain-such-accurate-information/
The best thing is to avoid communicating with the bad actors and act like you never receive the messages. The bad actors will pick on someone else to try to get money from them.
I wouldn’t be surprised if he starts getting email messages from them.
Do this now: Be sure none of your email programs displays graphics or images when you open a message. On your iPhone or iPad, go to Settings > Mail and turn off “Load Remote Images.” If you don’t see that option, look under Settings > Mail > Privacy Protection > and choose “Block all Remote Content.” In Outlook, select File > Options > Trust Center > Automatic Downloads and choose: Don’t download pictures automatically. Note that the setting can move around, but a quick search engine search for “how to block email tracking” and the name of your device or application will produce fast results. Take similar steps for every device you use to check your email. This step will usually prevent the attacker from knowing you opened the email message, but you must change the setting before receiving the message.
Cover up the cameras on your computers, tablets, and phones if you do not use the camera often.
If you do receive one of these messages, print it out and save it in case you need it for evidence in the future. Do not forward the message unless you are confident that the transmitted message contains no graphics.
It is up to you to decide if you want to warn family, friends, and everyone else in your address book in case the attacker follows through with their threat. Reassure your contacts that the contents of the message are false.
Make a detailed log, and make copies of all email messages, phone calls, and text messages you receive from them. Submit a complaint at ic3.gov. Contact the police if you fear that your life is in danger. If the email message came from Gmail, notify Google, and they can investigate.
Visit www.haveibeenpwned.com to see if there is evidence that your password has shown up posted on the dark web.
Reset sensitive passwords and enable two-step verification on websites where you log in. Be sure you are current on all security patches on your devices.
Please forward this to everyone you know so that they will prepare for threatening social media and email messages.