We had a Staff Member contact us recently to say that she had received a SPAM email that actually contained her Password! Naturally she was worried.

This new type of scam email has become quite prevalent recently and it can be quite alarming if you're on the receiving end of it. It will contain a password that you either currently use, or one that you have used in the past and the email will usually try and scare you into sending money to the scammer.

In the words of Douglas Adams…Don’t Panic!

How did they get my password?

When you see your password in the email, your first reaction is that you must have been hacked in some way. However, the way that the scammers obtain your email address and password is far less sophisticated than you might suspect. In most cases, usernames and passwords have been compromised and made publicly available for scammers to use from a website YOU have signed into. You can find out if any of your data has ever been compromised by entering your email address at a website called “';--have i been pwned?” https://haveibeenpwned.com/

In the case of the Staff Member. Her email address was on 7 websites that had reported a breach, including LinkedIn (breached back in 2012). The password was from LinkedIn.

This is why the password you see in the email might be a password you have since changed - they only have access to the data that was available at the time of the breach. If you have since changed your password, their data is effectively worthless.

What should I do?

If the password in the email is one you currently use for anything, change it immediately. Do not reply to the email, you should just ignore it. It's always worth changing your passwords and virus/malware scanning your devices if you suspect you have been compromised in any way, but there's no need to do anything else at this stage.

What can I do to protect myself in the future?

There's nothing you can do to prevent your data being compromised in a third-party breach, but you can take steps to protect yourself if it does happen.

Do not re-use passwords for multiple accounts - try and use different passwords for every single login you use.

Change your passwords on a regular basis. This will ensure that if your username and password is compromised, it can't be used for very long.

Use strong passwords. Use all the characters available - lowercase letters, uppercase letters, numbers and special characters. Use passwords that are not easy to guess. Pa55word! uses all the characters available, but is still very easy to guess.

Use 2 factor authentication where possible.

Do not store your passwords in plain text.

Use a password manager if you can. A password manager can securely store your usernames and passwords for all the services you use that require a login. You just need to remember one password to access the password manager, which makes it easier to use much stronger passwords that you never have to remember. Just make sure you use a very strong password to access the password manager and never write it down or use it for any other login.

Dashlane https://www.dashlane.com/, LastPass https://www.lastpass.com/ and Keeper https://www.keepersecurity.com/ are commonly used managers, but there are other solutions that you can use too.

Finally, if you still have any concerns, the Edcomtec Support Team will be happy to help with any questions. https://helpdesk.edcomtec.com.au/support/login or helpdesk@edcomtec.com.au