Category Archives: Scams

Good Password Practice

My customers are getting a lot of scam e-mails that say, in essence:

“I an a hacker and I know your password is tulip123. I have recorded you looking at porn. If you don’t send me £1,000 in the next 24 hours, I’ll send an embarrassing video of you to all your friends and contacts”.

In my example, the person getting the e-mail really does have a password of tulip123, so it’s all a bit worrying.

The e-mail is a try-on, of course: the “hacker” doesn’t have an embarrassing video of you. But how does he (or she, but I’ll use “he” here) know your password?

Well, he doesn’t. He’s not even a hacker; he’s most likely bought a list of e-mail addresses and password from somewhere, and is e-mailing each one to try to extort money. I guess it works, or at least the perpetrators think it will, because it’s very widespread.

Note he doesn’t say what password. Is he claiming he knows my mail password, my Amazon password, my PayPal password, my computer logon password, or what?

They’d all be different, right?

You can check if any of your passwords are for sale. Just put in your email address here. (I wouldn’t normally suggest putting your email address – and especially not a password – into a web page, but this one is well-known, has been around for a long time, and seems to be reputable. But as you’ll find, in the world of computer security, trusting the things are what they seem may be unwise.)

Here’s what I got:

As you can see, I’m on Linked In – and my email address and password (my credentials) were revealed in a “breach” that Linked In suffered in 2016. (I’ve since changed them.)

If I had used my Linked In password and e-mail address for, say, my Amazon account, anyone who had my LinkedIn credentials would also be able to log into my Amazon account. That’s why it’s very unwise to re-use passwords.

But what about the passwords themselves. I wonder how easy mine might be to guess? Well password-cracking programs exist, and they are pretty good. They are cleverer than you’d think – they start with common passwords – things like secret123 and welcome123 and pa55word – before going through all the combinations.

The same website that I mentioned above can also check all the passwords that have been revealed on the “dark web” and tell you how many times a password you are considering has been used and revealed. I tried tulip123:

And Tulip123:

And tuliP123:

So, here’s my four rules for passwords:

  1. Make each one different.
  2. Make them a random set of number, digits and symbols.
  3. Make them at least 12 characters long.
  4. Write them down in at least two places, and keep the list up to date.

All this means you’ll have to use a program to generate, store and back-up your passwords for you. Using a Password Manager is the only sensible way to handle passwords. I have an article on password managers here.

Finally, consider using Two-Factor Authentication (2FA) for important passwords. The most common form of 2FA sends a code to your mobile phone every time you log in from your computer, and you have to type in this code as part of the log in process. But don’t do this for mail if you use a mail program (sometimes called a mail client), for example Microsoft Outlook. In that case, see if your mail provider support the use of an Application Password when using a mail client. Gmail and G Suite do, but BT, Yahoo, Sky, TalkTalk and so on mostly don’t.

PS: When I ask people which is their most important password, they usually answer “the bank” or similar. In fact, it’s not: for most people, their mail password is their most important password. This is because once someone knows your mail password they can sit back and watch every mail item you receive (and possible every mail item you send). They can do this from their own computer anywhere in the world – they doesn’t need access to your computer. Now consider what happens if you forget the password to (say) you Amazon account … Amazon sends a link to your e-mail which will allow you to re-set your Amazon password. So anyone who knows your email password can probably change any other password to one they know.

Additionally, If someone else can read all your e-mails, consider what happens if you’re buying a house, say. The day before you are due to send your solicitor the deposit, you get an email from him/her (the solicitor, as you think) mentioning they have changed their bank, and would you send the money to their new account, as follows. It looks genuine, is signed in the normal way and with the right name, and has all the right logos, so you believe it … and lose you money. The person with your mail password saw you were about to send a large amount of money (by reading your email) and was able to see exactly how he or she had to make the fake e-mail look. He had a newly set-up account waiting (scammers often trick someone else into letting them use their account), you transferred the money to it, he transferred the money into Bitcoin and closed the account. No trace.

There are plenty of well-documented examples of this. Google found me these three, but there are plenty of others. Protect that email password!

How to avoid solicitor conveyancing email scam that costs house buyers

Property sellers warned not to email solicitors: ‘We lost £204,000’

More Reading


Password Cracking Evolution
Top Ten Password Cracking Techniques used by Hackers
Testing a Password Cracker

Password Strength Testers

These sites say they don’t store your passwords, or even send them over the Internet, but I haven’t checked them.

How do I know if an email is genuine?

Sooner or later you’ll get an email telling you you’ve won the lottery, ordered something you don’t remember ordering, missed a delivery, are due a tax refund, or that you need to “verify your account”. How do you know if you can trust these emails or not?

The first thing to know is that you can’t trust who the email says it’s from. Here’s a message from my spam folder:

It says it’s from someone called “Track My PPI”, whose email address is Maybe it is, maybe it isn’t, but I can’t tell from the email address that is shown.  This is no more reliable than the address written at the top of a paper letter – it’s created by the sender. If they are dishonest, it may well be a lie. Just because it’s “the computer” doesn’t make it true. Continue reading How do I know if an email is genuine?

How do I know if a website is genuine?

Click to enlarge

Sooner or later everyone gets an email saying you have to “verify your account” and warning of the dire consequences if you don’t. These are always a scam.  No-one genuine will ever ask you to verify (or “re-verify”) your account. Sometimes you might have to verify your email address (by click on a link in the email) but you’d never have to verify your account. Here’s a screenshot (left) of a typical “verification” page. It says it’s from Apple, but it’s not.

You’d get to this site by clicking on a link in an email that “Apple” sent you. We’ll look at that in a later post, but for the minute let’s look at the web page. Continue reading How do I know if a website is genuine?

Am I about to download a virus? (Part 1)

There are lots of good, useful things you can download from the Internet for free. Unfortunately, there are also a lot of things that will harm your PC, pop-up fake warnings, mess with your search results, and so on.

How do you tell a good download from a bad one?

The same applies to e-mail attachments – how do you tell a safe attachment from a dangerous one? Continue reading Am I about to download a virus? (Part 1)

How do people get their PC infected with viruses?

Usually, bad things on your PC these days aren’t technically viruses, they are trojan horses, worms, adware, key loggers, search hijackers and so on. Generically we call bad things that you don’t want on your PC “malware“.

Get one item of malware, and it will install others. Look at the dates.
Get one item of malware, and it will install others. Look at the dates.

Most infected users have in fact downloaded the malware themselves, and clicked “OK” on lots of boxes in the process. They do this because the malware installer claims to be something useful (it’s lying). Often people download things that claims to be a Security Scanner, a Registry Cleaner, a Speed Maximiser, a PC Tune-up Manager, a Driver Updater, or a utility that claims to Fix Unreadable Files or Fix Download Problem (or they leave a box ticked that offers a “free download” of something apparently useful. Virtually all of these fake products are downloaded from professional-looking and convincing sites … judging a site by how professional it looks is always unwise. Malware distributors make enough money to be able to afford excellent websites! (Even if these things did what they claimed and didn’t also install malware, they would be pointless. They sound technical and important, but they’re not. For 99 percent of users, registries don’t need cleaning, drivers don’t need updating, and so on.

Too good to be true?
Too good to be true?

If your PC is slow, a few simple things you can do yourself will be much more effective that any spurious “PC Tune Up” program.

Some good advice from reputable sources:
The Guardian newspaper 1
The Guardian newspaper 2

The Telegrapgh newspaper
WikiHow website

Another thing to watch out for is where you download legitimate software from. The thing you want (iTunes, VLC, Microsoft Security Essentials, Flash Player) may be legitimate and useful, but are you getting it from the right place? Getting it from the wrong place may mean you download something undesirable as well. Do your research before you download.

iTunes is made by Apple, and can be downloaded (free) from the Apple website. This isn't the Apple website!
iTunes is made by Apple, and can be downloaded (free) from the Apple website. This isn’t the Apple website!

And finally, watch out for adverts that look like warnings, and unusual search engines that may look like Google. Don’t trust what they are telling you, especially if they want you to download something.

That's an advert, not a warning or error message. And the search site isn't Google.
That’s an advert, not a warning or error message. And the search site isn’t Google.

Good luck out there – keep your wits about you!

A new scam?

I see clever trojans and other malware all the time — a considerable part of my work involves removing them from people’s PCs. The “FakeAlert” trojan is especially common: it warns you in various convincing and intrusive ways that “your PC is infected” and offers you a link to download and install a “removal program”. If you install this software it will “find” all sorts of terrifying things which it says are downloading pornography and stealing all your passwords, credit card details, and so on, and offers to remove it … once you have register the removal program for about 50 dollars via your credit card.  And it doesn’t find malware which actually is there.  The PC becomes increasingly unusable until the fake software is removed, which can be quite tricky (which is why people pay me to do it, of course).

Three customers whose PCs I’ve removed this malware from have subsequently had phone calls from someone who says he’s from something like the “Windows Support Group”, telling them their PC is infected and offering to remotely connect to the PC to remove the infection.  All these people were called at home, on numbers they don’t reveal to people. They report that they had assumed the call was from Microsoft, but how did Microsoft know their PC was infected, and how did Microsoft get their phone number?

Presumably the trojan searched the PC for phone numbers in documents and reports it back the the bad guys, who are now calling the numbers. Brazen or what? (With permission, I searched one customer’s PC for their secret phone number  and found it in an old CV.)  One of the customers had the presence of mind to ask for a number so they could call back — and reported the number to me. So I called it …

“Adam” told me they had offices all round the country, and were one of the largest PC support organisations and had been going for well over ten years. He gave me a website address which I later checked — it had been set up three weeks previously. I asking him if I could drop my PC off, but he said their insurance didn’t allow it, and it wasn’t necessary because they could connect remotely if I co-operated by downloading a program.  I asked him how much this service would cost, and he said he couldn’t say, even roughly, until he’s had a look at the infection. I said someone had told me that he’d called them to offer to do this, but how did he know they had an infection? He said it “was reported to us”, but couldn’t or wouldn’t explain further.  I asked him where he was, he said he was in London, I asked for the address. It took him a long time to find this, and when I asked him for the nearest (or any) tube station, he didn’t know. He didn’t know what the weather was like in London, either.

The whole thing seemed highly suspicious to me, so if you get a call like this, ask questions!