23
Nov 18

How to Shop Online Like a Security Pro

‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here’s a quick refresher course on how to make it through the next few weeks without getting snookered online.

Adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet, for the simple reason that there are tons of completely fake e-commerce sites out there looking to separate the unwary from their credit card details.

Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers. For example, KrebsOnSecurity got taken for hundreds of dollars just last year after trying to buy a pricey Sonos speaker from an established Amazon merchant who was selling it new and unboxed at huge discount.

I later received an email from the seller, who said his Amazon account had been hacked and abused by scammers to create fake sales. Amazon ultimately refunded the money, but if this happens to you around the holidays it could derail plans to get all your shopping done before the expected gift-giving day arrives.

Here are some other safety and security tips to keep in mind when shopping online:

-WHEN IN DOUBT, CHECK ‘EM OUT: If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. After all, it’s not uncommon for bargain basement phantom Web sites to materialize during the holiday season, and then vanish forever not long afterward.

If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly.  How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.

-USE A CREDIT CARD: It’s nearly impossible for consumers to tell how secure a main street or online merchant is, and safety seals or attestations that something is “hacker safe” are a guarantee of nothing. In my experience, such sites are just as likely to be compromised as e-commerce sites without these dubious security seals.

No, it’s best just to shop as if they’re all compromised. With that in mind, if you have the choice between using a credit or debit card, shop with your credit card.

Sure, the card associations and your bank are quick to point out that you’re not liable for fraudulent charges that you report in a timely manner, whether it’s debit or a credit card. But this assurance may ring hollow if you wake up one morning to find your checking accounts emptied by card thieves after shopping at a breached merchant with a debit card.

Who pays for the fees levied against you by different merchants when your checks bounce? You do. Does the bank reimburse you when your credit score takes a ding because your mortgage or car payment was late? Don’t hold your breath.

-PADLOCK, SCHMADLOCK: For years, consumers have been told to look for the padlock when shopping online. Maybe this was once sound advice. But to my mind, the “look for the lock” mantra has created a false sense of security for many Internet users, and has contributed to a dangerous and widespread misunderstanding about what the lock icon is really meant to convey.

To be clear, you absolutely should run away from any e-commerce site that does not include the padlock (i.e., its Web address does not begin with “https://”).  But the presence of a padlock icon next to the Web site name in your browser’s address bar does not mean the site is legitimate. Nor is it any sort of testimonial that the site has been security-hardened against intrusion from hackers.

The https:// part of the address merely signifies that the data being transmitted back and forth between your browser and the site is encrypted and can’t be read by third parties. Even so, anti-phishing company PhishLabs found in a survey last year that more than 80% of respondents believed the green lock indicated that a website was either legitimate and/or safe.

Now that anyone can get SSL certificates for free, phishers and other scammers that ply their trade via fake Web sites are starting to up their game. In December 2017, PhishLabs estimated that a quarter of all phishing Web sites were outfitting their scam pages with SSL certificates to make them appear more trustworthy. According to PhishLabs, roughly half of all phishing sites now feature the padlock. 

-CHECK THE SHIPPING

Often times, items that are advertised at steeper discounts than other online stores make up for it by charging way more than normal for shipping and handling.

Be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process.

-DON’T TAKE THE BAIT

Be on guard against phishing and malware schemes that take advantage of shopper distraction and frenzy during the holidays. In years past we’ve seen both leverage emails crafted to look like they were sent from a name-brand store claiming that there was a problem with your order or some component of the shipping process.

One perennial phishing and malware scam that seems to kick into high gear around the holidays is spam that purports to have been sent by the U.S. Postal Service, FedEx, UPS or some other shipping service, warning of a wayward package.

When in doubt about such a message, visit the e-commerce or shipping site directly, and avoid clicking on links or attachments in email — particularly missives that warn of some dire consequences unless you act quickly. Phishers and malware purveyors typically seize upon some kind of emergency to create a false alarm that often causes recipients to temporarily let their guard down.

-SCOUR YOUR STATEMENTS

Some credit card companies offer cardholders that ability to use “virtual credit cards” — apps that generate a unique, ephemeral credit card number that is good for just one purchase or for a short period of time. The idea being that if fraudsters compromise the virtual card number, your bank doesn’t have to issue you a new card and you won’t have the headache that comes with entering new card details at all of the sites where you’ve set up automatic monthly payments.

These virtual cards are nice in theory, but I’ve never been a big fan. Probably because in many cases they require users to have risky add-ons installed and enabled — like Java or Flash Player. But, hey, if this works for you, great.

Most importantly, keep a close eye on your monthly statements. If I were a fraudster, I’d most definitely wait until the holidays to cram through a bunch of unauthorized charges on stolen cards, so that the bogus purchases would get buried amid a flurry of other legitimate transactions. That’s why it’s key to closely review your credit card bill and to quickly dispute any charges you didn’t authorize.

-BUDDY UP

If you’re planning to spend time with friends and family this holiday season, consider giving the gift of your time and helping out with a security checkup. This might involve making sure that new or old PC has up-to-date security software and the requisite software patches, or locking down their wireless router by enabling security features and disabling risky ones.

If you’re visiting parents or older relatives, consider helping them plant their flags at various online sites and services if they haven’t already done so, such as at the Social Security Administration, the U.S. Postal Service, or their wireless phone provider and/or Internet Service Provider (ISP).

You’d definitely make it off of Santa’s naughty list if you helped your loved ones take stock of which online accounts could benefit from more robust multi-factor authentication — and perhaps even guiding them away from SMS/text messages for multifactor toward more secure app- or key-based options, where available. You might even take a minute to explain the perils of re-using passwords across multiple sites, and see if they’re interested in using a password manager.

While you’re at it, ask your friends and family if they’ve frozen their credit files at the major consumer credit bureaus. If not, talk with them about what this entails and how it can help ward off identity theft. If they’re game, you might even consider helping them set it up and ensuring that freeze PINs are securely stored so the information is easily available when and if their credit files ever need to be thawed.

Tags: , ,

68 comments

  1. The Sunshine State

    I would add in, make sure you are going to a legitimate domain name and not a fake look a like with a SSL certification.

    • There is no “SSL certification”. You are confusing x.509 certificates with TLS (and its insecure, outdated, look-alike SSL)

      • This is a troll, right?

        ‘SSL Certificate’ does indeed often refer to an x.509 certificate, but the term is very much legitimate, even if colloquial in use.

        If you’re going to be this pedantic about terminology, it would behoove you to recognize that not all x.509 certificates are SSL/TLS, which is why a specific term (SSL certificate) exists to differentiate from a non-SSL x.509 certs.

  2. Everyone please remember that not all the merchants at Amazon are honest and legit. They sell stolen items, broken items as new, etc. The customer comments that regard the item for sale will often warn you of problems. The best deal is often not the cheapest deal.

    • In addition, many of Amazon’s reviews cannot be trusted. Many are low quality and biased. There are online Amazon review checkers that use algorithms to scan the reviews for suspicious patterns. Two such are https://reviewmeta.com/ and https://www.fakespot.com/

    • …AND that some of those great reviews on an item could be fake and or paid for.

      • Absolutely. I see ads around college campuses seeking to hire “reviewers”. They give the droid money to buy the product, too, so they get “verified purchaser” status.

        I’d bet the number of compensated reviews is very high.

    • And some vendors sell products in other countries and don’t clearly indicate that you’ll be stuck paying customs.

    • Follow the advice in the article to check the seller’s return policy, and don’t buy from them if they say that returns aren’t allowed due to the merchandise needing special packaging. Such claims are in my experience almost never true, and are often a set-up for shipping defective equipment, material different from what was ordered and similar scams.

    • I’d like to add to always sort the reviews and look at Most Recent. Many scammers on Amazon will sell a legitimate product (or pay for fake reviews) and get a 5 star rating. Then they bait and switch for a crappy product, but everyone just sees the 5 star reviews from several years ago instead of all the 1 star reviews for the past year.

      I also tend to look at 3 star reviews. Those are going to be the people who give the best feedback, they see potential or value in the product, except for this one thing.

  3. Outer Sopace Guy

    I’d also add to beware of merchants on Amazon who are brand new sellers (“Just launched” or similar in their description where the seller reviews would be).

    • Unfortunately, stars, reputation, and positive reviews of third-party e-commerce merchants and sellers mean nothing; they can be faked or bought. Physical addresses can be faked, too, using drop-ship and co-location arrangements.

      The best deal is to avoid third-party merchants and sellers entirely.

  4. CC is safer than debit card – got it.
    Where does PayPal or similar fit in this?

    • Nathan – the reason credit cards are labeled safe is because if there is a problem you are more likely to get help getting your money back… I don’t think Pal Pal will extend the same effort to help and, as you say, debit cards.. no safety net at all.

      • PayPal does a wonderful job of refunding any fraudulent actions. The drawback is the time involved…however, they’ve never left me wondering…when things went wrong with my purchases through them…and I’ve had several!

    • Nathan–I’ve had a PayPal account for nearly 20 years, and once gotten stung on a kitchen appliance purchased from some fraudster who never shipped nor responded to any emails.

      PayPal got my $$ back.

      Great website that eliminates the need for conveying a credit card number to anybody else, and whom I find extremely easy to do business with. I can xfer $$ back & forth from a secure bank account to PayPal in 3-4 days, and generally a real confidence builder.

      Full disclosure: I do not own PYPL stock, although I think I did own some stock several years ago.

      Highly recommended for secure purchases in the sometimes opaque world of online business.

      • PayPal is very buyer friendly, but very merchant hostile. PayPal will almost always side on the side of the buyer if there’s any dispute. That’s awesome… **if** you’re the buyer.

        • Yes.. PayPal will bend over backwards for the buyer. So will Ebay for that matter.. take it from a seller who has been burned by “not as advertised” (Those are the magic words.. just mention that and you’re getting a refund, don’t worry if it’s exactly as advertised or no returns or anything, they don’t care) meaning “didn’t do research, didn’t want perfectly operating product after purchase.” I offered to send them a video of me taking it out of the box and it working fine, and specified “no returns” in the ad. No dice, had to pay shipping both ways. They were “gracious” enough to give me a discount on the return shipping.. charged directly to my PayPal account which was already overdrawn because they refunded the guy’s money the second he asked. PayPal is FINE if you’re the buyer.

          • I would always assume using PayPal is the safest payment option. PayPal are also quick to ban fraudulent merchants so if a given site accepts PayPal it means it should be trustworthy.

  5. I agree, but before you make the buying decision, you have to read product reviews first, then you may search for this product and learn more about it’s reliability. I always carefully select products before adding them for sale on https://www.jodyshop.com/ just to guarantee customers safety and satisfaction first.

  6. As a consumer, I appreciate the tips KOS provides, including the warning to check out online merchants before using their websites.

    I’d like to suggest that folks should extend their investigation further, by checking who’s the actual seller on individual websites.

    For example, if the website is Amazon.com, check that “sold by” is listed as Amazon. On Walmart.com, look for “sold and shipped by Walmart.”

    On many large websites (like eBay, etsy, Amazon, Walmart, and others), third-party merchants/sellers can pay a commission to the owner for the privilege of selling their wares. When “sold by” isn’t who you expect, beware.

    Buying from a third-party merchant/seller carries significant consumer risk, because they may sell counterfeit or broken goods, they may ship from China (incurring damage through excessive handling by drop-shippers), and guarantees may not apply. It’s also nigh impossible to return goods shipped from China.

    • Etsy and eBay are entirely made up of third-party sellers. That’s the whole point of those sites. That said, you can check the seller reviews and sometimes item reviews to get a sense of what you’re getting into. But if you avoid third-party sellers on either site there’s no point using them at all.

  7. Excellent article.
    Sent it to family members.

  8. Fraud scam are high profit business for fraudsters.
    I guess guys in africa or russia living well with fraud money

  9. Don’t neglect to ask your credit card company / bank to send you instant e-mails or other messages whenever a charge greater than $XX is placed on your account. This may not stop a fraud in the first place but it does give you an early warning of trouble.

    • AmEx (and possibly others) can be configured to send email for “card not present” transactions, e.g. online orders. I always open these to check that the amount charged is what I expect. And, if someone else should try a scam charge with my card, I’ll find out within minutes to a couple of hours.

      • Visa also provides this service (“Visa Alerts”). On my card, I get a text for purchases greater than 20 bucks. I arranged this through my financial institution. It doesn’t stop fraud, but would let me know immediately of fraudulent charges.

  10. Most of the people following Brian probably know this, but for the other readers, the trend today is to use a long pass phrase instead of a password. The more letters the better. For example instead of “password” use something like “ThisIsMyPassword” and mix in special characters, numbers, etc….

    • You can make a pass phrase that’s easy to remember and effectively impossible to guess by lying. For example, “My 3rd maternal uncle’s name is George.” I don’t have a third maternal uncle, George or otherwise.

      Lines from books, movies, poetry, etc. are not safe; the bad guys are onto that approach.

    • What!!! This is bad advice, using “ThisIsMyPassword” I am hoping I have misunderstood and this is a placeholder for whatever sensible solution an end user will use. Crooks and the software they use can crack this type of thing easily. A selection of random unassociated words is absolutely best. Even better use a password manager for passwords, you can make them stupidly complex and you don’t have to create them or remember them. I also like the look of U2F using one or more yubikey type products although their needs to be greater adoption amongst the big players but Google is offering it known as Google Advanced Protection.

      • Randomness in a password’s characters only has a marginal effect on difficulty to crack it, because it frustrates a dictionary-based attack. But that’s it. And it’s harder to remember a randomized password.

        Using a central cloud storage (or a sticky note attached to your cublice wall) for all your stupidly complex passwords just adds another attack point.

        The best password is long and easy to remember, so you’ll be able to use it without jotting it down.

        Here’s why a long password beats a complex one:

        https://math.stackexchange.com/a/1934499

  11. Debit cards offer the same protections against fraud that credit cards do that’s a fact

    • With a debit card you are in the uncomfortable position of asking your bank to please refund YOUR money that has been removed from your account. They do not have to do so immediately. They can investigate your claim. Do you need your money before they finish their investigation and refund your money? So Sorry, you need to be patient. Do NOT use a debit card. Use a credit card. Source: I investigated fraud cases while working in law enforcement.

    • The story says exactly this. But in practice it is not always the case, and the story again explains some situations where that is commonly so. You won’t ever have that experience with a credit card. Hence the advice.

      I’ll never understand why some people are so devoted to their debit cards. I find that most of the time comments like this one are left either by people who derive some kind of benefit that they’re emotionally attached to (like points or cash back with their debit card) or they are merchants who prefer debit transactions because they often incur lower interchange fees for merchants than credit cards.

      • You can also ask your bank for an ATM card instead of a debit card. That’s safer than having an ATM/Debit card with never-used debit feature, because any debit transactions are fraud by definition.

      • SorryNoCreditForYou

        some people cannot get a credit card
        their only practical option is their debit card

        that’s my situation. you just have to be more careful as to buying on the internet.

        myself do all my purchases on amazon, usually buying if actually sold and shipped by amazon. or if a third party amazon marketplace seller, then if the product is shipped by amazon. and of course after reading the reviews. as longtime amazon shopper, really had no problems. but as a longtime anazon shopper, myself know how to really scrutinize what is being sold on amazon and by whom.

        it’s the infrequent online shoppers who may have more problems getting suckered by shopping elsewhere willy nilly and may definitely need the protection of a credit card — if they qualify to have a credit card.

    • In the UK you have automatic protection if you buy anything costing 100 GBP by **credit card**.
      Unfortunately the same isn’t true of debit card transactions.

  12. Any commercial website in the EU has to publish a link to a valid postal address and contact number on their front page.

    If you don’t see that then the vendor is breaking one or more of their national laws.

    Its a quick check I recommend people do – it may well be an oversight/ignorance but its normally a good indication of a vendor who wants to cover their tracks when they fold.

  13. I always use a temporary cc number that my issuer offers specifically for online transactions/shopping.

  14. “basic whois search”

    On the very rare occasion I consider shopping at a website I’m unfamiliar with, in addition to running it through whois, I do lookups for any highly questionable but easily noticed aspect:

    Website-listed physical address vs physical address listed elsewhere at sites I’m familiar with/trust.
    Google the company name+city.
    Better Business Bureau—often lists email-network site & physical address (for comparison.
    Trustpilot (website)
    url void
    WOT
    Domain-network for spam.
    Secretary of State online of the state the business is registered in.

  15. I very much appreciate this article. Thank you, Brian Krebs.

    1. I make it my practice to check the security certificate configuration of “secure” web sites using the Qualys company’s SSL Server Test at https://www.ssllabs.com/ssltest/

    I prefer sites that get a grade of A (or, better, A+).

    Of course, the SSL Server Test does not test the web site’s internal processes (end-to-end encryption, employees using 2FA, etc.).

    2. I also like to test my browser environment using the Qualys’ company’s Browser Check (I have installed the extension for a more thorough check): https://browsercheck.qualys.com/

    On my Mac, this check found a downlevel version of Silverlight, which I promptly updated. Every time I go to this link with the same browser, the check is run automatically. Nice!

    3. I think it’s fair to warn people about using any shared network for secure communications. By shared network I mean not only a WiFi network that allows others to use it (password or not!), but an Ethernet network in, say, an apartment building that allows multiple tenants to use the network. On Windows, make sure network discovery (and file and printer sharing) are disabled for that network. On Mac, check your sharing preferences. On Android and iOS, I’ve read about file manager that allow file sharing across a network (on Android, see ES File Explorer; on iOS, see the Documents app). It’s not clear to me what security risks for online shopping arise from using these apps.

    If in doubt about your computing device or the networks you have available, here are some possibilities that might provide better security. I would welcome any hard-nosed skeptics commenting on these notions:

    a) Go to a public library where you must sign in with a library card to use a public-access PC. This establishes a new login session on that computer. When you “exit,” the machine reboots and resets itself to a pre-established “clean” state. I’ve seen this done using Faronics Deep Freeze on SOME local libraries (usually the larger ones because of subscription costs).

    b) Use a cell phone network (using either a cell phone or another device with a data plan, such as an LTE laptop) and NOT using WiFi to communicate (turn off WiFi while doing this). Apparently 4G LTE is fairly difficult to hack into, and 5G will be even more secure. See https://www.nytimes.com/2018/08/10/technology/personaltech/security-wifi-lte-data.html

    c) Use a VPN when on any shared network. My preference is to use a VPN even on my home network.

    These are just my thoughts based on cogitation and careful reading. It’s impossible to guarantee one’s security arrangements, but one can make them better. I’m all in favor of continuous improvement!

    • You forgot to mention the tin foil hat. But how to purchase one online without having one to use to make the purchase?

    • a. “public library…When you “exit,” the machine… resets itself to a pre-established “clean” state”

      I’ve seen different library public (etc) PCs, in different library (etc) organizations, in various U.S. states, that are not clean upon first login–malware at first login. I’d never use a login to a website on a public pc without first antivirus-scanning it.

      • Good point. I readily admit that I have been trusting these computers, but the results of recent full system scans are not available to the public.

    • I have a couple of additional points to make:

      1. Consider using OpenDNS on all devices including the router. For a home network, you can set up a free OpenDNS account and restrict certain types of web sites. This has the possibility of blocking some malicious web sites.

      Note: OpenDNS and a VPN are incompatible. I prefer a VPN. but if somehow a VPN fails (on my smart phone and my tablet the VPN app sometimes does not load and connect consistently), then I’d like my DNS requests to go through OpenDNS.

      2. If your budget can afford it, consider a premium version of your antivirus program. As I understand it, in general the free and paid versions of antivirus programs use the same scanning technology, but the premium versions provide additional functions, like scheduled scans and real-time protection.

      Focussing solely on malicious web sites, I wish I could find test results for the various products that offer real-time protection.

      The AMTSO does not seem to have a standard for blocking malicious web sites.

      Again, of course, I welcome helpful comments on these points.

  16. Such useful information has to be shared and spread around to as many as possible.Only if sharing buttons for facebook,twitter,linkedin,digg and whatsapp had been given,that much better.Regards

  17. Maybe it’s too obvious but I would add to the article – everyone should have text alerts setup for all their card and accounts, every single charge. This way you can spot and report any suspicious activity right away and not at the end of the month.

  18. Also beware of “too good to be true” deals on eBay
    – often fraudsters laundry money that way by getting paid from you, as a buyer, and then ordering the same thing (full price) from legitimate merchants (even Amazon) and paying using a stlen credit card. They get money from you and you get your order paid by a stolen card.

  19. Krebs, in one of your future articles, please dissect the myth of credit monitoring services and “dark web scanning” offerings from major banks.

  20. There is a ton of great advice here both in the article and the comments! I’ll just add, if in any doubt go buy a prepaid card with cash at your local store.

  21. luar biasa info webnya bosku. Jangan lewatkan kesempatan ini.

  22. I really like using a virtual credit card. I use the banks website to generate the one time card. No information is stored on my computer. I have the option of setting a dollar limit or dollar limit and time limit. I usually make the dollar limit, one dollar more than what the charge it.

    Over the years, I have never had a problem with someone, stealing my CC. I also use Paypal. This works well when I am selling something, because the Post Office accepts PayPal.

  23. Re the use of debit cards, my husband and I switched to using debit cards over credit cards about a year ago per the advice of Dave Ramsey in his “total money makeover” book – it is so easy to purchase on credit card and worry about paying for it later, but much harder to pay by debit card because you must have the money in your account to buy the item. Now we use debit cards for almost every purchase with the exception of travel (simply because our credit card offers benefits if there are problems while traveling). We have become debt-free over the past year (with the exception of our mortgage) simply by cutting out credit cards. We follow every precaution we can while using our debit cards and hope that there are no issues!

    • You may want to have a small stash of cash in an alternate account/bank that is not attached to that debit card. If your card/account is compromised 1.) They have just sucked out your money and you may have to wait for it to reinstate, 2.) your card will probably be disabled (which has happened to a friend of mine on a friday evening when the bank was closed and she needed to get her kids some medicine). I love listening to DR, but stay very vigilant with your card (especially at fuel stations or get a credit card only for fuel stations).

      • Hi Shirley, very good advice re an alternate account.

        As to your question on the Pay Apps, I do not use them (yet)… I’m a slow and careful adapter. 🙂

  24. Would you also advocate using one of the Pay apps from your phone when possible at stores (Samsung Pay, CitiPay, etc.)? I have a technical problem and can’t get it to work, but, I would like to use this feature and seems safer than providing your physical card.

    • I’ve gotta ask, why?

      The only advantage to using a mobile token payment system is that you keep your credit card number away from the merchant. They’ll still track you through CCTV, facial recognition, loyalty numbers, and the name on your payment method.

      It’s not faster. In fact, I’ve found it to be slower to get the app ready, make a fingerprint match, type the second factor password, wait on the cellular network, etc. Chip/swipe takes 2 seconds. (I hate being on a line behind some nerd slowly paying by phone).

      It’s not going to protect your financial rights more effectively than just using a credit card alone. Credit cards already have amazing consumer protections.

      By sharing your financial data with a mobile intermediary, you are giving up the right to privacy normally associated with financial transactions. You really want Apple, Samsung, and Google to add your finances to their databases about you?

      https://www.creditcards.com/credit-card-news/mobile-payment-security-risks.php

  25. Buy a prepaid Visa(or whatever) debit card for 100 dollars or whatever. Dont register it. Use it one time the full amount or close.

    Walmart debit card that I had registered got hacked. Just use them one time.

    Or use something like:

    privacy(dot)com

  26. Just an additional tip, last night I got a phone call “from Amazon” about a delivery. They cited some numbers purported to be the last X digits of an Amazon order and then started by asking for my name. I asked them for the order number, the rep fumbled a little and then said the same numbers… then asked for my name. I immediately hung up because it sounded shady.

    The thing is Amazon WAS having trouble and that was their international call center calling me to find out more information to relay to the driver. The driver eventually called me directly and dropped off the package.

    In my case, it was fine, but I could totally see this being an elaborate scam to get you to “confirm” sensitive information.

  27. Not directly related…but today I got an email from someone telling me they had my password (a very old one thank goodness) and threatening to tell my contacts I visit porn sites (LOL) if I didn’t send them bitcoin. I marked it as spam but now wondering if I should take it more seriously? The password was never used for this email, which was curious, as well.

Leave a comment