Government cyber agency warns about webcam blackmail scam

CERT NZ director Rob Pope. Photo / Supplied.

The government's Computer Emergency Response Team (CERT) is warning about a spike in webcam blackmail scams.

CERT, run by former deputy police commissioner Rob Pope, says the scam emails usually follow the same format, including:

• the email includes a previous password that you have used
• the email claims that you visited an adult website and that the scammer turned on your webcam and recorded what was happening
• the email claims that they have a copy of your website history
• the scammer threatens to email the video to all your contacts unless they pay a ransom between $1700 and $3000

"We can't confirm whether the video recordings actually exist, or if this is an opportunistic scam. We have not had any reports of scammers releasing a video when a ransom isn't paid," CERT operations manager Declan Ingram says.

Passwords are often genuine, Ingram says, but the scammer is only pretending to have gained access to your computer.

In reality, they've probably bought your password in a so-called "credentials dump" rather than hacking your computer. A credentials dump is when a major data breach takes place at an organisation such as LinkedIn or Ticketmaster (to name two real-life examples) then lists of logins are sold on the dark web.

CERT first warned about the scam in July and issued a fresh advisory this afternoon following a spike in complaints.

"We aren't able to share specific numbers of reports while a campaign is ongoing. However multiple reports are being received daily about this issue. This week we have received more than twice as many reports of webcam blackmail scams as the previous week," Ingram says.

"We know that scams like this prey on people being too embarrassed to seek help, so we assume that the reports we've received are only the tip of the iceberg."

CERT recommends you change passwords regularly and use different passwords for different services.

The agency says if you think you're the victim of a genuine blackmail threat, it should be reported as soon as possible because "digital evidence is fragile."

Law enforcement can be hard to navigate if you have a cyber complaint. CERT can report your case to police on your behalf to speed the process.

Report an incident via www.cert.govt.nz or call 0800 CERT NZ (0800 2378 69).

CERT recommends you check if your credentials are for sale by checking on this website.

CERT was created in April last year to deal with growing cyber-threats and received a $3.9m top up in this year's Budget, taking its total funding to $26.1m over its first four years of operation.