By Zoe Kleinman, Technology reporter, BBC News
Six weeks ago, a young woman called Zed (not her real name) was in a meeting at work when a message popped up on Facebook Messenger from a distant friend.
“Hey babe,” it began.
The friend asked Zed to vote for her in an online modelling competition, which she agreed to do.
But then – disaster. Adding her email address to the competition register had caused a tech meltdown, her friend said. She needed to borrow her email log-in to fix it quickly and restore her votes.
Zed was unsure. The friend begged – her career was at stake, she pleaded. Still in the meeting and powerless to make a call, Zed gave in – a momentary leap of faith.
Except it was not her friend that she was talking to – someone else had got into the account and was pretending to be her.
It’s a scamming technique known as spear phishing.
What is spear phishing?
“Phishing uses behavioural psychology to trick victims into trusting the attacker in order to obtain sensitive information,” said Paul Bischoff of Comparitech, who also talked to Zed.
“Spear phishing is less prevalent, but far more dangerous. Spear phishing targets an individual or small group of people. The attacker can gather personal information about their target to build a more believable persona.”
How do I protect myself?
Besides never sharing the credentials for your online accounts, a good way to stay safe is to enable “two-step authentication”. This means that users must enter another code besides their password, received for example by their mobile phone, to log in.
This can usually be set up in the security settings for your account or during the sign-up process. Two-step authentication is offered by Gmail, Hotmail, Apple, Amazon, Yahoo, Facebook and Twitter among others.
Within minutes, Zed watched in horror as she was locked out of one account after another, as well as her Apple iCloud where she stored all her data – including a photo of her passport, bank details, and some explicit pictures. The hacker took control of all her IDs as they were all linked to the email address details she had supplied.
The scammer also activated an extra layer of security, called two-step authentication, meaning that they received all alerts about her accounts and could reset them.
Then a man called. The number had a Pakistan area code.
“He started the call by saying he didn’t want any drama, he didn’t want me to cry, he wanted me to talk to him like a professional,” she said.
He sounded young, perhaps a college student, she thought.
He accused her of leading an “immoral” life. He had seen her photographs, he knew she had smoked and had boyfriends and was sexually active.
He asked her what her parents would think and was furious when she said they already knew.
“He claimed he had hacked thousands of women,” Zed says.
“He said 10 or 12 he had felt bad about because he couldn’t find anything about them that was ‘wrong’.”
Zed was not part of that group.
“He said he was happy when he hacked my account. That I deserved everything.”
He told her he would post the explicit pictures on her Facebook page – where she has more than 1,000 friends.
“I offered him money. I asked if I could pay. He said, ‘Don’t talk about money.’ He sounded irritated,” she said.
Instead, he wanted her to perform a sex act for him on camera.
“Either you do it for me or you do it for the whole world,” he told her – and uploaded one of the photos to Facebook.
Zed had already warned her boyfriend and parents who assembled an army of friends waiting to report activity on her account. Within 15 minutes it had been disabled by Facebook – but she still received concerned messages from contacts.
“A friend who is like a brother sent me a message – it wasn’t him who had seen [the photo] but a friend of his,” she said.
“I feel like I mustn’t think too much about how many people saw [the photos].”
The last thing the scammer said to her was, “Have a great life.”
“It seemed to me the only reason he was doing this was to morally police women and get them to do stuff for him,” Zed said.
“He wanted a gallery of explicit photographs of women. That seemed to be his motive.”
Zed does not consider herself to be digitally naive. She is a bright, articulate 20-something from India who works in the media industry on the US east coast.
“I have been tech savvy and on the internet almost my entire life – but I’ve never really seen the power of what people can do until now,” she says.
Regaining control of her accounts has been a struggle. It took Zed a month to get her Apple ID back after engineers created a bespoke questionnaire for her containing answers that were not stored in her account.
Gmail and Facebook have also been restored, but she has lost Snapchat and her Hotmail address – her central account which she had used for more than 13 years.
‘Chink in the armour’
“I feel for the poor woman – these scams are so easy to fall for,” said cybersecurity expert Prof Alan Woodward from Surrey University.
“I think what it shows is that security is a combination of people, process and technology. You can be very ‘savvy’ in any one or two of these but scammers are superb at finding novel combinations that, frankly, we just wouldn’t think of.
“I know it sounds so obvious but, regardless of who they are, you should not share your username and password. Give these scammers a small chink in the armour and they are sadly brilliant at getting in and running amok in your digital life.”
Zed still uses iCloud but does not store personal stuff on it anymore – and has activated two-step verification everywhere.
“I still see the value in the storage. But I will never ever give any information away again,” she said.
Zed originally decided to share her story on community site Reddit after trying to find others who may have been conned by the same man.
“I was really shocked to discover that I found absolutely nothing,” she said.
“I was hoping that speaking up about it would remedy that problem and encourage others to share their stories.
“It also felt like the only way to get back at him.”
As far as Zed knows, the scammer has not been caught.
“Cyber-criminals come in all shapes and sizes,’ said prof Woodward.
“Their motive is not always monetary gain. As we have sadly seen of late, revenge or just being plain malicious is a growing trend.”