One of our clients recently approached us having received an email from a “Cyber Security” company. The email informed them that the company had been monitoring the dark web and had found 77 incidents of compromised material relating to our client, and asked them to get in touch to find out what it was. Our client passed the cyber security company's details to us and we followed it up with them.

There are many sites (haveibeenpwned, breach alert) that let you enter your email address and check it against a database of credentials leaked when web services were breached. For example, if your email was one of those exposed in the LinkedIn breach of 2012, or, as many 2015 divorcees will know, in Ashley Madison, it will be in there. Our opening question to this company was: did you use sites such as these to gain this information? The answer was yes. Our next question was “are these from old breaches from years ago?” and again, they were. So why didn't they open with this information in their email? We didn't ask that question, because we knew the answer. Sales by fear is not the right way to go about gaining clients, and it generates mistrust.
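Before anyone panics over a “we found N incidents” email, the first check is simply how old the underlying breaches are and whether passwords were actually exposed. The script below is an added example, not code from the original post or from any of the companies mentioned. It works on records laid out like the Have I Been Pwned v3 breached-account response (`Name`, `BreachDate`, `DataClasses`), but the sample records and dates are constructed for illustration and nothing is fetched from the live API (which needs an `hibp-api-key` header and is not called here).

```python
"""Triage a list of breach-database hits by age and by what leaked.

Added example, not code from the original post. SAMPLE_HITS is constructed
to match the field names HIBP v3 returns for a breached account; no
network call is made, so this runs offline.
"""
from datetime import date

# Constructed sample: the kind of hits a "we found N incidents" email is
# usually built from. Breach names/dates here are illustrative only.
SAMPLE_HITS = [
    {"Name": "LinkedIn", "BreachDate": "2012-05-05",
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "AshleyMadison", "BreachDate": "2015-07-15",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "ExampleForum", "BreachDate": "2023-01-20",
     "DataClasses": ["Email addresses", "IP addresses"]},
]


def triage(hits, today, stale_years=3):
    """Split hits into recent vs stale and note which ones exposed passwords.

    Returns a summary you can put in front of a client instead of a raw
    count: total hits, which are older than `stale_years`, which are recent,
    which breaches leaked passwords (the ones that matter if the user reuses
    passwords), and the date of the oldest breach in the list.
    """
    stale, recent, with_passwords = [], [], []
    for hit in hits:
        breach_date = date.fromisoformat(hit["BreachDate"])
        age_years = (today - breach_date).days / 365.25
        (stale if age_years >= stale_years else recent).append(hit["Name"])
        if "Passwords" in hit.get("DataClasses", []):
            with_passwords.append(hit["Name"])
    return {
        "total": len(hits),
        "stale": sorted(stale),
        "recent": sorted(recent),
        "passwords_exposed": sorted(with_passwords),
        "oldest": min(h["BreachDate"] for h in hits) if hits else None,
    }


def summary_line(report):
    """One sentence a client can actually act on."""
    return (f"{report['total']} hits, {len(report['stale'])} from old breaches, "
            f"{len(report['recent'])} recent; passwords exposed in: "
            f"{', '.join(report['passwords_exposed']) or 'none'}")


if __name__ == "__main__":
    report = triage(SAMPLE_HITS, date.today())
    print(summary_line(report))
```

The useful output is not the headline count but the split: old breaches where the password has long since been (or should have been) changed, versus recent ones that need action now. If a vendor's "77 incidents" collapses to a handful of 2012-era entries, that is the conversation to have with the client.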
Of course there is a wider issue to be addressed concerning regular password changing, not reusing passwords, using long passphrases, 2FA, biometrics, using work email to register personal services, and password managers. I'll post on that shortly, but sending a “crap you up” email isn't the way to go about it, or the way for us as an industry to gain the trust of clients. It's embarrassing.
Let's not do that.