October 30, 2018 by Jason Contant
Brokers would be well-advised to tell their clients to keep a cool head if they receive an email from someone claiming to have stolen their password.
The latest online scam uses passwords stolen in data breaches years ago to convince victims that the sender has used the password to plant spyware on their device. The next step is often blackmail, for example by claiming to have caught the victim viewing adult sites. There are other variations of this scam.
“They will send you emails and divulge a bit of your password and say they have hacked into your computer, they have access to all your information and this password is evidence or proof that they have done this,” said Kevvie Fowler, partner of cyber risk with Deloitte Canada, in an interview with Canadian Underwriter earlier this month. “I’ve seen that and I’ve had a lot of clients, even board members, calling in a panic – ‘My iPad has been hacked and here’s the evidence of it.’
“Really that password is part of a public breach from years and years ago, but if you look at that, it could be very believable to individuals.”
Fowler discussed such extortion attempts during a conversation in mid-October about major trends in cybercrime.
Cybercriminals continue to steal usernames and passwords at an alarming rate, intent on taking over legitimate consumer accounts, said Robert Capps, vice president and authentication strategist for NuData Security, on Tuesday. Once they have account credentials, they try them on sites of every kind, from healthcare to social media.
Capps recommends that clients use a password manager to keep passwords secure and a unique password for each site they sign up for.
“In this latest scheme, cybercriminals are trying to blackmail consumers, making them think they have access to sensitive information or images, even if it’s not true,” Capps said.
He recommends ignoring these emails and flagging them as spam. “Also, if the password they send is a legitimate one, go and change all accounts using the same password – which, ideally, should be just one account.”
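The practical check behind both pieces of advice above, added here as an example and not code from the article or from Deloitte or NuData: confirm that the password quoted in the email is one that already circulates in public breach dumps, and find every account that still uses it. The script below uses the real Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/ with its documented "Add-Padding: true" header), which only ever receives the first five hex characters of the password's SHA-1, so the password itself is never sent anywhere. The range response and the vault export embedded below are constructed for the example; the counts in the sample response are made up, and only the line format matches what the endpoint returns.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint (k-anonymity: only the first five hex
# characters of the SHA-1 leave the machine). Network use is optional here;
# the offline run below works entirely from the constructed sample response.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix, suffix): the 5-char prefix that is sent to the API,
    and the 35-char suffix that is compared locally and never transmitted."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padding entries
    (count 0) that the API may add are kept; they never match a real hit."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line, ignore it
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, range_response: str) -> int:
    """Number of times the password appears in the breach corpus covered by
    the given range response (0 means not found)."""
    _, suffix = split_hash(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a 5-char prefix. Not called in the offline run."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def accounts_reusing(vault, leaked_password: str) -> list:
    """Given (site, password) pairs, e.g. from a password-manager export,
    list the sites still using the leaked password. Digests are compared so
    the plaintext from the extortion email is handled only once."""
    leaked = sha1_hex(leaked_password)
    return [site for site, pw in vault if sha1_hex(pw) == leaked]


# Constructed sample response for prefix 5BAA6 (the SHA-1 of "password"
# begins with 5BAA6). Counts are made up for the example; only the line
# format matches what the real endpoint returns.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

# Constructed vault export: the leaked password is reused on two sites.
SAMPLE_VAULT = [
    ("bank.example", "password"),
    ("mail.example", "password"),
    ("shop.example", "Tr0ub4dor&3-unique"),
]

if __name__ == "__main__":
    n = breach_count("password", SAMPLE_RANGE_5BAA6)
    print("prefix sent:", split_hash("password")[0], "| breach count:", n)
    print("accounts to change:", accounts_reusing(SAMPLE_VAULT, "password"))
```

To run it against the live service, replace SAMPLE_RANGE_5BAA6 with fetch_range(split_hash(pw)[0]); the password still stays on the local machine, because only the five-character prefix is part of the request and the suffix match happens in breach_count.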