What is an Extortion Email?
An extortion email is one in which the sender claims to have access to material, usually pictures or videos, showing the user in a compromising situation or looking at something that may be a source of embarrassment.
These scams have ramped up in recent years as criminals (we won't use the word Hacker because Hackers are not criminals) have found a lucrative market for this type of extortion.
Here's how it works
A user is sitting at their computer when they receive an email along the lines of:
"I'll begin with the most important. I hacked your device and then got access to all your accounts... Including (email address here) It is easy to check - I wrote you this email from your account. Also, I have an old password for the hacking day: 2734"
You get the point.
So the user, fearing that they will be "exposed", will send the ransom and hope that the criminals will leave them alone. There is no evidence that this will stop the emails, and it may even encourage the criminals to continue these email threats.
So how does this happen? It's easy to say the user was looking at an inappropriate website or downloading from a torrent site. A more plausible answer is that the email provider was compromised and the emails and passwords it stored were stolen.
The degree of security that service providers utilize varies widely. And to be fair, anyone can be compromised; this is not only a "small business" issue.
So what can users do to fight this type of scam? As I said, no one is entirely safe; there are things
What can be done?
- If you receive an extortion email, alert your manager or email provider immediately.
- Change your email password. Use a password manager to create a new and more complicated password. Do not use previously used passwords.
- Use filters to send these emails to a junk folder or trash. Keep in mind that these emails are phishing scams and, as with most other spam, should be ignored. Build the filters on the subject line or on specific words; if these do not work, try a filter on the "sent from" field and enter your own email address.
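The filter rules from the last item, sketched in Python as an added example (not code from the original article or from any mail provider). The phrase list, the placeholder address user@example.com and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phrase list (assumption); tune it to the scam mails you receive.
PHRASES = [r"hacked your device", r"access to all your accounts",
           r"from your account", r"old password", r"bitcoin"]

# Constructed sample messages; user@example.com is a placeholder address.
SCAM = ("From: user@example.com\nTo: user@example.com\n"
        "Subject: Read this\n\n"
        "I hacked your device and then got access to all your accounts.\n"
        "I wrote you this email from your account.\n")
NOTE = ("From: user@example.com\nTo: user@example.com\n"
        "Subject: shopping list\n\nmilk, eggs\n")

def body_text(msg):
    """Return the decoded text/plain parts of a message as one string."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def classify(raw_message, my_address):
    """Return ("junk" | "inbox", reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    reasons = []
    # Rule from the article: the mail claims to be sent from your own address.
    if parseaddr(msg.get("From", ""))[1].lower() == my_address.lower():
        reasons.append("from-own-address")
    # Rules from the article: subject line and specific words.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [p for p in PHRASES if re.search(p, text)]
    reasons += ["phrase:" + p for p in hits]
    # A bare own-address match would also junk notes-to-self, so it only
    # counts together with a phrase; two phrases are enough on their own.
    junk = len(hits) >= 2 or ("from-own-address" in reasons and hits)
    return ("junk" if junk else "inbox", reasons)

if __name__ == "__main__":
    for name, raw in (("SCAM", SCAM), ("NOTE", NOTE)):
        print(name, classify(raw, "user@example.com"))
```

The same three conditions map directly onto the rule builders in most mail clients; the point of combining them is that a filter on your own address alone will also catch mail you legitimately send to yourself.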
Your email provider should have a protocol in place to deal with these issues on their side; we will not try to list them here.
It depends on who the provider is, but as a paying customer, do not take "there is nothing we can do" for an answer.
This last point is especially important for managers and CTOs. If your provider tells you there is nothing they can do to combat phishing attacks, you may want to look for a different provider.
A note for managers and CTOs:
- If possible, enable parental controls on all company devices. Parental controls will prevent users from accessing inappropriate sites.
- Employees should be made aware from the start of their employment that no one in the organization should be visiting questionable sites on company computers.
- It should also be standard practice to require an administrator password to install programs.
Aside from the steps listed above, education is an essential way to combat phishing and extortion attacks.
Some examples of this:
- Strong passwords
- Do not visit unauthorized websites
- Do not plug in unauthorized devices
- Alert management if suspicious emails or messages appear
- Utilizing filters
Lastly, if users are still concerned about being spied on via their webcam, consider doing the following:
If the webcam is built into the computer, use a cover, i.e., tape.
If the webcam is a peripheral connected by USB, unplug the webcam until you need to use it.
When not using the computer, turn it off.
The most important thing users can do is not send anything the criminal asks for, whether it is Bitcoin or PayPal or any form of payment. Unlike ransomware, where your system itself is compromised, these emails are scare tactics. You would be sending a ransom payment for something that will more than likely not happen.
There is no way to be 100% safe online. But we are all responsible for doing as much as we can to protect ourselves, our companies, our data, and our families.
Writer Bio: I have been in the tech industry for over six years working as an IT Administrator. My content focuses on Cyber Security, Cryptocurrency, and Privacy. For more of my work, please visit my website: dragonwolftech.com and find me on Twitter: @dragonwolftech