Why Email Extortion Schemes Are Skyrocketing — And How to Protect Yourself Against Them

Posted by HSSL Systems Integrators on Jan 2nd 2020

A confluence of technologies has made the scams easier and cheaper to launch than ever before

Sometimes in cyber security, everything old is new again. And that’s certainly the case with email extortion, an attack that’s been around for years, but has been experiencing a resurgence since 2018. In the scam, someone makes false claims to have hacked your webcam and recorded you, says they discovered you had visited porn sites, or claims they’ve uncovered other actions you’d prefer not be made public. Unless you pay up, the extortionist says, he’ll publish the footage or reveal what you’ve done in other ways. All untrue, but enough to scare most people.

The resurgence in these scams has been dramatic, starting in the middle of 2018, according to Symantec, which blocked nearly 289 million of these extortion attempts between January 1 and May 29, 2019. Statistics from the FBI’s Internet Crime Complaint Center (IC3) back up Symantec’s research. IC3 says that in 2018 electronic extortion complaints rose 242 percent compared to the previous year. People paid the scammers $83 million, the FBI said.

In this article, we’ll delve into why the scam has become so popular, and how to protect yourself and your enterprise against it.

How Does it Work?

Extortion scams — sometimes called “sextortion” scams — are straightforward and easy to launch. A scamster sends out bulk extortion emails to hundreds of thousands or millions of people. The email threatens to make embarrassing information public unless the victim pays up. Payment is made via Bitcoin, allowing scammers to easily collect the money anonymously. What makes the extortion believable is that the email may include a password the recipient has actually used to log into a site, leading victims to believe they’ve been hacked and had better pay the extortion demand.

Cooper Quintin, senior staff technologist for the Electronic Frontier Foundation, notes that “sending along a password someone has used is not proof that the person has been hacked by the sender of the email. Usually the passwords have been taken in a data breach, and the scammer merely went through a database of stolen passwords and sent an email to every person in that database and included their passwords in the email.”

Why Has the Scam Become So Popular?

Why the sudden popularity of the scam? Experts say it’s because a confluence of technologies makes the scams easier and cheaper to launch, and easier for scammers to collect money from their victims.

“These extortion email scams are really just a new twist on an old play,” says Frank Downs, Director of Cyber Security Practices for ISACA, a non-profit information security organization. “It’s become very cheap and easy to send out millions of emails, so a scammer only needs a small percentage of people to pay up to make it worth their while.”

Because cellphones have become ubiquitous, he says, there are far more potential victims than in the past, and many of them are people who didn’t grow up as “digital natives” and so are more likely to fall victim to these kinds of scams.

He also believes that the scams have become more popular because ransomware has become common and effective, and so scammers have decided to try a variant of it on easy-to-fool consumers.

The EFF’s Quintin adds that webcams have become standard hardware on new PCs, and cellphones have built-in cameras, so it’s easier to convince people that someone has hacked their PC or phone and taken control of their camera to take compromising photos or videos. And Bitcoin makes it easy for scammers to collect the extortion money without being tracked.

Summing up why it’s become so common, he says, “It’s cheap to send out millions of emails and cryptocurrency makes it easy to get paid without being traced; extorting money via email is going after low-hanging fruit. So, the extortionists ask themselves, ‘Why not try it?’ And then it works, so they do it again.”

How to Protect Against Email Extortion

There’s some good news about email extortion: Unlike sophisticated cyber attacks, it’s relatively easy to protect against it. The most important rule is simple: Don’t pay the extortionist. His threat is an empty one, and you can safely ignore it.

Beyond that, Downs says, “Don’t answer emails from people you don’t know. Don’t click on attachments. Don’t click on links that look funny.”

Sometimes people in enterprises are targeted by extortion emails, and he adds that in those cases, enterprises need to educate their employees about the threats. In addition, he says, “Once an enterprise has identified an incoming threat like this, they need to block it and lock it. That includes updating their white lists and black lists so the emails don’t get through.”
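As an added illustration of the “block it and lock it” filtering Downs describes (this is example code written for this page, not code from the article or from HSSL), the following heuristic scores an incoming message on the signals the article lists: an embedded Bitcoin address, a quoted password, a payment deadline and the usual threat vocabulary. The address patterns, the wordlist, the threshold and both sample messages are assumptions constructed here.

```python
import re
from dataclasses import dataclass, field

# Simplified Bitcoin address shapes (legacy base58 and bech32). These match
# the form of an address only; they do not validate checksums.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b")
# "your password is hunter2" / "password: hunter2" style credential lure.
QUOTED_PASSWORD = re.compile(r"password\s*(?:is|:)\s*\S+", re.IGNORECASE)
# Short payment deadline such as "within 48 hours".
DEADLINE = re.compile(r"\b\d{1,3}\s*(?:hours?|days?)\b", re.IGNORECASE)
# Assumed wordlist of phrases typical of the sextortion template.
THREAT_TERMS = ("webcam", "recorded you", "adult", "your contacts",
                "video of you", "pay", "bitcoin")


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_email(subject: str, body: str) -> Verdict:
    """Return a heuristic score; higher means more extortion-like."""
    text = f"{subject}\n{body}".lower()
    v = Verdict(0)
    if BTC_ADDRESS.search(body):          # original case: base58 is case-sensitive
        v.score += 3; v.reasons.append("bitcoin address")
    if QUOTED_PASSWORD.search(text):
        v.score += 3; v.reasons.append("quoted credential")
    if DEADLINE.search(text):
        v.score += 1; v.reasons.append("deadline")
    hits = [t for t in THREAT_TERMS if t in text]
    v.score += len(hits); v.reasons.extend(hits)
    return v


def should_quarantine(subject: str, body: str, threshold: int = 6) -> bool:
    """Quarantine when the combined score reaches the (assumed) threshold."""
    return score_email(subject, body).score >= threshold


# Constructed sample messages; the address and password are made up.
EXTORTION = ("Your account was hacked",
    "I know your password is Summer2018. I recorded you through your webcam "
    "while you visited adult sites. Pay 0.3 bitcoin to "
    "1ConstructedAddrForDetectionTestXYZ within 48 hours or I send the "
    "video of you to your contacts.")
NEWSLETTER = ("Weekly market update",
    "Bitcoin closed the week up 4 percent. Remember to pay your invoice "
    "via the portal; reset your password if you forgot it.")
```

A newsletter that merely mentions Bitcoin and passwords scores 2 and passes, while the constructed extortion message scores 14 and is quarantined; a real gateway would combine this with sender reputation rather than rely on keywords alone.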

Quintin says that if the email includes one of your passwords, you should immediately change it, because it means that the password has been exposed in a data breach and can be used to hack into one or more of your accounts. He also recommends making sure that you keep your phone and computer software updated with the latest patches, which can stop extortion emails from getting through in the first place.

“Following basic security hygiene is really the best thing you can do,” he concludes. “If you do that, you should be safe.”