Extortion

Extortion scams are increasing in frequency and sophistication. The criminal contacts potential victims by email with a threat or claims to have compromising information that will be released to the public if the victim does not pay to keep it quiet. As 'proof' that the criminal has access to this material, the email includes sensitive information that only the victim should know, such as passwords. These attacks are becoming a new form of ransomware.

Attackers harvest stolen email addresses and passwords from past data breaches and use them in threatening email messages to add to the victims’ fears. They will either spoof the victim’s email address pretending to have access to it or claim to have personal or compromising information that they will use against the victim. Each email will contain payment demands with Bitcoin wallet details included inside the message.

Usually, extortion email messages are part of larger spam campaigns and are sent out to thousands at a time. Most of these emails will be caught in spam filters. However, like with many other types of email fraud, scammers are evolving their techniques to bypass email security and land in users’ inboxes. These attacks are becoming personalized and get sent out in smaller numbers to avoid detection. Attackers will use reputable email services like Gmail, vary and personalize the content of each message, and avoid including links or attachments — all in an effort to slip through security.

Extortion makes up about 7% of spear-phishing attacks, the same percentage as business email compromise. Employees are just as likely to be targeted in a blackmail scam as a business email compromise attack.

According to the FBI, the cost of extortion attacks was more than $107 million in 2019. On average, attackers ask for a few hundred or a few thousand dollars, an amount that an individual would likely be able to pay. Due to the large volume of attacks, the small payments add up substantially for attackers.

Extortion scams are under-reported due to the intentionally embarrassing and sensitive nature of the threats. IT teams are often unaware of these attacks because employees don’t report the emails, regardless of whether they pay the ransom.

There are a number of steps you can take to protect your users against extortion:

AI-based protection — Attackers are adapting extortion emails to bypass email gateways and spam filters, so a good spear-phishing solution that protects against extortion is a must. Artificial intelligence-based protection can identify attacks based on what normal communication looks like, including the tone of voice used by individuals. This allows it to recognize the unusual and threatening tone of extortion attacks, in combination with other signals, to flag it as malicious email.

Account-takeover protection — Some extortion attacks originate from compromised accounts. Be sure scammers aren’t using your organization as a launchpad for these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and used in fraudulent activities.

Multi-factor authentication — With multi-factor authentication (MFA) apps and hardware-based tokens, hackers will need more than just a password to access your accounts. While non-hardware-based MFA solutions remain susceptible to phishing, they can help limit and curtail an attacker’s access to compromised accounts.

Proactive investigations — Conduct regular searches on delivered mail to detect emails related to extortion. Search for terms like ‘Bitcoin’ to identify potential attacks. Many extortion emails originate from outside North America or Western Europe, so evaluate where your delivered mail is coming from, review any of suspicious origin, and remediate. Deploy technology that will automate threat hunting and remediation to stay ahead of hackers.

Security awareness training — Educate users about extortion fraud. Make it part of your security awareness training program. Ensure your staff can recognize these attacks, understand their fraudulent nature, and feel comfortable reporting them. Use phishing simulation technology to test the effectiveness of your training and evaluate the users most vulnerable to extortion attacks.