Cyber criminals are increasingly turning to phishing tactics to blackmail victims into sending them large sums of money – and this latest phishing email scam is no different.

In fact, IT security firm Symantec reported that almost 300 million extortion scam emails were blocked in the first five months of 2019 alone!

Neuways wrote about a similar ‘career-ending phishing campaign’ earlier this year. This new method differs slightly.

There are a few ways you can combat this latest threat, however. We can run a dark web monitoring scan and see if you have actually suffered a breach. In the meantime, you can use our phishing awareness resources to arm yourself with knowledge.

What do the criminals want?

Hackers are buying up breached passwords on the dark web and using them as ‘proof’ that they have access to the victim’s private photos, videos, accounts, and webcam.

Phishing emails are typically used for a few reasons – money, a vehicle to harvest credentials, or a means to deliver malware.

They’re straightforward to conduct, and with a 1 in 10 chance of success, a phishing email can be incredibly lucrative for a cyber criminal.

In this new case, it’s purely about the money.

The criminals behind this type of campaign are relying on your embarrassment for a successful extortion.

The message is typical of phishing – great urgency and fear-mongering, followed by a ‘simple solution’ that can take all of the fear away.

The latest phishing email extortion scam

How does this latest phishing email scam work?

1)

This phishing email scam begins with a bold opening gambit.

It actually includes the victim’s password in the subject line, reading “You got owned – [victim’s password].”

The hacker then claims to have gained access to your private photos, videos, and accounts via previously installed malware.

The password, according to the hacker, is proof that your photos, videos, and accounts are compromised.

Unless you have reused the same password across every account for years, this is highly unlikely to be the case. But in a high-pressure situation, the hacker’s hope is that you panic and act irrationally.

If your credentials have previously been involved in a breach, they could end up on the dark web. Therefore, it’s not impossible for a criminal to have acquired one of your older passwords. If the password quoted in the email is still in use anywhere, change it there now and turn on two-factor authentication, but do not reply to the email and do not pay.

However, this does not mean that they have access to your photos, videos, and accounts. And it certainly doesn’t mean that they have access to your webcam.

It’s simply a way for the hacker to generate panic and urgency among their victims.

2)

The next stage of the phishing email is the threat – blackmail.

In this situation, the hacker claims to have used your webcam to record you watching pornographic material. Or they might claim to have unearthed and be in possession of private photos you do not wish to be in the public domain.

Having induced this state of heightened panic, they threaten to leak your personal material onto the web.

“We both know that your life won’t be the same,” reads the email.

Naturally, there is a solution…

3)

A one-time payment, typically in Bitcoin, and all of the fear and anxiety will go away.

By creating a fictional problem, the hacker then manufactures a very real solution. Pay the problem away – to them, naturally!

They will typically present themselves as an agent of benevolence, offering you ‘a chance’ to prevent this from happening. Not only does this imply that this fictional ‘hack’ is your fault, but that the actual perpetrator can offer you a way out.

On the face of it, it’s an obvious attempt at a shakedown on behalf of the criminal. But in the moment? If you’re not prepared for this type of attack and feel under duress, this option might feel like salvation.

In this particular incident, the criminal argues that this ‘is a very good price, compared to living hell’.

To raise the stakes, the hacker will often give a limited amount of time for you to make the payment. This is to create urgency and try and extract payment before you reflect upon this situation and consult someone else, such as the police.

After all, embarrassment is a real motivator.

4)

“After I have received the payment, you never will hear from me again,” the email promises.

Reassuring, perhaps. But not true.

People who pay up are far more likely to be targeted again in the future.

From the cyber criminal’s perspective, willingness to co-operate indicates either gullibility, weakness, or wealth. All three are desirable attributes to a cyber criminal because they can be exploited.

How to protect yourself against phishing email scams

Firstly – arm yourself with knowledge.

Phishing emails used to be predictable and easy to spot. And in many cases, they still are. However, some of the more sinister phishing attempts are well-crafted and targeted towards an individual.

So, how do you know if it’s a phishing email? We’ve compiled a detailed phishing email awareness hub for you to share with friends and colleagues. However, a brief overview of what to look out for is as follows:

  • Clickbait subject
    This might be a direct demand, or a claim that a ‘critical security incident has occurred’ (or words to that effect). Also look out for excessive use of punctuation!!!!

  • Poor spelling
    Professional communications rarely contain spelling errors. On the other hand, phishing emails ar oftun put together qwickly and tend to be fool off speling mistakes.

  • Unnecessary sense of urgency
    Phishing emails often contain THREATS, open or veiled. You’ll also find that they end in a DEMAND for payment. They want you to act IMMEDIATELY.
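As an added worked example (this script is not part of the original article and is not Neuways’ own tooling), the following Python scores an incoming message against the three warning signs above together with the structure of this particular scam: a ‘You got owned’ subject that quotes a password, webcam and threat language, a Bitcoin address, and a payment deadline. The sample email, the password ‘hunter2’ and the address in it are constructed for the demonstration and are not taken from any real message; the indicator lists, weights and threshold of 7 are assumptions you would tune against your own mail flow.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the scam described in the article; the password
# and the Bitcoin address are made up for this demonstration, not from a real email.
SAMPLE_SUBJECT = "You got owned - hunter2"
SAMPLE_BODY = (
    "I know that hunter2 is one of your passwords. Malware on a site you visited let me "
    "record you through your webcam. We both know that your life won't be the same if I "
    "send the video to everyone you know. Send 0.5 BTC to 1Examp1eSextortionAddrNotRea1xyz "
    "within 48 hours. This is a very good price, compared to living hell. After I have "
    "received the payment, you never will hear from me again."
)

# Indicator lists (assumed; tune for your own environment).
THREAT_TERMS = ("webcam", "your life won't be the same", "everyone you know", "pornographic")
URGENCY_TERMS = ("immediately", "last chance", "act now", "limited time")
PAYMENT_TERMS = ("bitcoin", "btc", "wallet")
# Subject line of the form "You got owned - <password>" (dash, en dash or colon).
OWNED_SUBJECT = re.compile(r"you got owned\s*[-\u2013:]\s*(\S+)", re.IGNORECASE)
# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# "48 hours" / "2 days" style payment deadline.
DEADLINE = re.compile(r"\b(\d+)\s*(hours?|days?)\b")


@dataclass
class Verdict:
    score: int
    indicators: List[str] = field(default_factory=list)
    claimed_password: Optional[str] = None
    bitcoin_addresses: List[str] = field(default_factory=list)


def analyse(subject: str, body: str) -> Verdict:
    """Score one email; a higher score means more of the extortion pattern is present."""
    verdict = Verdict(score=0)
    # Normalise curly apostrophes so phrase matching works on copy-pasted mail.
    text = (subject + "\n" + body).replace("\u2019", "'").lower()

    m = OWNED_SUBJECT.search(subject)
    if m:
        verdict.claimed_password = m.group(1)
        verdict.indicators.append("subject claims compromise and quotes a password")
        verdict.score += 3
    if subject.count("!") >= 3:
        verdict.indicators.append("excessive punctuation in subject")
        verdict.score += 1
    for label, terms, weight in (
        ("threat", THREAT_TERMS, 2),
        ("urgency", URGENCY_TERMS, 2),
        ("crypto payment", PAYMENT_TERMS, 2),
    ):
        hits = [t for t in terms if t in text]
        if hits:
            verdict.indicators.append(f"{label}: {', '.join(hits)}")
            verdict.score += weight
    d = DEADLINE.search(text)
    if d:
        verdict.indicators.append(f"payment deadline: {d.group(0)}")
        verdict.score += 2
    verdict.bitcoin_addresses = BTC_ADDRESS.findall(body)
    if verdict.bitcoin_addresses:
        verdict.indicators.append("bitcoin address in body")
        verdict.score += 3
    return verdict


def is_sextortion(subject: str, body: str, threshold: int = 7) -> bool:
    """Assumed threshold: the password claim plus a payment demand is enough to flag."""
    return analyse(subject, body).score >= threshold


if __name__ == "__main__":
    v = analyse(SAMPLE_SUBJECT, SAMPLE_BODY)
    print(f"score={v.score} flagged={is_sextortion(SAMPLE_SUBJECT, SAMPLE_BODY)}")
    for indicator in v.indicators:
        print(" -", indicator)
    if v.claimed_password:
        # The quoted password is the only thing worth acting on: check whether it is
        # still in use anywhere and rotate it there; everything else is bluff.
        print("claimed password:", v.claimed_password)
```

Run on the constructed sample the script flags the message and pulls out the quoted password, which is the one element of the email worth acting on: check whether it is still in use on any account and change it there. A flagged message otherwise needs no response and no payment.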

In the meantime, it’s well worth consulting a Dark Web Monitoring service. It’s a straightforward way for you to find out if personal or business data is for sale on the dark web.

If you know your data is already out there, you can change the exposed credentials before a criminal uses them against you.

Dark Web Monitoring delivers peace of mind and puts you back in control of your data.

If you’re concerned about phishing, email us at
hello@neuways.com or call us on 01283 753 333.