Extortion: When Scammers Shame and Scare Victims into Paying
Many of us are familiar with the most common types of scam e-mails in circulation and may even be able to spot a fake. Examples include requests for help from a West African prince who has been left destitute and who will reward you handsomely if you help him escape an evil regime, or the surprising news that you have inherited money from a long-lost relative.
Other examples include competition scams with the surprising news that you have won millions in the Italian lottery - that you didn't even enter; SARS tax scams requesting you to verify your identity; and the 'warning' that your Microsoft account will expire in minutes if you do not immediately update your details or upgrade your plan.
For most, the only reaction these e-mails get is a quick delete. However, extortion e-mails are more effective in eliciting a response from a potential target. Extortion is a criminal offence involving the use of threats, blackmail and intimidation to obtain a benefit, usually financial, from a victim who pays out of fear.
You may have heard of hackers targeting large companies with ransomware, disabling their computer systems or threatening to release confidential company information. The hackers hold the company's systems for 'ransom', demanding very large sums of money in exchange for 'releasing' the systems. In some cases, it is an empty threat or an attempt to test the response rate and strategy of a potential business target. Other claims are real and will trigger an immediate response from the specialist cybersecurity companies contracted to defend the institution.
Your inbox is much more likely to receive an e-mail from someone claiming that they have obtained access to your computer (and other devices) via a security vulnerability in your Wi-Fi network or a website that you visited. The e-mail usually goes on to say that the happy hacker has obtained your passwords, has downloaded your browsing history, has accessed photos and sensitive documents on your device or has been watching and recording you through your webcam. In many cases, the scammer will claim that they have evidence of you visiting adult websites and will even go into graphic descriptions of photo and video material of you in your most private moments. More recently, scammers employ artificial intelligence tools (like deepfakes) to create videos of 'you' in compromising scenarios and threaten to release these if you do not comply.
This type of attack usually catches the victim's attention and in a panicked moment many people do pay up to preserve their dignity. In truth, the vast majority of these claims are simply phishing expeditions, but they are effective for the following reasons:
- Scammers exploit our fear of shame and embarrassment, and deep-rooted stigmas about sex, often threatening to send the compromising information and footage to friends, family and colleagues.
- The e-mail sometimes refers to an actual password used by the victim.
- The e-mail may contain technical information such as router IDs, IP addresses or IT terms that create the impression that the scammer is serious.
- There may, by coincidence, seem to be truth in the claims if you have visited an adult website or do have intimate images on your device.
Though you may be thoroughly shaken at first, stop and consider the following:
- The poor grammar and spelling mistakes seen in almost all of these e-mails are the tell-tale signs that this is just a scam attempt and that your devices and information have not been compromised.
- Scammers create the impression that they have complete access to and control of your data and bank accounts to intimidate you into complying. Though possible, it is unlikely unless you have been exposed in a serious security breach. In some cases, they may have gained access to some of your sensitive information or passwords after you visited a vulnerable website or clicked on a phishing link.
- Scammers rely on the fact that many internet users do not have the sophisticated tech knowledge to determine if they have been compromised and to what extent.
- Many scams are designed by applying a statistical probability. For example, milllions of people visit adult websites. Scammers know that at least some of the many e-mails they send will reach a recipient that has visited an adult website. Notice that the descriptions, though graphic, are usually non-specific and could apply to anyone.
Should you receive such a threat, do not respond. Delete the e-mail and report the scam attempt on our website: https://yima.org.za/reportscam.
To protect yourself proactively against such attacks, download the YiMA browser plug-in. The plug-in passively identifies vulnerable or unsafe websites as you surf the net. Download here: https://chrome.google.com/webstore/detail/yima/cahmajcpiilipcdkbplihchpgojaldpn.
Implement two-factor authentication and refrain from using one password for all your online accounts. Ensure that you use strong passwords with a minimum of eight characters, including numbers, letters and special characters. Also consider changing your passwords from time to time. In addition, be cautious about using open Wi-Fi networks and do not click links on unfamiliar or insecure websites, or links in e-mails and SMSs received from unknown senders.
In the unlikely event that it becomes clear that a scammer truly is a hacker who has access to your information and is threatening you, immediately disconnect all your devices from the internet. Call your bank to ensure your accounts are secured, report the incident to the police for investigation and to YiMA, for awareness and prevention efforts. Remember that extortion is a crime and that you are not the one at fault.
Unfortunately, the services used by businesses to protect and defend themselves against cybercrime are not readily available to consumers, and currently there is no public service solution available to assist consumers after they have been hacked. The best option is prevention. Stay safe.