What are Extortion Emails?
Aimed at: Everyone
What are extortion emails?
An extortion email is an attempt by an attacker to force you into performing an action, such as transferring money to them. It is designed to make you react rashly, in a panic, because of the embarrassing or uncomfortable content of the email; however, in virtually all cases the threat is empty.
How can you recognise an extortion email?
In the email the attacker will often claim that they’ve taken over control of your computer without your knowledge, that they’ve been monitoring your activities for some time and that they have gathered material you may find embarrassing or sensitive, for example webcam recordings and browser histories. The attacker then threatens to release or misuse the material unless you comply with their demands, e.g. for payment. To make the email seem authentic, the attacker may offer "proof", such as stating that they sent the email to you from your own account (the From: address is your own email address) or including one of your actual passwords in the email. Notably, the "proof" never seems to include any samples of the material that they claim to possess.
How did the attacker send the email from my account?
They almost certainly did not. The original standards for email date back to 1982 and some of the design choices would never be repeated today. In particular, it is possible for the sender of an email to put anything they like as the ‘From:’ address, even if the address doesn’t actually belong to them. While it is possible that they may have gained access to your email account, it’s more likely that they’ve simply forged the sending address of the email.
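As an added illustration of this point (not part of the original article), the Python snippet below reads a raw message and compares the visible From: domain with the envelope sender (Return-Path) and with the SPF, DKIM and DMARC verdicts that the receiving mail server records in its Authentication-Results header. The message, names and domains are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample (placeholder domains): From: shows the recipient's own
# address, but the envelope sender and the receiving server's
# Authentication-Results header say SPF, DKIM and DMARC did not pass.
SAMPLE_EXTORTION = b"""\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.org
From: Alice Example <alice@example.org>
To: Alice Example <alice@example.org>
Subject: I have been watching you

Pay now or the recordings go public.
"""

def parse_auth_results(msg):
    """Map mechanism -> result ('pass', 'fail', 'none', ...) taken from the
    Authentication-Results header. Only the copy added by your own receiving
    server is trustworthy; its first token is that server's authserv-id."""
    raw = msg.get("Authentication-Results", "")
    results = {}
    for clause in raw.split(";")[1:]:            # skip the authserv-id
        mech, _, rest = clause.strip().partition("=")
        if mech:
            results[mech.lower()] = rest.split()[0].lower() if rest else ""
    return results

def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_from_header(raw_bytes):
    """Return findings that suggest the visible From: was not authenticated.
    An empty list means envelope sender, From: and SPF/DKIM/DMARC all agree."""
    msg = email.message_from_bytes(raw_bytes)
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg)
    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender {envelope_dom} != From: domain {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")
    return findings
```

Mail clients usually hide these headers; look for a "show original" or "view source" option to see them, and remember that the Authentication-Results line added by your own mail server is the one that matters.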
How did the attacker get hold of my password?
Assuming that you recognise the password as being one that you have used yourself, there are several ways that it may have ended up in the hands of the attacker. None of these necessarily implies that the person sending you the extortion email has taken over control of your computer.
It’s an unfortunate reality of life on the internet that online services and websites will be breached from time to time, or that people will fall victim to phishing attempts. If either of these events happens, even the strongest passwords are exposed to an attacker.
- Perhaps it was a common password such as "Passw0rd" or "letmein" etc. and the attacker got lucky when they paired it with your email address.
- The password may have been used with an online service or website that was subsequently breached, leading to the contents of its account database being exposed. The attacker took the email address and password from the breach and used them to personalise the extortion email.
- The device that the password was entered on had previously been compromised by an attacker and malicious software ("malware") was installed on it, which captured the password when it was entered and transmitted it to the attacker. Usernames and passwords gathered in this manner may be reused by the same attacker e.g. for sending out emails like this one, or may be traded or sold to other cyber criminals for their use.
- The password was accidentally revealed to the attacker by entering it into a fraudulent website, which masquerades as a legitimate one – a phishing website. These sites pretend to be either commonly-used services such as Google, Microsoft, Amazon, etc. or the organisation that the victim works for or has an association with. Usernames and passwords gathered in this manner may be reused by the same attacker e.g. for sending out emails like this one, or may be traded or sold to other cyber criminals for their use.
What should I do if I receive an extortion email?
- Do not respond to the attacker or follow their instructions. Seek assistance from a trusted source if you need to.
- If there are any other online services or websites that use this password, you must log in to them and change the password immediately. Once an attacker discovers a valid username and password combination, they will try using it at a number of popular online services and websites to see if they can access those accounts as well.
- To limit the damage that an attacker can do with a compromised password, every account on every separate online service or website should have its own unique password. Remembering unique, strong passwords for the many accounts that a person might have is impractical, but this is where password manager applications can help. See https://ask.napier.ac.uk/article.php?id=241 for further information.
- Ensure that all your devices have reputable anti-malware software installed and that it is both operational and fully up-to-date.
- If you have any other questions or are worried about any other suspect emails, contact the IS Service Desk.