Extortion emails back on the rise, says report
Emails are the bread and butter for cybercriminals, say experts, as they are the gateway to a victim's virtual identity, providing access to accounts, devices and online activity all at once. Protect yourself by using separate logins, different passwords, and added security such as two-factor authentication. (Getty Images/Fizkes)
We’ve all been there. A suspicious email pops up in our inbox requesting we click on a link, open an attachment, send money or respond immediately in some way.
It’s urgent, piquing our curiosity, even threatening or frightening us. Email scams aren’t new, but we’re still falling victim to them as hackers’ methods increase in boldness, sophistication and permeation.
Here are some typical scams to watch out for.
EXTORTION MAKES A COMEBACK
According to a recent Symantec report, extortion emails—those that attempt to get cash from victims—are back on the rise, with the cybersecurity company blocking 289 million of them from reaching customers in the first five months of 2019.
Sextortion email scams, in particular, have risen in frequency since mid-2018, the report says. Hackers will threaten to release webcam footage of a victim visiting an adult website they claim to have accessed through malware. If the victim coughs up “x” amount of dollars (requests for Bitcoin are increasingly common), their “secret” is safe.
There’s also the “infidelity” scam, in which a hacker contacts an individual via phone, email, text, even a mailed letter, claiming to have damning information about an alleged adulterous partner and requesting a Bitcoin deposit to either keep the information quiet, or release it to the individual who is apparently being cheated on. The United States Federal Trade Commission issued a warning about this type of blackmail scam in 2018.
“Hackers will make claims without actually having the compromising information in their possession,” says cybersecurity expert Imran Ahmad. “They are preying on the targeted individual’s sense of embarrassment and fear.”
Other extortion tactics include bomb threats and hitman schemes (“pay ‘x’ amount in dollars or a bomb will go off in your office or you will be killed”) or monetary demands from authorities (“pay ‘x’ or you will go to prison”). Once clicked on, these emails can infect computers with malware, ransomware and trojans that steal further information.
“At that point the hacker has access to your computer,” Ahmad adds. “They can track every keystroke that you are doing dependent on what has been embedded.”
CREDENTIAL STUFFING ON THE RISE
Email addresses, and their associated passwords, are bread and butter for hackers, says Claudiu Popa, a certified security and privacy risk advisor, and CEO of Informatica Corporation. Why? Because, he explains, they are the gateway to a victim’s virtual identity, potentially providing access to several accounts, devices and online activity at once.
“[Personal emails and their passwords] are by far the most valuable identity element, because they are used to not just uniquely identify you on the entire internet,” he says, “but are also used to validate accounts, track your location and devices, determine your behavioural patterns and preferences, store communications for years or decades, and generally represent the centre of your world.”
The activity—known as credential stuffing—involves hackers accessing email addresses, usernames, passwords and data-recovery information (including security questions) while targeting multiple accounts (email accounts, banking profiles) and platforms (social media).
“That trend is on the rise because people reuse the same passwords across a number of sites, and large data breaches are taking place more frequently,” says Popa.
There are a few tried-and-tested email subject headings still to be on alert for. These include those toned with urgency, such as “Right now or else!”; tempting questions demanding action, such as “Reach more customers now”; or those piquing curiosity, such as “Three quick ways to make $7,500 extra a week”, shares Popa.
More nuanced email scams include those mimicking service providers such as banks, retailers, mobile-device providers or travel companies, adds Ahmad. Users can be easily duped as the emails look authentic and include standard operating procedures such as order and password reset confirmations, notifications of suspicious account activity, and so on.
“It looks legitimate. The graphs are good. There aren’t any spelling mistakes in it,” he says. “You would be surprised how many people will have a hard time figuring out that the email is not legitimate.”
Cybercriminals are also piquing our interest via email subject headings, reports Symantec, by using our former passwords, phone numbers and emails, extracted from data-breach dumps.
FOOL ME ONCE
So, with articles like this one sharing the latest from experts, why do we open these emails, let alone click the links in them? They’re better drafted, more manipulative, and catchy, says Ahmad. Familiarity causes us to act.
“Human curiosity is what it is,” he says. “They draft their subject line with a hook that would encourage you to click or at least look at the email more.”
More sophisticated approaches such as mixing richer data, the use of AI, techniques to bypass defences such as two-factor authentication, and more computer power are also at play, adds Popa.
“Scams, tricks and fraud have been a part of human civilization and society forever. There’s nothing new here, not the Nigerian Letter scam nor the cup and ball tricks of street peddlers,” says Popa. “Without knowing about particular scams, it is difficult to anticipate them. You would have to invent every kind of trick in order to be able to prevent being scammed.”
IN YOUR HANDS
ON ALERT TO PROTECT YOURSELF
When it comes to personal email accounts, the biggest threat is identity theft, experts say. Cybersecurity experts Imran Ahmad and Claudiu Popa offer suggestions to protect yourself.
While this may seem obvious, we might need a reminder: Filter risky websites (using tools such as OpenDNS, advises Popa) and ignore sketchy emails and clickbait.
Use separate log-ins. Avoid using Facebook or Google credentials to log into another account, when offered. “Though it is a bit more time-consuming, try not to use it, because if you get those credentials compromised, the hacker potentially has access to multiple different accounts,” says Ahmad.
Use two-factor authentication. When it’s offered, use it, says Ahmad. It’s an added assurance for protecting your personal data.
Manage passwords. An obvious one, but regularly update your passwords and use something more complex that’s tough to crack, reminds Ahmad. Avoid using one password for multiple accounts, adds Popa. That way, he says, if a site that you use gets breached, your other accounts won’t get hit.
Clear out your email box. Get rid of old or unnecessary invoices, receipts, statements or anything containing personal information if you don’t need them. “You will be surprised how many emails you have that contain [personal] information,” warns Ahmad. “Now imagine some third party going in and doing those searches on your behalf. It’s very attractive.”