Criminals use extortion emails to blackmail people. These criminals usually claim to have sensitive information or content that they threaten to forward to friends and family unless you pay.
The email will tell you that the sender has tracking software on your device and will make a vague statement about knowing you've visited porn sites. They also claim to have used your device's camera to capture you pleasuring yourself.
Extortion emails typically contain some personal data, like a password, stolen from a data breach. Even if the password is an old one, it can be shocking to learn that a stranger knows something private. Perhaps, what they are telling you is true!
From corporate data breaches to ransomware attacks and even personal extortion email scams—cybercriminals continuously find ways to steal data and money.
The 2021 T-Mobile data breach affected over 40 million users, less than a quarter of which were actual T-Mobile customers!
The most damaging case in recent memory is the LastPass breach, which seems to get worse every day. Even if it's not a password manager that gets attacked, most of these breaches lead to attackers stealing customers' personal data. The data stolen from breaches can be used to craft convincing extortion emails.
In this article, we will take a closer look at extortion emails and what you can do if they ever find your inbox!
What is Sextortion?
Sextortion is a type of extortion where criminals claim to have explicit content of you—usually nude, masturbating, or other sexually explicit content.
Sometimes users don't have explicit content, but information linking the victim to adult content like a cam site or dating website for married individuals—as was the case with Ashley Madison.
In the infamous Ashley Madison data breach, criminals only had account information linking the user to the website. This information could potentially ruin the victim's relationships or even bring public shame.
More than five years after the Ashley Madison data breach, criminals still contact users with sextortion demands.
With sextortion, the criminals usually have actual evidence of your actions—which they're happy to share with you via a short clip or screenshot.
Whereas extortion emails typically use minor details (like an old password) to bluff you into believing that the sender has more incriminating content or information about you.
What Are Some Examples of Extortion Emails?
Most English extortion emails are poorly written with many spelling and grammar errors. The emails are usually somewhat lengthy with lots of threats, and the sender tries to portray themselves as authoritative.
The email usually reveals something vague you're "guilty" of but could apply to many people, almost like a star sign.
It's important to note that if someone has incriminating evidence against you, they'll expose it because it'll ultimately increase the chances you'll pay!
Here is an extortion email example Malwarebytes Labs received from a victim:
"Hey, you don't know me. Yet I know just about everything about you...Well, the previous time you went to the adult porn sites, my malware was triggered in your computer, which ended up logging a eye-catching footage of your self-pleasure play by activating your webcam. (you got an unquestionably weird preference btw lmao)."
If you reply asking for proof, the sender threatens to send the video to 10 random people in your contacts list. The email shares a Bitcoin address where you should send $2,000 in Bitcoin.
In this particular email, the sender gives the recipient 24 hours to act. For anxious individuals, this sort of pressure could easily elicit a response.
Why Do Extortion Emails Work?
Priya Sopori, a partner at law firm Greenberg Gluster, says,
"They play on our basest levels of psychology. You will read personalization into any generic statement. And if you believe that there are hackers out there that know every aspect of your life, and maybe they even know your life better than you do, you might actually pay even if you've done nothing at all."
By the email's mocking tone, cybercriminals know precisely what buttons to push and how to make you feel ashamed, even for something you haven't done.
The humiliation that your friends and family might see you in the same light puts immense pressure on the victim to take action—paying the ransom to avoid embarrassment!
Who Uses Extortion Emails?
Hackers usually sell databases from data breaches on underground forums to the highest bidder, so it's difficult to say where your details end up.
Most of these databases end up with low-level cybercriminals who run similar rackets—like the IRS scams where fraudsters threaten to arrest you if you don't pay unpaid taxes immediately.
What to do With Extortion Emails
No matter how convincing an extortion email might be, never engage or respond with the sender. Any exchange could lead to the attacker learning more information about you.
You should also NEVER click any links or open attachments.
Most countries have cybercrime agencies. In the United States, the FBI has a division for handling cybercrimes. Report the extortion email immediately, even if criminals say there will be "repercussions" if you report them.
The authorities will usually have an email address where you can forward the extortion email. Once sent to the police, delete the email.
Change Your Passwords
Next, change the password for the account(s) where you use that password. Use a secure password generator and use a different password for every account!
You must never reuse the same password for multiple accounts. If attackers steal your password from a data breach, they can easily access the other accounts you use through what's called credential stuffing.
Should You Pay the Ransom?
Paying an extortion email ransom will not resolve the matter. If anything, it'll make your life worse in the long run.
Criminals will invariably approach you again for money, or worse, sell your details as an "easy target" to other criminals.
If you know the attackers have incriminating details or content against you, consult your local authorities on how to proceed with the matter. Do not attempt to reply or negotiate on your own!
How to Deal With Extortion Emails at Your Company?
Although less common, extortion emails also target businesses. The sender might run a similar scam, exposing a company password as "proof" that the criminals have more incriminating information.
Most companies have pretty robust spam filtering, so these emails never reach the intended inbox. But companies must react appropriately.
As with extortion emails targeting individuals, companies must never engage with the sender! Report the email to authorities and delete it immediately. Add that email address to your blocked senders.
Change Passwords Immediately
Even if the password the sender revealed is old, change your passwords immediately, especially if you have used that password for multiple accounts—poor habit companies should stop immediately.
Using a password manager like TeamPassword will prevent companies from using the same credentials more than once. TeamPassword's built-in password generator allows you to create strong passwords from 12-32 characters using uppercase, lowercase, symbols, and numbers.
Secure Company Passwords with TeamPassword
Here's how TeamPassword can help!
One Password Manager for Every Account!
Instead of sharing raw login credentials, each team member (including clients, freelancers, and contractors) gets a TeamPassword account.
Team members then use one of TeamPassword's browser extensions (Chrome, Firefox, and Safari) to log into social media accounts, productivity apps, marketing tools, and other web applications. Similar to how Google Chrome remembers your passwords.
So why not just use Google Chrome?
Passwords saved in your browser can be helpful for individual use but pose many security vulnerabilities and don't work well for sharing passwords securely.
Groups and Sharing
TeamPassword is built for sharing. You create groups for your various accounts, clients, or however you wish to distribute access.
Instead of sharing raw credentials, you add relevant coworkers to a group. This feature allows you to limit access to those who need it and prevents team members from sharing passwords, preventing unauthorized logins.
When a team member no longer needs access, simply remove them with one click. No need to change passwords every time someone leaves a project!
Two-Factor Authentication (2FA)
2FA is your second line of defense for secure password management. Even if attackers steal a team member's credentials, 2FA prevents them from accessing your TeamPassword account.
Activity & Notifications
TeamPassword's activity log lets you monitor or review team member's logins, including credential sharing, setting up new accounts, changing passwords, and more.
You can also get instant email notifications for all TeamPassword actions, allowing you to track sensitive accounts or data.
Get Your Free TeamPassword Account Today!
Don't let your company fall victim to extortion emails, credential stuffing, and other password vulnerabilities. Let TeamPassword take care of security while you focus on growing a successful business!
Sign up for a 14-day free trial to test TeamPassword with your team members today.