Blackmail is a common practice among cybercriminals. Although most of the threats are usually fake, many employees lack enough knowledge and are easily taken in. Therefore, it’s crucial to constantly raise awareness and talk about online scams – including sextortion.
The concept of blackmail is said to date back to the 16th century, but the internet has taken it to new heights. Cybercriminals use a variety of blackmail and extortion techniques to target victims—and while the threats are usually fake, your employees need to be aware of these scams.
Recently, so-called sextortion emails have been increasingly popular with criminals, usually going something like this:
“Hello, my friend. You don’t know me, but I know you very well. Better than you’d expect, lol. This is your password, right?”
Emails like these often show up in employee mailboxes. The blackmailer usually claims to have stalked the recipient via their webcam while they were watching some adult content—and demands that the addressee pay up or the hacker will tell their family and co-workers or share explicit videos taken from their webcam.
These threats are petrifying enough that recipients often don’t want to take a risk and will pay the desired sum—which is exactly what they shouldn’t do. Take a proactive approach to the problem and let your employees know that sextortion scams are becoming more common—and that you want to make sure that no one is victimized.
Explain the concept
Email sextortion scams are mostly swindles. They depend on social engineering, which is the psychological manipulation of people into performing actions or divulging confidential information. These extortionists try to look real, believable and confident—for example, claiming to have the victim’s password and access to their webcam—when often, they’re simply bluffing.
The FBI offers these tips to avoid being targeted in the first place:
- Do not open emails or attachments from unknown individuals
- Do not communicate with senders of unsolicited email
- Don’t store sensitive or embarrassing photos or information online or on your mobile devices.
- Ensure that security settings for social media accounts are activated and set at the highest level of protection
Tell them not to pay up
Scams are a great business: According to the FBI’s Crime Complaint Center, in 2018, extortion by email caused losses around $83 million, most of them coming from sextortion campaigns.
The main purpose of sextortion emails is to make the victim pay – preferably in Bitcoins, which allows the hackers to collect the money anonymously. However, these demands can be in the thousands of dollars – and once the target of the scam pays up, they may receive additional threats and demands.
This is why experts say a victim should never respond to demands for money (or information such as passwords, account information, etc.)
Talk about password best practices
The attacker may actually have the employee’s password, but that’s probably all they have. Mentioning a real password is just another technique to make the recipient feel nervous. Educate your employees on how the password market works. Explain that hackers often buy stolen passwords, which may have been revealed during a data breach, on the dark web at a fairly low price.
Most important, use this opportunity to remind employees of best practices when creating a strong password or passphrase. Explain that the password-selling business is exactly the reason why everyone needs to change their password periodically. As a business owner, you should strongly consider implementing two-factor authentication as an additional layer of protection.
Discuss how to react
If the criminal does indeed have the correct password, advise your employees not to panic—but to change that password immediately. They shouldn’t reply to the email or pay the ransom, nor should they click on any links or attachments in it. In addition, your IT person or internal security departments should be alerted about the email.
Cyber blackmail, sextortion and other online threats can be reported at the FBI’s Internet Crime Complaint Center.