Blackmail and sextortionIf criminals get hold of your personal information, you could become a victim of an email attempt to blackmail you with threats to expose your details in ways that could be damaging or embarrassing, or both. Or, you may find the threat is empty.
Wed 22 Feb 2023
6 min read
Blackmail scams occur when scammers send you emails claiming that they have accessed an account that is personal to you. You need to avoid falling for it.
What’s a blackmail email?
Blackmail is when a hacker or scammer threatens to publish a personal or private piece of information unless they get paid not to do it. It’s extortion, straightforward racketeering, attempting to extort money from someone by threatening them unless they pay up. There has been a recent wave of this kind of scamming activity.
The information they claim to have might be true, but it could also be false. Depending on the nature of the information the scammer has, or claims to have, they go on to threaten to send the victim’s family and friends whatever it is. Or else.
It’s important to stay calm in the face of such an attack. In many cases, it will turn out that the scammer does not have the information they claim to have and that they can’t actually hurt you.
These scams are predominantly delivered via email. As in most scams, the fraudster will apply pressure, such as giving you 48 hours to pay a large sum in bitcoin to an untraceable account.
The criminals typically claim that they have hacked a device, such as a phone or tablet. They may include a few snippets of personal information such as images of web pages you’ve visited, or even your username and password for a particular site. The email may appear to have come from your own account, but this is important to check. It’s possible that the scammer has ‘spoofed’ your email account. Just like ‘telephone spoofing’ we wrote about a few weeks ago, email spoofing is similar in that an email appears to be from your account when in fact its true identity has been masked. When an email account has been spoofed, it doesn't mean it’s been hacked. They try to make it appear to be from your account in order to convince you it’s a real threat.
However, it’s also possible that a hacker has managed to get some malware installed on your device. Perhaps during a phone call, you were persuaded to download an app or some software that masks more sinister code which enables the hacker to access all sorts of things on your device, phone or computer.
If they’ve managed to get your username and password for your device then your data can be seriously compromised and put you at risk. Not only can the hackers take screenshots of what you’re looking at, they can access all your contacts and interrogate saved passwords. Then, they can sell your data on the dark web, potentially exposing a slew of usernames and passwords you have for all kinds of online accounts.
The scammer may also claim to have got access to your photos, your contact lists, all your social media accounts and things like chat history. And then they say they will use it against you, or share it randomly.
Deep, dark web
If your username and password for an account has been hacked from a company server during a data breach, it can appear on the dark web where scammers can buy it very cheaply. If the scammer can piece together even just a few pieces of information they can use it to convince you they have access to everything. And if they’ve got your password and you use the same password across a variety of accounts, you could be in serious difficulty. They will try combinations of usernames and passwords and, too often, they get lucky.
If you receive a blackmail email, you might see your password in the email. Scammers do this because they know it will scare you and lead you to believe that the content of the email is genuine, which may make it more likely that you’ll pay the ransom. The password scammers use could be a password you use now, or it could be an older password that you haven't used for a while and they're just trying it out.
Watching you watching
Sometimes blackmail scams include the victim being told that their internet browsing has been monitored and that the scammer has installed some malware on your device giving them access to your device’s camera, its microphone and files. They may also claim to be able to access your keyboard. They can film you looking at your screen, or anything going on in the room behind you.
‘Sextortion’ occurs when hackers claim to have been watching you watching porn and using your camera to record you doing it. This diabolically invasive activity makes victims fearful, and scammers use fear as part of their malevolent social engineering to push people into doing things that they wouldn't normally do.
There have been reports of men in particular being tricked into sharing intimate videos of themselves on a live webcam, thinking they are sharing with a partner they just met online doing likewise. But then only to find that they’ve been recorded and now receive a demand for money or else the video will be sent to family, friends and work colleagues.
What should you do?
If you find yourself on the receiving end of a blackmail email, remember to stay calm. Scammers are lazy and they want to force you to reply and pay the ransom and make the threat go away. That’s why they apply such urgency, to stop you thinking.
Remember that, in most cases, they can’t hurt you.
- if you don’t reply to the email
- don’t pay them in any way
- delete the blackmail email
But get passwords changed right away.
Remember, if a scammer claims to have access to your account, it may be that they have bought your credentials on the dark web. They may be out of date - another reason to keep your password updated regularly, and they are just trying to scare you. Consider the use of password management apps to help you keep on top of passwords as well as making them unique for each and every site or app you use, and to remind you to update them often.
So, you shouldn’t immediately think some malware has got into your device. If you get a blackmail email, it may frighten you, but it doesn’t necessarily mean that you’ve been spied on, and no one has breached your computer.
Most of us know what good practice looks like for taking care of our passwords. Remember:
- always use different passwords for different accounts
- don't use the same password on multiple sites or apps. If you do, you’re more likely to be hacked. If you’re registered on a site that’s been breached and if you use the same password for all your accounts, hackers will use the leaked login details to their advantage
- change your passwords on all your accounts and apps regularly. If you have different passwords for all your various accounts, you’re less likely to receive blackmail emails
- use secure passwords that are not commonly used
- never use use private information in your passwords, such as pet or street names
- use a password manager to degenerate strong passwords and manage them for you. The bonus is you won’t have to remember lots of different ones
- use two-factor authentication
- never pay any ransom
- don’t reply to the email
- don’t open any attachments, it might contain real malware
- if the scammers show you a password of yours, double check to see whether it’s an old password
- if they show you a password that you’re currently using, change it right away
Keep your data close
As we’ve seen, scammers often get snippets of data about us that they can then try and weave into a scam to convince us they will do us real harm unless we pay up. But, if they can’t hold of that data in the first place, that reduces the chances of being targeted considerably
Scammers get personal data in many ways, but quite often as the result of data being hacked or stolen in data breaches. Millions of data records get sold on the dark web, and that could include your details, stolen from an unsuspecting company that has your information in its servers.
To reduce the chances of your data getting into the hands of scammers, you should get it deleted from any organisation that no longer needs it. You can get your data deleted from any company, in a single click, by using Rightly Protect. Our service is quick, simple and free.
Thu 05 May 2022
5 min read
Keep it secret. Keep it safe.
Many people, as many as 82%, reuse passwords on multiple sites. This creates a lot of vulnerabilities because if someone gets hold of one password, they could get access to all sorts of things from social media platforms to bank accounts. Take time to work out who has your password, minimise the risk and keep yourself protected.
Wed 12 Oct 2022
4 min read
Should a company data breach bother you?
October is Cyber Security Month. Just last month one of the biggest and most serious data breaches that has ever occurred, happened to Australia’s second largest telecom business. The breach has compromised almost half of the whole of the country’s population, leaving them exposed to serious risk of being scammed and the appalling prospect of identity theft. Could this happen in the UK? Have you ever switched provider? What happened to your data when you did?