Cyber-extortion: Why it works and how to fight back

The Internet is probably the most amazing thing ever invented. Never before has the entire scope of human knowledge been available for the asking. In spite of the countless benefits, however, the Internet also has a way of bringing out the very worst in people. After all, we have all probably been ridiculed by an online troll at one time or another, and who among us hasn’t had someone online try to scam them? As bad as these activities are, however, things can always be worse. Right now, one of the online trends that seem to be gaining traction is cyber-extortion.

What is cyber-extortion?

So what is cyber-extortion? Cyber-extortion can come in many different forms, but at its simplest, it is when someone online threatens some sort of harm unless you meet their demands. The demand is usually for money (commonly in the form of bitcoins), but an extortionist could conceivably demand just about anything.

Let me give you a rather horrifying example. Recently, I was traveling and was off of the grid for a while. Within minutes of regaining a cell signal, however, I received a phone call from a friend who said that he had been trying to reach me for days.

My friend then proceeded to ask me if I knew anything about bitcoins. In doing so, he tried to play it cool, but the simple fact that he had initially said that he had been trying to reach me for days told me that this was no casual inquiry. I answered by saying that yes, I do know about bitcoins, and asked what it was that he needed.

Ignoring my question, my friend began to ask me a series of questions about what a hacker realistically could or could not do to a computer. His first question was something to the effect of whether an attacker could cause data loss. At this point, I put two and two together and asked my friend if he had been hit by a ransomware attack. What I wasn’t expecting was my friend’s answer of “I wish.” Nobody wants to be attacked by ransomware, so I knew that my friend must have fallen into a really bad situation, although I couldn’t guess the half of it.

To make a really long story short, someone was trying to extort money from my friend. He had been contacted by someone who claimed to have hacked into his computer and captured compromising photos from his webcam, as well as screen captures to go along with the photos. The extortionist threatened to send the incriminating images to everyone in my friend’s address book unless my friend paid nearly $10,000 in bitcoins.

So obviously, this was a delicate situation. Before I tell you how the story ends, I want to take a step back and examine why cyber-extortion scams like this one work.

How extortionists get results

Extortionists know that if they want to get paid, their threat needs to do two things. First, the threat has to carry unacceptable consequences. This can be anything from threatening to expose an affair to threatening to kill a puppy. Whatever the threat, it has to be something drastic. Nobody is going to pay up if the threat is inconsequential.

Second, the extortionist knows that the scam has a much better chance of working if they can cause the victim to react with emotion rather than logic. That’s why in my friend’s situation, the extortionist didn’t just say “pay up or I will expose these photos.” Instead of keeping the threat short and sweet, the extortionist followed the threat up with lines such as “these photos will ruin your life,” “your wife will leave you and you will be fired from your job,” and my personal favorite, “don’t call the cops.”

Being that the extortionist needs to solicit an emotional response from their victim, they cannot risk giving the victim time to think through the situation logically, or time to speak to law enforcement. As such, any good extortionist will set a time limit. In my friend’s case, the extortionist essentially said that “if I don’t get my money by tomorrow, I am going to ruin your life.”

What should you do?

So how can you protect yourself in a situation like the one that my friend found himself in? Step No. 1 is to determine whether the threat is credible. I think that this is probably what my friend was trying to do when he was asking me about whether it is possible for a hacker to erase data, access your webcam, access your address book, etc.

In my friend’s case, the threat thankfully was not credible, but let’s suppose for a moment that it was. Imagine that someone had broken into his PC and could really do all of those things. The next consideration would then be what would actually happen if the extortionist really did follow through on the threats. Some of the questions that I recommended that my friend consider included:

• Realistically, how bad could the pictures potentially be? Is there really any chance that they would be so bad as to ruin your life?
• If the extortionist does have these photos, would he actually release them? Anyone who has ever hacked a computer knows that the odds of getting caught increase with each action that you take. As such, a nervous extortionist might choose to cut his losses and move on to an easier target rather than risk unnecessary exposure.
• Is there any chance that the extortionist is bluffing?

That last question is the really important one. Remember, an extortionist does not actually have to hack a victim’s computer in order to get paid. The extortionist only needs to make their victim to believe that their computer has been hacked. The flip side to this is that if the extortionist really has hacked a computer, then they are probably going to flex a little bit of muscle in an effort to convince their victim to pay up. This might mean presenting the victim with a private document that proves that their computer has been compromised, or perhaps remotely controlling the computer as a way of getting the victim’s attention.

Avoid becoming a victim

As previously mentioned, the threat made against my friend was not credible. The extortionist did not provide one shred of evidence that my friend’s computer had actually been compromised. Furthermore, a detailed forensic analysis of my friend’s computer did not show any signs of a breach. My guess is that the extortionist probably sent the same message to thousands of potential victims in hopes that someone would panic and pay up.

Even though the threat made against my friend was not credible, there are plenty of cyber-extortion and online blackmail scams that are real. The best way to avoid becoming a victim of these crimes is to adhere to common security best practices such as:

• Never blindly click on email links or open untrusted attachments.
• Keep your operating system, applications, and security software patched and up to date.
• Keep your webcam covered when you are not using it.
• Never do anything online today that could embarrass you tomorrow.

Photo credit: Shutterstock