Cyber-extortion: Why it works and how to fight back

The Internet is probably the most amazing thing ever invented. Never before has the entire scope of human knowledge been available for the asking. In spite of the countless benefits, however, the Internet also has a way of bringing out the very worst in people. After all, we have all probably been ridiculed by an online troll at one time or another, and who among us hasn’t had someone online try to scam them? As bad as these activities are, however, things can always be worse. Right now, one of the online trends that seem to be gaining traction is cyber-extortion.

What is cyber-extortion?

cyber-extortion

So what is cyber-extortion? Cyber-extortion can come in many different forms, but at its simplest, it is when someone online threatens some sort of harm unless you meet their demands. The demand is usually for money (commonly in the form of bitcoins), but an extortionist could conceivably demand just about anything.

Let me give you a rather horrifying example. Recently, I was traveling and was off of the grid for a while. Within minutes of regaining a cell signal, however, I received a phone call from a friend who said that he had been trying to reach me for days.

My friend then proceeded to ask me if I knew anything about bitcoins. In doing so, he tried to play it cool, but the simple fact that he had initially said that he had been trying to reach me for days told me that this was no casual inquiry. I answered by saying that yes, I do know about bitcoins, and asked what it was that he needed.

Ignoring my question, my friend began to ask me a series of questions about what a hacker realistically could or could not do to a computer. His first question was something to the effect of whether an attacker could cause data loss. At this point, I put two and two together and asked my friend if he had been hit by a ransomware attack. What I wasn’t expecting was my friend’s answer of “I wish.” Nobody wants to be attacked by ransomware, so I knew that my friend must have fallen into a really bad situation, although I couldn’t guess the half of it.

To make a really long story short, someone was trying to extort money from my friend. He had been contacted by someone who claimed to have hacked into his computer and captured compromising photos from his webcam, as well as screen captures to go along with the photos. The extortionist threatened to send the incriminating images to everyone in my friend’s address book unless my friend paid nearly $10,000 in bitcoins.

So obviously, this was a delicate situation. Before I tell you how the story ends, I want to take a step back and examine why cyber-extortion scams like this one work.

How extortionists get results

Extortionists know that if they want to get paid, their threat needs to do two things. First, the threat has to carry unacceptable consequences. This can be anything from threatening to expose an affair to threatening to kill a puppy. Whatever the threat, it has to be something drastic. Nobody is going to pay up if the threat is inconsequential.

Second, the extortionist knows that the scam has a much better chance of working if they can cause the victim to react with emotion rather than logic. That’s why in my friend’s situation, the extortionist didn’t just say “pay up or I will expose these photos.” Instead of keeping the threat short and sweet, the extortionist followed the threat up with lines such as “these photos will ruin your life,” “your wife will leave you and you will be fired from your job,” and my personal favorite, “don’t call the cops.”

Being that the extortionist needs to solicit an emotional response from their victim, they cannot risk giving the victim time to think through the situation logically, or time to speak to law enforcement. As such, any good extortionist will set a time limit. In my friend’s case, the extortionist essentially said that “if I don’t get my money by tomorrow, I am going to ruin your life.”

What should you do?

So how can you protect yourself in a situation like the one that my friend found himself in? Step No. 1 is to determine whether the threat is credible. I think that this is probably what my friend was trying to do when he was asking me about whether it is possible for a hacker to erase data, access your webcam, access your address book, etc.

In my friend’s case, the threat thankfully was not credible, but let’s suppose for a moment that it was. Imagine that someone had broken into his PC and could really do all of those things. The next consideration would then be what would actually happen if the extortionist really did follow through on the threats. Some of the questions that I recommended that my friend consider included:

• Realistically, how bad could the pictures potentially be? Is there really any chance that they would be so bad as to ruin your life?
• If the extortionist does have these photos, would he actually release them? Anyone who has ever hacked a computer knows that the odds of getting caught increase with each action that you take. As such, a nervous extortionist might choose to cut his losses and move on to an easier target rather than risk unnecessary exposure.
• Is there any chance that the extortionist is bluffing?

That last question is the really important one. Remember, an extortionist does not actually have to hack a victim’s computer in order to get paid. The extortionist only needs to make their victim to believe that their computer has been hacked. The flip side to this is that if the extortionist really has hacked a computer, then they are probably going to flex a little bit of muscle in an effort to convince their victim to pay up. This might mean presenting the victim with a private document that proves that their computer has been compromised, or perhaps remotely controlling the computer as a way of getting the victim’s attention.

Avoid becoming a victim

As previously mentioned, the threat made against my friend was not credible. The extortionist did not provide one shred of evidence that my friend’s computer had actually been compromised. Furthermore, a detailed forensic analysis of my friend’s computer did not show any signs of a breach. My guess is that the extortionist probably sent the same message to thousands of potential victims in hopes that someone would panic and pay up.

Even though the threat made against my friend was not credible, there are plenty of cyber-extortion and online blackmail scams that are real. The best way to avoid becoming a victim of these crimes is to adhere to common security best practices such as:

• Never blindly click on email links or open untrusted attachments.
• Keep your operating system, applications, and security software patched and up to date.
• Keep your webcam covered when you are not using it.
• Never do anything online today that could embarrass you tomorrow.

Photo credit: Shutterstock

About The Author

13 thoughts on “Cyber-extortion: Why it works and how to fight back”

  1. Hello! First of all, thank you for the info that you have already provided. I have an inquiry that I am hoping you will answer for me. How can you tell if your phone camera has been hacked and a threat is credible? I use anti-virus and security apps, but have read that sometimes such threats can go unnoticed by said apps. Any help you can offer would be greatly appreciated! Thanks!

  2. I have never actually heard a credible incident in which a phone camera was hacked. It would theoretically be possible to control a phone camera if you could sneak a rogue app into the app store and trick people into downloading it. My guess is that if your phone camera were hacked, you would probably see a very noticeable drop in battery life. The phone may also feel warm to the touch at times when it otherwise wouldn’t.

  3. Hello, What should i do if the hacker really hacked my phone camera. He was sharing some of my personal pics to me to prove. and asking huge amount to avoid sharing them with my family & friends.

  4. I am sorry to hear about your situation PRu. I am assuming that your phone does contain a contact list, and that the hacker would have a way of reaching out to your contacts, right?
    Let me ask you this… If the pictures got out, how hard would it be to deny their authenticity? Are you in any of the pictures? Are there recognizable backgrounds? Could you claim that the pictures have been photoshopped? Those aren’t exactly my preferred options, but the hacker is holding all of the cards in this case.

    There is one thing that might work, but I can’t make any promises. Offload all of your phone’s data to an external hard disk, and then unplug it. From there, do a factory reset on your phone and change the password on all of your accounts (especially any cloud accounts and your email account).

    The hacker is probably trying to extort money from other people besides you. If that is indeed the case, then the hacker may not have taken the time to download all of your data to his own device. Downloading all of the data from lots of victim’s phones would be time consuming and it would make it hard to keep track of which data goes with which account. The hacker is probably counting on being able to log back into your account any time that he wants. If you backup and then erase all of the data, and then change all of the passwords then you may be able to stop this guy in his tracks.

  5. Thank you for the information on the previous questions if I was on a website on my cell phone what is the possibility of a hacker getting a video or a photograph of me while I am on the website

    1. It can be done, but unless there is malware installed on your phone I think that the chances are pretty low. I would recommend doing a malware scan. If you don’t find anything then you are probably good.

  6. Thank you I did a factory reset yesterday there’s no malware on my phone now but they couldn’t tell whether it was on previous any other suggestions you might have since they are looking for close to $10,000

  7. Yes, I do have one more suggestion for you. If you still have the email, try Googling phrases from the message. Be sure to put the phrases in quotation marks so that Google will look for the exact phrase. Chances are that you will find that it was a mass message sent to thousands of people, and that the sender doesn’t actually have anything on you.

  8. I got the following email. Let me say that the password they say they have is used on some sites but not many. My social media accounts are not that password so how can they share it? I have never used the computer camera and actually I’m hardly on the computer. Should I be worried? The message is below. Also I have a mac and it automatically updates.

    Hey, I know your password is: my password to some sites was here.

    Your computer was infected with my malware, RAT (Remote Administration Tool), your browser wasn’t updated / patched, in such case it’s enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more – Google: “Drive-by exploit”.

    My malware gave me full access and control over your computer, meaning, I got access to all your accounts (see password above) and I can see everything on your screen, turn on your camera or microphone and you won’t even notice about it.

    I collected all your private data and I RECORDED YOU (through your webcam) SATISFYING YOURSELF!

    After that I removed my malware to not leave any traces.

    I can send the video to all your contacts, post it on social network, publish it on the whole web, including the darknet, where the sick people are, I can publish all I found on your computer everywhere!

    Only you can prevent me from doing this and only I can help you out in this situation.

    Transfer exactly 800$ with the current bitcoin (BTC) price to my bitcoin address.

    It’s a very good offer, compared to all that horrible shit that will happen if I publish everything.

    You can easily buy bitcoin here: http://www.paxful.com , http://www.coingate.com , http://www.coinbase.com , or check for bitcoin ATM near you, or Google for other exchanger.
    You can send the bitcoin directly to my address, or create your own wallet first here: http://www.login.blockchain.com/en/#/signup/ , then receive and send to mine.

    My bitcoin address is: 1NWh772kEQeX2MPAM877qK7LaN7CEcWyE1

    Copy and paste my address, it’s (cAsE-sEnSEtiVE)

    I give you 2 days time to transfer the bitcoin.

    As I got access to this email account, I will know if this email has already been read.
    If you get this email multiple times, it’s to make sure that you read it, my mailer script is configured like this and after payment you can ignore it.
    After receiving the payment, I will remove everything and you can life your live in peace like before.

    Next time update your browser before browsing the web.

    Mail-Client-ID: 6669429713

  9. Hello, I am currently being cyber extorted over a picture I sent someone. The hacker is threatening to show this to my family which would be a very big deal. How can I get them to stop. I was very scared and I ended up paying them yesterday but I do not want to deal with them today and I’m thinking of ignoring any of their texts.

  10. I am assuming that you have verified that the threat is credible and that they really do have a copy of the picture? I’m not sure what to tell you, especially since you have already paid them. They will likely keep asking for more money for as long as they think that they can get it. Unfortunately, I don’t really have a good answer for you.

  11. cybersecuritylawsrc

    cybercriminals are more coward criminals, cyber crime victims should be cool and report to police without any delay.

  12. It’s a sad experience to lose your money to these wallets…I lost mine to Paxful in Dec 2021. A huge amount was stolen but I was lucky to recover it back after weeks of mails with no positive response from Paxful. I finally met a tech guy who tracked and recovered my trading $ with my stolen coin. If you have a similar issue, you can reach out: Jimfundsrecovery at consultant dot com.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top