Extortion and sextortion - how they evolved to haunt us
/Extortion and especially sextortion emails are on the rise so what are they? Extortion emails are emails that use some kind of threat, which are sent to potential victims in order to extort money. Extortion correspondence may focus on different elements, such as exposing the victim’s activities in real life (e.g. cheating on a partner) or online (e.g. visiting porn sites or masturbating) to colleagues, friends and family. Some even threaten to harm or kill the victim, with blackmailers frequently asking for payment in cryptocurrency.
Extortion in cyberspace is not a new concept. As more and more data is stored electronically, potential for cyber extortion increases. In the past, cyber extortion typically affected businesses targeted by criminals using malware, which may disrupt or compromise operating systems, but this is now extending to private individuals. Sextortion is also not a new concept. In the past, victims were usually women and tended to be younger, blackmailed either by their ex partner, whom they met and dated in real life and who was in possession of private or sexual images of them, or a perpetrator they met online, who either obtained the images from the victim or by some other means. Research also shows that this type of crime is not all about the money, sometimes victims are blackmailed into supplying pornographic video of themselves and threats can be real. However, in recent times, it seems that (s)extortion attacks have evolved, targeting private individuals, who have never had any prior contact with their perpetrator, and asking for payments in bitcoin. The reason for this may be that bitcoin, as virtual money, has little or no legal regulation across different countries, making it a perfect choice for criminal activities.
Fear and shame
The new variants of extortion and sextortion emails frequently mention victim’s visit to porn sites, which was recorded (hacked) by the scammer, but sometimes they are kept purposely vague, referring only to a ‘dirty secret’. This could be a deliberate tactic as keeping the content vague allows the scammer to catch more victims, because vague content will be applicable to greater number of people.
Potential victims are threatened and the threats in such emails can be elaborate. Direct threats, such as telling the victim that the data collected on them will be distributed to friends, family and/or work colleagues and implied threats, which talk about shame a victim might feel if their secret was to be made public.
“I don’t think that playing with yourself is really awful but when all colleagues relatives and friends receive video record of it is definitely terrible news.”
Or in emails that refer to extortion that is not connected to sexual acts, such as those that inform the victim someone has paid to have them harmed and offer to reverse this for a fee, the threats are implied by explaining what the blackmailer does for a living:
“ I have got a personal website that includes all kinds of services which actually I give in dark net. Just about anything from totally wrecking a persons business to physical injury.”
Victims are also reminded about the potential breakdown of an existing relationship, should the ‘secret’ come out.
These threats serve a purpose – to evoke fear. Fear is a visceral influence, or a primal drive, under which careful thinking is compromised.
Fear has two components: physiological (e.g. adrenaline levels rise to prepare us to fight or flight a situation) and emotional. This emotional reaction to fear is usually unique to each person, with some people being more averse to fear while others even enjoy feeling some fear (e.g. watching a scary movie or doing extreme sports). Therefore reaction to this type of fraud will be highly individual and people may not be affected in the same way. For example, fear averse individuals may be more likely to comply with the requests in order to avoid the negative emotional response evoked by such correspondence. Additionally, these types of emails contain elements of shaming, which will further intensify the fear and which may have different cultural or societal meanings to different people. For example, while some people consider visiting porn sites to be shameful and would prefer this to be hidden from their friends and family, others may not think there is anything wrong with it and will therefore feel less fear when threatened with exposure of such behaviour on their part. Scammers also include references to social norms in such correspondence (e.g. ‘your taste is so weird’ or ‘you’re a big pervert’) in order to shame potential victims.
Persuasion elements
Additionally to evoking strong emotional response, sextortion emails use several persuasive components in order to encourage immediate compliance. Typically they contain an explanation on how the computer was hacked and the victim’s data collected. To most people who have limited cybersecurity or computer knowledge, these will appear credible. Look at this example:
” The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296). I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time. Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you. “
I don’t know about you, but I don’t know enough about computers to know if this is possible and I know a lot about fraud. But I do have talented friends who work in cybersecurity, whom I often ask for advice. To most people who don’t have this luxury, this may appear highly credible.
Then there are time limits imposed (“you have 24 hours”), which add urgency. Urgency is a known persuasion technique. The key is to not allow the victim to properly think about it or share the news with someone who may advise them not to comply. Some perpetrators even draw attention to and apologise for the spelling mistakes, offering an explanation for their poor grammar.
”I am apologise for my grammar, I’m from China”
Since many people have come to associate bad spellings in unsolicited emails with scams, this may be a specific new technique to get around this association and make the correspondence appear more credible.
Frequently, such correspondence also includes references that equate scam victimisation to a normal transaction (e.g. ‘it’s confidentiality fee’) and scammers even plead with a victim not to hate them, as they are only doing their job.
“Don’t be mad at me, everyone has their own work.”
Some of the emails also point out that the amount asked for is reasonable and not likely to affect the victim a great deal financially. The amounts asked for vary greatly, from $200 to many thousands. This may make some victims, especially when amounts are kept low, more likely to pay the ransom and less likely to report it as frauds that result in smaller losses are not reported as frequently. Therefore, some scammers purposely keep the amounts low to avoid detection.
Bizarrely, some scammers also adopt a role of a friend or an advisor and offer the victim advice on security.
“I also ask you to regularly update your antivirus in the future. This way you will no longer fall into a similar situation.”
Sometimes they berate the victim like a friend or a parent would.
”It’s a pity that people did not learn to use the Internet safely. There are too many different specifications about safe Internet using - Proxy servers, the newest antivirus base, close that camera... In your opinion it is not necessary”
This is a known scam technique but feels ill placed for this type of fraud, especially as the communication is based on threats rather than exploiting social norms (e.g. where a scammer places a victim in a role of a friend and asks for help, or where a scammer acts as a friend to the victim in order to exploit them). However, I have found out that scammers sell ‘scamming manuals’ on the dark web for thousands of dollars so using this may just be ‘let’s throw everything in there’ approach.
Inducing helplessness
Perhaps the most worrying component of such emails is that they are designed to induce helplessness, or loss of control over the situation. Scammer reminds the potential victim that, although they can report the blackmail to the police, their efforts would be futile because they are located in another country or they are undetectable. Some also concentrate on the fact that investigation is likely to last a long time, therefore the victim will run out of time and be exposed. Therefore, they have little control over their situation apart from paying the ransom.
”At this point you may be thinking
‘I’ll just go to the cops’, which is why I have used a fake name fake return address and taken steps to ensure this letter cannot be traced back to me.”
“I am an immigrant, so there is no way out to find out my location precisely.”
“You are able to complain to police but I don’t think that they can solve your problem. The Inquisition will last for one year.”
Why is this important? If a potential victim feels helpless, they are more likely to remain passive, accept the situation and agree to the terms of the blackmail. Therefore inducing helplessness may be a deliberate tactic in such correspondence, designed to render the victim silent, discourage reporting and ensure compliance.
Making (s)extortion fraud prevention count
Often fraud prevention advice fails because it doesn’t adequately address the emotional reactions some frauds evoke. (S)extortion emails, when they reach a vulnerable target, evoke visceral influence (panic, fear). Telling someone not to panic in this situation is the same as telling a starving person not to think about food. Rationally it makes sense but not when you are in a highly emotional or visceral state. When one is in a visceral state, they focus on addressing the goals associated with the current state. Persuasive elements such correspondence is likely to use will further impair judgments and influence decision making. Finally, such emails induce helplessness. In this state, potential victim is likely to surrender the fight and this is even more true of people averse to fear. Therefore simple warnings may not be sufficient. So what should be done?
Fraud prevention practitioners should concentrate on explaining persuasive elements in such correspondence instead of issuing authoritarian warnings (e.g. ‘never respond to such emails’ or ‘don’t panic’) as they are more likely to be effective when someone receives such correspondence. For example, research found that when people get explanations about why security advice is important, as opposed to vague warnings, they are more likely to listen to it. Explaining the reasons for emotional responses evoked by such emails and how they impair judgments may reduce impulsive reactions people typically have in such situations. Pointing out the fact that these ‘visceral’ reactions are temporary and scammers use them in conjunction with time limits in order to take advantage of the visceral (i.e. irrational) response, may teach people to be more aware of how their emotions affect them and teach them to wait it out. Finally, explaining how scammers purposely induce helplessness in such correspondence will empower victims to fight and not flight the situation and report or share their experience with others, who may offer knowledge vital for making optimal decisions.
This article is based on thematic analysis of 60 different extortion emails. I will be presenting the results at the 9th Annual Counter Fraud and Forensic Accounting Conference at University of Portsmouth, UK on 6th June. Hope to see you there.