An extortion scam involves an attacker sending an email claiming that they possess private or confidential information related to the victim and will release the information to the public if a payment is not made to their account. The attackers try and use panic as a way to extort money from the victims. They email usually reveals something private to the victim like 'your gmail password is XXXXXXXX' to establish authenticity. These scams involve several stages of preparation. The attacker will first tries to get his/ her hands on something private to the victim through social engineering or phishing. They then identify how to leverage this newly learned information. Finally, they send an extortion email to the victim. There are several ways to identify the authenticity of how the attacker came across this information. The emails can be sound convincing once you see yoour password in it. But, there are several ways in which an attacker gets their hands on such information. Let's take a look at a few: Below is an example of the extortion email tweeted by security researcher SecGuru.
Data breach
Your email and password were part of a data breach. Billions of users acoounts are compromised every year and all the email-password pairs are published on the dark web form minimal if not no fee. the attacker might have obtained your information from one of the breaches. In thsi case, you are not the only person who received this email. The attacker's script might have sent this message to every email ID on the list expecting a response from atleast a few of them. You can easily verify if your account was a part of the breach through https://haveibeenpwned.com/. You can also check if anyone else is receiving these emails through a simple google search. To protect yourself from such breaches:
- Keep changing passwords regularly
- Use strong passwords
- Use random passwords and use a password manager to store them
Phishing
You would have entered you email address and password on a phishing page. This is the most popular method to extract confidential information from a client. There are several surveys out there asking for personal information in exchange for gift vouchers/ promo codes. The information includes your full name, physical address, phone number and your login information. Not all of these surveys are authentic. To protect yourself from phishing:
- Scan suspicious URLs through Checkphish.ai before accessing them.
- Do not enter your personal information unless it is necessary.
- Block domains that keep sending spam/ scam emails.
Social Engineering
Social engineering is about manipulating people to get personal/ confidential information from them. Someone might have been watching you type in your password in a public place or overheard you saying it out loud to a friend/ colleague. To protect yourself from social engineering:
- Do not use public wifi systems
- Secure your devices through anti virus
- Be aware of your surroundings
