Recent months seem to have seen a rise in extortion emails, designed to scare users into handing over their money.
Last month, the folks at the My Online Security website warned of a sextortion email campaign that pretended to be from the CIA.
The email claimed that your name, and personal details (including home, work and relatives’ details), had cropped up as part of an investigation into an international child abuse ring.
According to the email, the CIA knew that you had distributed and stored child abuse material, along with 2,000 others.
But never fear! Because a CIA operative working on the case has sent you this email, saying that he knows you’re good for a few quid and that for the knock-down price of just $10,000 in Bitcoin he’ll remove your details!
Obviously delete the scary emails as they are nonsense: don’t respond to them, don’t pay. And ask yourself: is it really likely someone from the CIA would contact you like this? (And would it be the CIA investigating such a case anyway? Somehow I don’t think so…)
But if that scheme didn’t fool you, maybe another one will.
Bleeping Computer warned of another extortion email earlier this month.
Here’s how the email began:
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We Hacked network.
We Caught Communications.
We Backuped DATA And DOCUMENTS.
We send this mail to you in YOUR account.
After analyzing documents. We found Illegal activity – HIDING TAXES.
That we want?
I want two (2) Bitcoin
To wallet Bitcoin.
That we do if you don’t pay bitcoin?
We send these Documents and roofs to your Tax Department.
You may like the idea that someone else is backing up your data for you (saves you a job, right?), but it’s not so good to hear that they have snooped through your files, and determined that your company has been cheating the taxman.
The email goes on to demand that two bitcoins are paid (currently about $10,000). If you aren’t prepared to pay? The alleged hackers say they will send the incriminating information they uncovered to the authorities, lock computers, DDoS your network, and install the WannaCry ransomware for good measure. And they’ll increase the ransom demand every day!
It’s enough to give you the jeebies… but again, it’s utter nonsense. They haven’t hacked your computers, they’re just trying it on.
The good news is that I expect most firms wouldn’t be scared into coughing up that kind of cash, and if they took the threat seriously at all would go straight to the police instead.
It’s easy for anybody with an internet account to send you an email claiming that they have done something, or found out some incriminating information about you. It’s even trivial (because of the way the internet works) for the extortionist to forge their email address so it might appear as if it comes from a law enforcement agency or even your own email account.
Don’t believe everything you read.
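For mail administrators who want to check the "sent from YOUR account" claim rather than take it on trust, here is an added example (not from the original article) that reads the authentication verdicts a receiving mail server records in a message's headers. The sample message, domains and flag names are constructed for illustration, and it assumes the Authentication-Results header was added by your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From is forged to match the recipient, as the email above claims.
SAMPLE = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bulk.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
Return-Path: <bounce@bulk.example.net>
From: Accounts <accounts@example.com>
To: accounts@example.com
Subject: We Hacked network

We send this mail to you in YOUR account. I want two (2) Bitcoin
"""

def domain(addr):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}.
    Only trust this header when your own receiving server wrote it."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def spoof_indicators(raw):
    """List the signs that the visible sender address was forged."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    auth = auth_results(msg)
    flags = []
    if from_addr and from_addr == to_addr:
        flags.append("from-equals-recipient")      # "sent from your own account"
    if domain(msg.get("Return-Path")) != domain(msg.get("From")):
        flags.append("envelope-domain-mismatch")   # indicator only; lists do this too
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            flags.append(f"{method}-not-pass")
    return flags
```

A message that genuinely came from your own account would pass these checks at your own server; a forged one shows a mismatched envelope sender and failing verdicts.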