People should familiarize themselves with common forms of extortion in order to avoid falling victim to these attacks, according to Amer Owaida at ESET. Ransomware might be the most well-known form of digital extortion, but it is not the only one, and Owaida offers a useful summary of the others.
“The basic premise is that your device will be infested by ransomware using one of the various tactics hackers employ, such as duping you into clicking on a malicious link found in an email or posted on social media or shared with you through a direct instant message,” he explains. “After the malware makes its way into your device, it will either encrypt your files and won’t allow you to access them, or it will lock you out of your computer altogether, until you pay the ransom. It is also worth mentioning that some ransomware groups have added a new functionality: a form of doxing wherein they traverse your files looking for sensitive information, which they will threaten to release unless you pay them an additional fee. This could be considered a form of double extortion.”
A second form of extortion is related to this last point: hackers can simply steal your data and threaten to publish it unless you pay a ransom. While ransomware groups have recently adopted this tactic as well, a data breach alone can be devastating to an organization.
Two more forms of extortion are sextortion and sextortion scams. Sextortion is traditional blackmail conducted via the Internet. These schemes often begin on dating platforms with the attacker catfishing the victim in order to obtain sensitive photos. In a sextortion scam, meanwhile, the attacker is bluffing. In many cases, the scammer will send out emails en masse informing recipients that a hacker has obtained embarrassing footage of them via their webcams. If the scammer sends out enough of these emails, at least some of the recipients will fall for the ruse.
A fifth type of extortion involves launching DDoS attacks against an organization until the victim pays a ransom. These attacks can go on for days, potentially costing the targeted organization hundreds of thousands of dollars.
In all of these cases, victims should avoid paying the ransom. Not only will paying an extortionist fund further criminality, it also puts you on their radar as someone who’s willing to pay.
“There are multiple steps you can take to lower the risks of ending up in the crosshairs of cyber-extortionists,” Owaida concludes. “For starters, you should always implement cybersecurity practices both in your work and personal lives, which include some of the advice we already mentioned such as using two-factor authentication and keeping all your devices patched and up to date. You should also avoid recycling passwords – since those are responsible for many account compromises – use strong passwords or passphrases, and avoid oversharing information that could be used against you.”
New-school security awareness training can help you and your employees put this advice into practice.
ESET has the story.