The number of data breaches keeps going up. Last week it was more than 1,000 Wendy's restaurants where credit card records got ripped off. Fraudsters quickly use the news release of a high-profile data breach to kick an extortion campaign into gear.
The recent uptick in email extortion follows the data breaches at organizations like Ashley Madison, the IRS, Anthem, and many others, where millions of records with (sometimes highly) personal information were stolen.
The public at large suffers from data breach fatigue and does not really care that much anymore, despite two risks that can cause victims a lot of hassle and lost time, both for private and sometimes corporate credit cards:
- Fresh credit card data can be used for illegal purchases for goods that can be sold on the black market and turned into cash.
- Enough personal information could be stolen to enable identity theft, which can cause significant trouble and take years to correct the affected records.
The FBI's Internet Crime Complaint Center (IC3) warned that internet lowlifes are exploiting these data breaches by threatening to expose the victim's personal information to their employer, friends and family using social media unless the targeted person agrees to pay a ransom in Bitcoin. The recipients are typically given a short deadline. The ransom amount ranges from 2 to 5 bitcoins or approximately $250 to $1,200.
Lists of "fraud suckers" get sold online, and employees that fall for these attacks become a future risk for themselves and for their personal and work environments, as they can be blackmailed by other internet criminals. The FBI released some examples of extortion emails:
“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”
“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”
“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”
“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”
“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”
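A security team can turn the wording of these FBI samples into a simple triage rule for reported mail. The following Python is an added example, not part of the FBI notice or this post: it scores an e-mail body against indicators drawn from the samples above (breach claim, exposure threat, named audience, social pressure, a Bitcoin ransom amount, a payment address, a short deadline), and flags it when several independent indicators co-occur. The fourth sample message and its Bitcoin-looking address are constructed for the test, not real.

```python
import re

# Indicator phrases taken from the FBI sample extortion e-mails quoted above,
# plus a generic legacy Bitcoin-address pattern and a deadline pattern (the IC3
# notice says recipients are given a short deadline). Each indicator counts once.
INDICATORS = [
    ("breach_claim", re.compile(
        r"\b(data was leaked|corporate hack|have your information)\b", re.I)),
    ("exposure_threat", re.compile(
        r"\b(shar(e|ing) (this|your) (information|dirt)"
        r"|message all of your friends|letter to be mailed)\b", re.I)),
    ("audience", re.compile(
        r"\b(friends|family members?|employers?|spouse)\b", re.I)),
    ("social_pressure", re.compile(
        r"\b(divorce|court proceedings|social standing)\b", re.I)),
    ("ransom_demand", re.compile(r"\b\d+(\.\d+)?\s*bitcoins?\b", re.I)),
    ("payment_address", re.compile(
        r"\b(bitcoin payment|following address)\b", re.I)),
    # Legacy base58 Bitcoin address: starts with 1 or 3, never contains 0, O, I or l.
    ("btc_address", re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")),
    ("deadline", re.compile(r"\b(within|in) \d+ (hours|days)\b", re.I)),
]
# "audience" alone is common in legitimate mail, so require several independent
# indicators before handing a message to the security team as likely extortion.
FLAG_THRESHOLD = 3

def score_extortion(text):
    """Return (score, [names of matched indicators]) for one e-mail body."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return len(hits), hits

def is_extortion(text):
    return score_extortion(text)[0] >= FLAG_THRESHOLD

# Sample bodies: three are FBI excerpts quoted above; "constructed" is an
# assumed mail with a made-up (invalid for payment) address; "benign" is normal.
SAMPLES = {
    "fbi_1": "Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.",
    "fbi_facebook": "We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.",
    "fbi_letter": "We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.",
    "constructed": "Your data was leaked in a recent corporate hack. If you would like to prevent me from sharing this dirt with your employer and spouse, send exactly 3 bitcoins to 1CnstrctdXmpAddr3FoRtEsTiNgUsEx within 48 hours.",
    "benign": "Hi team, the quarterly report is attached. Please review the numbers before Friday's meeting and send comments by 3 pm.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        score, hits = score_extortion(body)
        print(f"{label}: flagged={is_extortion(body)} score={score} {hits}")
```

Any message that trips the threshold should go to the security team together with its full headers, which is also what the IC3 complaint described below asks for.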
As part of your ongoing security awareness campaign, I suggest you send the following to your employees, friends and family. Feel free to copy/paste/edit:
"Internet criminals are using fresh news of big data breaches (like Wendy's last week) to send people threatening emails. These emails claim the criminals have confidential information about you that they will send to your employer, friends and family using social media. They threaten you with possible divorce, court proceedings, losing your job, or worse.
If you get emails like this, delete them immediately. Do not click on any links in the email, do not open attachments that claim to show your confidential information, do not reply to them, and definitely do not send any money in any form, whether they want checks, wire transfers or payment in a new e-currency like Bitcoin. If you do, your data will be sold to other scammers who will continue to haunt you."
The FBI published some very helpful tips to protect yourself online:
- Do not open e-mail or attachments from unknown individuals.
- Monitor your bank account statements regularly, as well as your credit report at least once a year, for any fraudulent activity.
- Do not communicate with the cyber criminals.
- Do not store sensitive or embarrassing photos of yourself online or on your mobile devices.
- Use strong passwords and do not use the same password for multiple websites.
- Never provide personal information of any sort via e-mail. Be aware, many e-mails requesting your personal information appear to be legitimate.
- Ensure security settings for social media accounts are turned on and set at the highest level of protection.
- When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying the URL prefix includes https, or the status bar displays a “lock” icon.
Remember... Always Think Before You Click!
Now, if an employee replies that they have been a victim of this scam, tell them to reach out to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. Tell them to include the keyword “Extortion E-mail Scheme” in their complaint, and provide any relevant information including the extortion e-mail with header information and Bitcoin address if available. It's also a very good idea to get HR involved to help the employee cope with this new type of extortion.
Let's stay safe out there.
Founder and CEO, KnowBe4, Inc.
Do your users know what to do when they get a phishing email?
KnowBe4's Phish Alert Button gives users a safe way to delete suspicious emails while forwarding them to your internal security team for further investigation.