Now, this is one of the more fruitful scams on the internet when executed correctly.
My approach, and the rules I follow, differ from traditional phishing methods.
So what is blackmail on the internet?
The same as it is in real life: essentially, a poker game.
In the real world, if someone threatens you in order to extort something, your mind goes through a process of fear about what you stand to lose.
That is what blackmail is: using fear of consequences to extort an outcome. The demand could be anything; it could require you to hand over money, or it could require you to hand over secure login details for your employer. The threatened consequence could be anything from losing all your files, to being reported to the police for something you have not done, to embarrassment or loss of life.
The obvious ones are the ones we know about: the poor attempts at phishing blackmail, often asking for large sums of money backed by threats against your life or risk of loss of life, and then ransomware, which will often block your computer on start-up with the promise of unlocking your device if you pay.
Whatever happens, when you receive something like this, notify the police via Action Fraud. Even if you don’t fall for it, assume other people will; by letting them know, if it is a new scam they can warn others.
Now in this article we will not be looking at ransomware; that is something slightly different, as you would in some way have instigated the receipt of that software onto your device.
What we will be looking at is Phishing Blackmail and Email Blackmail attempts and whether the traditional phishing advice applies.
We need to consider:
- How the Crime is Committed
- What a Consumer can do to prevent it
- What the industry has to do to prevent it
How the Crime is Committed
So first we will look at phishing blackmail, then we will look at targeted blackmail.
Step 1 – Google “How to spot a phishing email”; this is what I follow when creating a phishing email.
Step 2 – Google “how to spot a blackmail email”; this is what I follow when creating a blackmail email.
Now we need both, as people will often confuse the two.
What we find, though, is that the advice is essentially the same:
- You didn’t initiate the action
- It is not addressed to you personally and does not contain personal information
- You are asked for money
- Pressures you to act quickly or makes threats
- Poor spelling/Grammer (intentional typo before you go off on one)
- Comes from an official bank/government authority or pretending to be someone else
Point 2 is the killer here. That information, along with email addresses, passwords you use on accounts, driving licence numbers, national insurance and social security numbers, passport numbers, dates of birth, current and previous addresses, services you use, credit cards, bank accounts, all of it has the potential to be available from data breaches.
So this gives me an in. Because the advice is focused on spotting phishing, when we put something like blackmail into the mix, what we are telling consumers is:
If the email is structured like this, it is phishing.
But what it also says is:
If the email is not structured like this, i.e. it contains personal information about you, it is genuine blackmail.
That gives the illusion that I can follow through on my threat.
The reality is that this just isn’t true, so let’s look at the two scenarios, phishing blackmail and genuine blackmail from malware on your device, and how you would know the difference.
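One way a mail filter could act on the checklist above, as an added example (not code from the original article): it scores the checklist's hallmarks but gives the "contains personal information about you" criterion no weight, so a breach-personalised message scores the same as a generic one; it also records whether the message quotes exact activity timestamps, the kind of detail only a real compromise would supply. The two sample messages are constructed.

```python
"""Triage scorer for extortion emails (added example, not code from the article).

It encodes the "how to spot" checklist as indicators, but gives the
"contains personal information about you" criterion no weight at all: such
data comes from breach dumps and proves nothing about a real compromise.
Sample messages below are constructed for this example.
"""
import re

# Hallmarks from the checklist, as case-insensitive patterns.
INDICATORS = {
    "asks_for_money": r"\b(?:pay|payment|invest(?:ment)?|transfer|bitcoin|btc|wallet)\b",
    "deadline_pressure": r"\b(?:within|in the next)\s+\d+\s*(?:hours?|days?)\b",
    "threat_to_publish": r"\b(?:publish|expose|release|send (?:it|this|them) to)\b",
    "claimed_compromise": r"\b(?:malware|hacked|key ?logger|zero[- ]day)\b",
}

# Breach-dump fields scammers paste in. Reported for the analyst, not scored.
PERSONAL_DATA = r"\b(?:date of birth|password|passport|licence|national insurance)\b"

# Exact activity timestamps are what a real device or account compromise
# would let a sender quote; a breach dump cannot supply them.
TIMESTAMP = r"\b\d{1,2}:\d{2}\b"


def score_email(body: str) -> dict:
    """Return indicator hits, a score and a flag for one message body."""
    hits = [name for name, pat in INDICATORS.items()
            if re.search(pat, body, re.IGNORECASE)]
    return {
        "indicators": hits,
        "score": len(hits),
        "flagged": len(hits) >= 2,  # two or more hallmarks: treat as extortion attempt
        "personal_data_quoted": bool(re.search(PERSONAL_DATA, body, re.IGNORECASE)),
        "activity_timestamps": bool(re.search(TIMESTAMP, body)),
    }


# Constructed samples: a generic mass mailing and a breach-personalised one.
GENERIC = ("I installed malware on a porn site you visited. Pay 500 USD in "
           "bitcoin within 24 hours or I release the video to your contacts.")
PERSONALISED = ("Dear John Smith, date of birth 01/02/1980, your password is "
                "hunter2. My malware recorded you. Send 0.3 BTC to my wallet "
                "within 2 days or I will publish everything.")

if __name__ == "__main__":
    for label, body in (("generic", GENERIC), ("personalised", PERSONALISED)):
        print(label, score_email(body))
```

Both samples are flagged with the same score; the personalised one only differs in the analyst-facing `personal_data_quoted` field, which is the point the advice gets wrong.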
The threat itself
This is somewhat irrelevant. Some go out referencing sex sites, some referencing access to your Snapchat, Apple account photos or cloud photos, and some then imply a threat to life.
“I installed malware on sex videos (sex sites) and do you know what, you accessed some porn website to have fun (if you know what I mean). While you were busy watching videos, (x y z etc.) I attained a complete list of contacts from your messenger, facebook and email etc…”
I will then go on to explain what I want from you, likely money, likely to be paid into a Bitcoin wallet, and then I will tell you what will happen if you ignore this email or don’t pay within a certain amount of time.
All of this bit is just creative writing.
Blackmail works when the threat can be substantiated, so how can I prove to you that this is genuine if I am phishing?
Companies House Approach
This is an approach I could take to target a high-ranking official of a company.
Now, I would likely have to adopt an approach where I extort via embarrassment.
So what can I get from Companies House?
- Role in company
- Registered address
- Accountants name or company name (often this is the registered address or the correspondence address)
- Date of Birth
What can I now get from there?
If I know the company name, I can likely get to the company profile on LinkedIn and the company’s website.
This will tell me:
- Employee Names and contact information
- Main contact email
So how could I structure the phishing blackmail attempt?
Maybe something like this:
Start Email Example
Dear Mr X
We are contacting you to let you know that we have great interest in you and your business, and we have been watching your activity closely.
We were able to install malware on your devices via correspondence you received from your accountants [Insert Accountants Name], from there this was able to transition to your personal devices, through either them accessing their work content on personal devices or using work devices to access personal content, such as checking their emails, through this method we have been tracking your collective internet activity both in their homes and at work.
Every time one of your devices or your employees devices, such as [Insert Employee Name From LinkedIn] and [Insert another Employee Name], has visited a website, we have recorded the website address and the page they landed, we have then also been tracking pictures that have been sent and received via various format from these devices.
Needless to say, when we compile this information we see a somewhat crude nature to you and your employees, the content of which will damage your business reputation and your brand.
We have created a video montage of these images and websites, whenever somebody thinks of [Insert Business Name], they will think of you and your staff as disgusting individuals and I doubt any person on the planet would risk shaking hands with a member of your business.
However, you can avoid this issue and protect your company image, all you need to do is make a minor investment of [Insert logical value in relation to Company filings] and all these problems go away.
What do you get from this?
- Protect your brand and company image
- Instructions on removing the malware from all devices, it can be done in a way that no one will ever know it was there, so no need to tell your staff about this.
- Access to the domain location where your files are stored.
Now you may be thinking about removing the malware yourself, or intervening via other methods, but I would like to give you the opportunity to research “Zero Day Flaw”, which will explain why I have been able to get malware on your devices and achieve my goals, irrespective of whatever security measures you or [Accountants name] have in place.
Now we understand that moving money can be difficult, so we expect a payment of [25% of asked amount] within the next 24 hours, the remaining 75% should be made within 7 days.
[Insert Payment Details]
We are professionals at what we do, we take time and consideration in our approach, we collate data and formulate it into a productive resource for our end goals.
Whether you pay this amount or not, we benefit. You are not the only company we have targeted, however, if you choose not to pay then we get to use you as an example to all other companies we are targeting.
The information we have collated will be sent to all your employees on linkedIn, all of their contacts, it will be published via multiple methods of social media and video hosting sites like twitter and YouTube, creating a #tag for your company name which will spread quickly and rapidly across the internet. Finally, we have quite a large list of email addresses at our disposal, as you would expect from people in our nature of work, we will then send an email out to all these addresses with the content we have.
Thank you for the time taken to read this
Your friendly neighbourhood hacker
End Email Example
That was an exercise in creative writing. It was my first take; I’ve not proofed or refined it yet, so about 10 minutes’ worth of work to structure the email, and about another 10 minutes to find this information online.
Once the email is structured correctly, using the insert tags, I can spend a day trawling Companies House and the internet for information, using a business directory as a data source, targeting specific businesses and industry types where we are most likely to find an affluent social media presence coupled with a lack of internal IT knowledge.
But ultimately, I have not proven that I have done what I said I did with Malware.
Now if I am targeting an individual, it is harder to sell the consequence, but easier to back it up with information that gives the impression I have hacked your life.
This is due to past data leaks, so a similar email to the above, but the information can contain:
- Your name
- Date of birth
- Drivers Licence Number
- National Insurance or Social Security Number
- Passport Number
- Account names
- Associated people (for financial information i.e. co-mortgage holders)
- Previous passwords
On a phishing shot, I can automate that pretty quickly in a way that is personal and believable to a large set of people, the same way marketing emails are legitimately automated.
However, I can back this up further by going through your online footprints.
None of that actually indicates that I know anything about you or have done anything to you. It is all just creative writing at this point, and all it proves is that a company you used at some point has had a data breach; depending on the information present, this could be an employer, a credit score/reference company, a lender or a mortgage broker.
But it is not identifiable by the advice you are given: asking for money and making threats would be part of genuine blackmail too, and the rest of this email, even though automated, bypasses your consumer advice.
So how would you know if I genuinely had something on you?
What about Genuine Blackmail?
Now this is an example of the difference between phishing blackmail and genuine blackmail.
If I had malware on your device, or I had access to an online account, the proof I can provide of this is substantial:
- Your current and up to date passwords for loads of things stored in plain text
- Your search history
- Your purchase history
- Granular down to the click activity
Now we need a visual aid for this key logger example. Google Chrome is not far off a key logger; it is not necessarily malware, but it has a lot of similar behaviours.
So if you have a google account logged into google chrome, go to this link
This isn’t what is stored on your computer; this is what is stored against your Google account, so if you log into a different computer with the same account, you would still see this activity. So if I hack into your Google account, I can access this information anywhere in the world, irrespective of what device you have or where it is.
So, if someone had malware on your computer, they would be able to see a lot more activity than this.
But let’s say they hacked your Google account instead; what would the email look like?
Start Email Example
How are you getting on with Red Dead Redemption 2 for the PS4? What about Sonic the Hedgehog for Steam? Love a bit of retro gaming, been looking for an old style controller though, can you recommend one? Oh sorry, I just saw the one you use.
I think playing Red Dead whilst enjoying Honey Jack Daniels from Tesco’s, purchased last Thursday at 13:56 and delivered today at 15:12, is really cool, do you do that as well?
Course you do, I can see that.
Do you prefer Domino’s Pizza or Pizza Hut? Well, considering you switched to Pizza Hut in April, I would go for that one; not a fan of the nachos though, I can see you like them, but they are really bad in my opinion.
Also, you should consider better passwords, I mean these are not very secure
NowTV = [Passwords google stores in plain text]
Reed.co.uk = [Passwords google stores in plain text]
It’s ok though, I have enhanced your profile on Reed by adding a message telling all potential recruiters to “check their privilege”; you can log on to see this.
“One two three four five
Hunt the Hare and turn her down the rocky road
And all the way to Dublin, Whack fol lol le rah!”
I love Irish music, I see you do as well, at about 15:54 today. High Kings are pretty good, do you know what Rocky Road to Dublin is about? Course you do, you looked that up at 16:02 today.
But enough small talk, can you explain to me why you think these search terms via google are appropriate?
[List of naughty search terms]
How do I know all this? Well, check who the email is from. I’m you….
[Insert Blackmail here]
End Email Example
Did you see it? The important bit?
The substantial difference between a phishing email and a genuine blackmail email, did you see what it was?
The level of granularity I can get to for genuine blackmail via digital methods is substantial.
If there were key-logging malware on your device, I would be able to tell you to the exact second you were looking at something, even down to the point in time you clicked the link. Not only that, I could tell you pretty much everything you have done, down to the keystroke and mouse click, for the entire time you were on the computer.
I would be able to describe your behaviour beyond a shadow of a doubt; I would be able to send you irrefutable evidence that you have been subject to my hack.
Online blackmail is a poker game, but there are only two scenarios:
- Obvious Bluff
- Definitive Proof
I have no reason to bluff when I have proof.
So advice like this, “It is not addressed to you personally”, well, it is just irrelevant.
No matter how much personal information is present, if malware existed the information I have would not be about you, it would be you.
So if there is malware on your device, or if I have access to one of your accounts, the content of the email would make you feel like “There is a camera in my home watching my every move”.
Now, this should not be confused with “threats to loss of life”, where you receive a bomb threat to extort money out of you; these are police matters, and we cover how they should be handled on the “What the Industry can do about this” page.
In short though, if the threat is loss of life, you should not be taking advice on what to do from someone like me, or anyone for that matter who isn’t the police; that is a different ball game with a different potential consequence.
Anyway, on the next page we look at what you can do to spot my Black-email attempts.