Again, just to re-iterate, this is not where the email references loss of life or physical harm, we look at that on the next page.

Now specifically for Blackmail extorting information or money, where the threat is something like embarrassment “I will send your porn activity to your mum” type of thing.

Now for this scenario, we predominantly find online this type of advice

  1. You didn’t initiate the action
  2. It is not addressed to you personally
  3. You are asked for money
  4. Pressures you to act quickly or makes threats
  5. Poor spelling/Grammer (intentional typo before you go off on one)
  6. Comes from an official bank/government authority or pretending to be someone else

The fact is, this is all pretty irrelevant. Some scenarios they apply to, so let’s split them.

Point 6 is important for this definition

Am I pretending to be something I am not

So, is the person obviously blackmailing you, or are they pretending to be a company threatening a termination of service or a bank or a government authority?

Well, the chances are these come under our phishing email advice on this page

How I would Phish

The only exception to this really is when someone is pretending to be the police, the police will not fine you for stuff you do online, they will arrest you. Simple as that really. So if the ‘Police’ are asking for money via email or by locking your device, don’t pay it because it is not them.

Either way, report them to the action fraud team (google them)

The other scenario is

Am I openly blackmailing you or is it phishing?

So, the advice above does not help for this. You can spot someone extorting you, the problem with this advice is it implies that if they have certain information, that they can follow through on their threat, but this isn’t true in any sense.

In addition, if I did have malware on your device or had accessed your online accounts, it would be unlikely that blackmail would be my choice of attack.

That is the simplest way to spot phishing blackmail, because it just wouldn’t be beneficial to me to advertise that my malware exists.

However, let us assume that blackmail is my goal, If I am smart enough to access your accounts or create malicious software, the following would be the only real piece of advice we need.

The level of information and the granularity for a genuine blackmail email will be significant.

When we receive an email like this, we consider that the following is all public domain information.

Name, Address, Email, Passwords, Drivers licence numbers, passport numbers, dates of birth, national insurance numbers (social security numbers), work history, friends names, bosses name, twitter name, pets name, anything you can think about that is about you.

This being on a blackmail email doesn’t mean they know something about you or have something on you, it means that a company you use for a service either directly or indirectly has been hacked.

If the blackmailer has malware on your device

They would be able to describe your interests to a level of granularity that it would be likened to someone recording your every waking and sleeping moment, including dates and times that you searched for trivial stuff on the internet.

They would then be able to supply the content of the blackmail i.e. this is what I am blackmailing you with.

If the blackmailer has access to your online accounts

Same rules apply, that example was on the last page.

Something like Google tracks your activity beyond belief and reason, it doesn’t necessarily share this with other places, but if I accessed your account, I can tell you so much about you that no one should be able to know.

Not just the fact you are interested in something, but down to the date and time that you were interested in it.

I can also see all your passwords in plain text that google has stored.

But, if you have used Google Chrome for something like online retail shopping and you have a google account, the most likely thing I would do is navigate to your payments page and transfer money from your accounts via google pay, the least secure payment service on the internet to date.

Which begs the question

If the blackmailer has malware on your device or access to your accounts, why would they blackmail you?

They probably wouldn’t.

There are easier ways to steal your money than to tell about it.

Telling you about it just increases the likelihood that you can do something to prevent them.

The only reason they would adopt this route is if Plan A failed i.e. using your account information or putting malware on your device did not pay off, now I am going to go down a blackmail route.

If the malware stored your search and websites you visited and things you typed, it’s stored your access to your bank accounts, credit cards, paypal, email, online retail, iCloud, Gpay, bitcoin, everything you used while it was active is susceptible.

It seems like a very rare and unlikely scenario that I then need to blackmail you, also unnecessary for the vast majority of successful account hacks and malware scenarios.

But if they do resort to Plan B, it means they currently cannot access your funds, and would be able to prove that they have malware on your computer and a shed load of information about you that it simply should not be possible to find out from any other source.

So it would suggest that genuine blackmail arising from Malware would be an incredibly rare event, because if you put yourselves in the shoes of the cyber criminal who deployed the malware, why would they bother blackmailing you?

Other points you could consider, but these are more to build your confidence as opposed to prevent blackmail.

Cover web cams

If you are not using the web cam, cover it. I’m a Fox Mulder fan, so any built in ones for me have duct tape on them 24/7

This way if someone makes a threat about capturing you on a webcam, you know it’s not true straight away.

At the very least, don’t use webcam devices in rooms where naughty adult stuff happens.

Don’t take naked pictures of yourself

I obviously don’t do this, I’m a half shaven Wookie looking thing who thought the song “McDonalds McDonalds, Kentucky Fried Chicken and a Pizza Hut” was a balanced 4 course meal.

I know what you’re thinking, why am I denying the world by not flooding the internet with sex selfies, you don’t just give this away that’s why. You can buy this cow…

However, it’s your life, do with it what you will, but this is something that Malware or Account access can be used to gain access to which would likely then be used for Blackmail. Also don’t be confused between someone saying “They have pictures of you” with proof of having pictures of you.

In this case, the bluff is substantiated by your real life circumstances.

Make sure you set up online accounts correctly

So here, you need to make sure your google account isn’t tracking your activity to that much detail.

As far as I am aware, they don’t share this, they do use for Search Engine Optimisation i.e. your own browsing experience, but if you don’t know this exists or services like this exist on any account, it would be easy to take trivial information and then subsequently blackmail you with it.

So your google account could only contain harmless information, but I can use that to make it look like your device has been used for something it shouldn’t, then the evidence I have makes it look like you did it.

Back to the old favourite, ‘Misdirection’

On the next page, we will look at what the industry can do about this.


Previous PageNext Page

Back to How I Would Commit Cyber Crime