First and foremost, don't bundle every phishing attempt into one category and hand out sweeping advice.
It is very easy for a consumer to misinterpret something.
Blackmail is personal: it is the ruining of lives with personal information.
There are 7 billion potential consumers on the planet. You cannot expect them all to interpret consumer advice in the same way, or to respond to a blackmail attempt in the same way.
So first things first: categorise phishing a bit better. In this particular article I am going with three distinct categories:
- Phishing – Marketing
- Phishing – Blackmail emails
- Phishing – Loss of life emails
For the first one, this website has a separate article, How I would Phish, so it is not covered here.
That leaves the other two to look at.
From the industry side, our only involvement should be centred on how to tell a bluff from genuine blackmail.
When we bundle everything together ("spelling mistakes", "personal information about you"), it over-complicates the advice and doesn't help with either blackmail phishing or loss of life phishing.
So the obvious identifier that a blackmail email is a bluff is this:
Does the email talk about malware?
If it does, it is phishing.
The reason is that it is incredibly unlikely I would need to resort to blackmail if I had malware on your device that was working the way it would need to in order to blackmail you. I would also not need to contact you by email; I could be a lot more personal than that.
Malware would be a group shot: I could have it on tens or even hundreds of devices. If I blackmail one person, I risk exposing that my malware exists, which would lead to antivirus being updated to detect it and my malware being removed everywhere.
The information from the malware would most likely let me take your money without speaking to you. I don't need to blackmail you to get your money if malware is on your device.
I honestly don't see why I would resort to this option for 99 out of 100 people who had malware like this on their device.
I would then have to spend a large amount of time going through all 100 to find enough incriminating evidence on one individual; there would be a lot to sift through before I found the information I needed to blackmail them.
Short and sweet: why risk blackmail, and why spend the time on it, when malware gives me easier routes to your money?
The other part is proof. In the rare case where it would make sense to resort to blackmail to extort money, what would count as proof that the malware exists or that an account has been hacked?
- The level of detail will be so granular that the blackmailer can give proof of your time-of-day activities: dates, times and the videos you watched, down to what you ate for dinner.
- https://myactivity.google.com/myactivity will give consumers an example of the type of content, and the difference in detail, you would expect to see
- Proof DOES NOT include things like:
  - Outbound communication, such as emails you have sent
  - Emails received from particular senders
  - Your name, email address, postal address and date of birth
  - Driving licence numbers and passport numbers
  - National Insurance numbers (Social Security Numbers)
  - Names associated with you, such as friends or employees
  - Generic examples of activity that could apply to anyone's devices and accounts, e.g.
    - You use Just Eat
    - You bought 50 Shades of Grey
    - You bought Red Dead Redemption
  - Generic threats. Proof would need to contain the exact time, date, website and video you viewed, along with any search terms you entered.
  - Detailed information about a single source of activity, e.g. a list of purchase dates that all relate to "Amazon", or even to online retail only. Real access would show something more personal than that.
  - A claimed "webcam video of you"
The short advice here is the poker advice: "Why bluff when you have proof?"
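To make the two tests above concrete (the "does it talk about malware?" rule and the list of what does and does not count as proof), here is a small triage heuristic a mail filter or a help desk could run over a suspicious message. It is an added example, not code from the original article: the regexes, the 100-item threshold standing in for "in the hundreds", and both sample messages are assumptions constructed for illustration.

```python
"""Heuristic triage of a blackmail e-mail against the article's checklist.

Rules encoded (the article's, reduced to something a filter can score;
the 100-item threshold and the regexes are this example's assumptions):
  1. The message claims malware or a webcam recording -> bluff.
  2. Generic identifiers (DOB, passport, NI/SSN, a password ...) are
     reported but never count as proof.
  3. Only a large volume of distinct, fully time-stamped activity items
     suggests real access, and even then the recipient must check every
     item against their own records before treating it as genuine.
"""
import re
from dataclasses import dataclass

# Rule 1: any of these words means the sender is describing malware rather
# than showing what it would have collected.
MALWARE_CUES = re.compile(
    r"\b(malware|trojan|keylogger|spyware|virus|remote access|webcam)\b", re.I)

# Rule 2: identifiers the article lists as NOT proof of malware or access.
GENERIC_ID_CUES = re.compile(
    r"\b(password|date of birth|passport|driv(?:ing|er'?s) licen[cs]e|"
    r"national insurance|social security|home address|email address)\b", re.I)

# Rule 3: a "granular" item carries both a date and a clock time, e.g.
# "2024-03-09 21:14 watched ..." or "09/03/2024 21:14 bought ...".
TIMESTAMP_RE = re.compile(
    r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})[ T]\d{1,2}:\d{2}\b")


@dataclass
class Triage:
    malware_claims: list       # distinct rule-1 words found, lower-cased
    generic_identifiers: list  # distinct rule-2 identifiers found
    timestamped_items: int     # distinct lines carrying a full timestamp
    verdict: str               # "phishing" or "verify-then-report"


def triage_blackmail_email(body: str, granular_threshold: int = 100) -> Triage:
    """Score one message body. granular_threshold is an assumed stand-in for
    the article's 'in the hundreds'."""
    malware = sorted({m.lower() for m in MALWARE_CUES.findall(body)})
    generic = sorted({g.lower() for g in GENERIC_ID_CUES.findall(body)})
    # Duplicated lines add no proof, so count distinct stamped lines only.
    stamped = {ln.strip() for ln in body.splitlines() if TIMESTAMP_RE.search(ln)}
    if malware:
        verdict = "phishing"            # rule 1: why bluff when you have proof?
    elif len(stamped) < granular_threshold:
        verdict = "phishing"            # rules 2/3: nothing beyond generic claims
    else:
        verdict = "verify-then-report"  # human checks every item, then police
    return Triage(malware, generic, len(stamped), verdict)


# Constructed sample of the usual bluff. Not a real message.
BLUFF_SAMPLE = """I installed malware on your device while you were visiting adult sites.
My trojan recorded you through your webcam. I know your password is hunter2
and your date of birth. Pay 0.5 BTC within 48 hours."""


def constructed_granular_sample(items: int = 120) -> str:
    """Constructed stand-in for the kind of log the article describes: many
    distinct time-stamped items from unrelated sources, no malware claims."""
    sources = ("searched Google for", "ordered from Just Eat", "opened file",
               "signed Change.org petition", "viewed seat map row")
    lines = ["I know everything you did this month:"]
    for i in range(items):
        lines.append(f"2024-03-{1 + i % 28:02d} {8 + i % 12:02d}:{(i * 7) % 60:02d} "
                     f"{sources[i % len(sources)]} item-{i}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, body in (("bluff", BLUFF_SAMPLE),
                       ("granular", constructed_granular_sample())):
        print(name, triage_blackmail_email(body))
```

Note what the "verify-then-report" outcome does and does not mean. A scammer can pad a message with made-up timestamps, so the heuristic can only say that the message is detailed enough to be worth checking; the recipient still has to ratify every single item against their own records (the article's "not a single item would be incorrect"), and the filter cannot do that part. Anything that fails that check is back to phishing; anything that passes it goes to the police and Action Fraud.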
Loss of life emails
All I can say for this one is that none of the previous rules apply.
Some are so obviously flawed in their structure that anyone would spot them, but ultimately standard phishing advice does not help you tell a phishing threat from a genuine one.
So let's say I was going to phish by pretending to be a disgruntled former employee.
Something along the lines of "You have ruined my life, you sacked me for no reason, I haven't been able to get a job, I've lost my home, my wife and kids, you will pay for me to get these back".
Now, if a genuine former employee were anonymously making this type of threat while living through what is essentially a breakdown, you would expect exactly the same things: erratic communication, spelling mistakes, poor grammar, demands for money, threats, and the same structure as other blackmail phishing attempts, talking at you as though you know exactly what you have done.
So it would be irresponsible for me to tell you how to spot one. However, if someone does threaten your life, contact the police and Action Fraud.
Drawing a line on what is ok and what is not for advice
This is important industry advice on how the industry can change.
Some matters are for the police to deal with.
As an individual with digital expertise, I can tell you that if someone had access to one of your accounts, or malware on your device, there is a level of information that would be present to prove that the malware really exists or that the account really has been hacked.
This is not personal information; it is a descriptive log of your life, from the websites you visited, both normal and naughty, to what you typed on the keyboard and what you clicked on the screen.
In short, I can use that to tell you whether you are being phished, because if the email is not that detailed, and you cannot ratify the times and dates that you did things, nothing suggests there is malware on your device or that one of your accounts has been hacked.
What I can't tell you is how to deal with genuine blackmail. That is a police matter, so the only advice I can give is to contact the police and/or Action Fraud.
So if you did receive an email with that granular level of proof (the dates and times you searched for and bought concert tickets, the seat and row numbers, how many you bought, which ones you looked at before deciding, what they cost, what you ordered from Just Eat, the games you bought, the petitions you signed on Change.org and the ones you didn't, the search terms you entered into Google, which page you clicked and at what time, the file structure on your computer, the file names you opened and what you typed in them, on and on and on), not a single item would be incorrect.
It is not a case of "well, most of it is right". All of it is right, across a substantial volume of items, in the hundreds, with no mistakes about when you did what.
So the advice I can give is:
If that scenario did happen, contact the police and Action Fraud.
If that is not the scenario, you are more than likely being phished.
However, as soon as loss of life enters into it, the phishing advice goes out the window. It becomes an individual's call whether the threat is genuine, but either way contact Action Fraud and the police, as they still need to publicise that this is happening to people and spread awareness.
Summary is on the next page