Right, so hopefully I have hammered home the point about how to spot whether an email is genuine blackmail or phishing.
It is similar to a poker game, or to real-life blackmail.
If someone approaches you in the real world and says "I have pictures of you doing something you shouldn't be doing with someone you shouldn't be doing it with",
you would expect to see proof: the pictures.
If someone emails you saying they have malware on your device capturing all your activity,
you should expect to see proof that the malware is present, the same as in the real world where you would see the pictures.
So back to our 3 points
- How the Crime is Committed
- What a Consumer can do to prevent it
- What the industry has to do to prevent it
How the crime is committed
So, as the attacker, I rely on you being unable to identify what genuine blackmail would look like.
I rely on you following consumer advice.
Personalising an email is incredibly easy; the data can be gained from the significant number of data breaches we have seen, or, when targeting individuals, I just need to trawl the internet for enough information.
Outside that, it is an exercise in creative writing.
If you can write well enough, you can make something insignificant appear to have world-shattering consequences, even if you never prove that you have what you say you have.
Now, one of the larger problems faced by consumers, especially with blackmail emails, is that essentially the only examples going around are the obvious ones. The successful ones tend to remain hidden: if someone did pay, they are not going to tell people they were blackmailed into paying, because that is an admission of guilt,
i.e. you wouldn't have paid if it were not potentially true.
So all I am doing with my approach is trying to bluff as well as I can to create believable doubt, then letting your imagination do the rest of the work for me.
I am successful in that attempt because you, as a consumer, do not understand what proof would look like if malware were on your device, and you do not know which personal information actually constitutes proof.
Now, if I were to give you the opportunity to reflect and research well enough, you could find that out, so I put a short deadline on the deal. I then back that up with another threat: "well, whether you pay or not I benefit, as you serve as an example to everyone else I am doing this to". Again, creative writing.
I like to call this approach a “Poker Game Narrative”
What a consumer can do to prevent it
The real trick here is just learning what genuine digital blackmail would look like.
If malware were present, or I had hacked a certain account, like your Google account, which essentially tells me everything you have looked at and when you looked at it, the proof would be undeniable.
The way you understand what proof is, is by understanding what information about you has become "public domain" in the last 30 years from data breaches.
1. Anything about you
Things about you are not the same as 'things you do'.
So in the case of blackmail, the usual red flag "does not contain personal information" is a red herring; the fact that an email has personal information in it means it is probably phishing.
So if an email contains only the following types of information, there is no evidence that malware exists on your device or that I have hacked an IMPORTANT account that would tell me your activity.
- Outbound communication, like emails you have sent, does not count as proof
- Emails you have received from particular senders do not count as proof
- Name, email address, postal address and date of birth do not count as proof
- Driving licence numbers and passport numbers do not count as proof
- National Insurance numbers (Social Security Numbers) do not count as proof
- Names associated with you, like friends or employees, do not count as proof
- Information about services you use, bank accounts you have or mobile providers does not count as proof
- Information relating to your business does not count as proof
- Generic examples of activity that could apply to your devices and accounts do not count as proof, e.g.
  - You use Just Eat
  - You bought 50 Shades of Grey
  - You bought Red Dead Redemption
- Personal information that only relates to certain things you use does not count as proof
  - Does their "proof" go as far as "everything you bought from Amazon"? In that case it is still not proof of malware; it just means that, in this case, Amazon has been hacked.
- Generic threats do not count as proof; proof would need to contain the exact time, date, website and video that you viewed, along with any search terms you entered
- Having a "webcam video of you" does not count as proof; if they had one, they would be able to send you a copy
2. Things you do
If malware exists or an important account has been hacked, the proof may contain some of the items above, but they would be in such incredible detail, I cannot stress this enough, that there would be no doubt in your mind.
If I had malware on your device logging your activity, I would be able to provide a comprehensive timeline of the things you have done: not just information about you, not just what you purchased, but what you searched for to find what you purchased, at what time, and what else you looked at that you did not buy.
That is the level of granularity we are talking about.
Again, if you have a Google account, the activity it records will highlight the type of granularity we are talking about.
I will put it this way:
If you received a genuine blackmail email from me as a result of malware, you would burn every device you own.
You wouldn't just stop using naughty adult things on the internet, you would stop using the internet. You would cancel your broadband; you would potentially revert 50 years to an analogue world.
That is the level of violation you would feel from a genuine blackmail attempt resulting from malware on your device.
Even if you hadn't looked at sex sites or anything that could result in embarrassment or be considered illegal activity, you would still stop using technology just based on what I sent you.
I wouldn’t be saying “you sent this email on this date and time”
I would be saying “you wrote this email, then you fixed these spelling mistakes, you took that paragraph out, then you added this paragraph, then you inserted a picture, then you removed it, then you wrote x, y and z”
I wouldn’t be saying “you looked at this article on BBC”
I would be saying “you tried this search term, then you clicked the top link, then back, then tried this search term, then clicked this weblink etc.”
It would be a map of your activity: things you do, not things about you.
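To make the "things about you" versus "things you do" test from points 1 and 2 concrete, here is an added example (my own code for this page, not something from the original article) that triages the claimed proof in a blackmail email. It treats static identity data (passwords, date of birth, addresses, NI numbers) as carrying no weight, and only reports an "activity trail" when the message contains a run of timestamps tied to concrete targets such as URLs or search terms. The regex sets, the thresholds, and both sample emails are illustrative assumptions constructed for this example; they are not a vetted detection ruleset.

```python
"""Checklist-based triage of a 'we have malware on your device' blackmail email.

Added example, not code from the original article. It encodes the article's
distinction between 'things about you' (static identity data, widely available
from breaches) and 'things you do' (a timestamped trail of activity that only a
device implant or a history-keeping account could produce). Pattern sets,
thresholds and sample texts are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# "Things about you": data that proves nothing about device or account compromise.
STATIC_PII_PATTERNS = {
    "password": re.compile(r"\bpassword\b[^.\n]{0,40}", re.I),
    "date_of_birth": re.compile(r"\b(?:date of birth|dob|born on)\b[^.\n]{0,40}", re.I),
    "phone_number": re.compile(r"\b(?:\+44|0)\d{9,10}\b"),
    "national_insurance": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "postal_address": re.compile(r"\b\d{1,4} [A-Z][a-z]+ (?:Street|Road|Avenue|Lane|Drive)\b"),
}

# "Things you do": the granular activity trail the article says real proof would carry.
ACTIVITY_PATTERNS = {
    "timestamp": re.compile(r"\b\d{1,2}:\d{2}(?::\d{2})?\b"),
    "date": re.compile(r"\b\d{1,2} (?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\w* \d{4}\b"),
    "url": re.compile(r"https?://\S+"),
    "search_term": re.compile(r"\bsearched for\s+[\"“]([^\"”]+)[\"”]", re.I),
}

# Generic threat scaffolding: claims and pressure that cost the sender nothing to write.
GENERIC_THREAT_PATTERNS = {
    "malware_claim": re.compile(r"\b(?:malware|trojan|spyware|keylogger)\b", re.I),
    "webcam_claim": re.compile(r"\b(?:webcam|camera)\b.{0,60}\b(?:video|record)", re.I),
    "deadline": re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I),
    "payment_demand": re.compile(r"\b(?:bitcoin|btc)\b|[£$€]\s?\d", re.I),
}

# Assumed threshold: this many timestamps plus at least one concrete target
# (URL or search term) before the message is treated as carrying an activity trail.
MIN_TIMESTAMPS = 3


@dataclass
class Assessment:
    static_pii: set = field(default_factory=set)
    activity: dict = field(default_factory=dict)
    generic_threats: set = field(default_factory=set)
    verdict: str = ""


def assess_blackmail_email(text: str) -> Assessment:
    """Classify the claimed proof in a blackmail email as 'about you' or 'what you do'."""
    result = Assessment()
    result.static_pii = {name for name, pat in STATIC_PII_PATTERNS.items() if pat.search(text)}
    result.activity = {name: len(pat.findall(text)) for name, pat in ACTIVITY_PATTERNS.items()}
    result.generic_threats = {name for name, pat in GENERIC_THREAT_PATTERNS.items() if pat.search(text)}

    concrete_targets = result.activity["url"] + result.activity["search_term"]
    has_trail = result.activity["timestamp"] >= MIN_TIMESTAMPS and concrete_targets > 0

    if has_trail:
        result.verdict = "activity trail present"
    else:
        # Static PII is deliberately ignored here: it is exactly what breach data
        # supplies, so its presence adds no weight to a compromise claim.
        result.verdict = "unsubstantiated claim"
    return result


# Constructed sample: the shape of a bulk sextortion email (PII plus generic claims).
BULK_SEXTORTION = """Hello John Smith, I know your password is hunter2. I installed malware
on the adult site you visited and your webcam recorded a video of you. I also know
your date of birth, 12/03/1980. Send 1500 USD in bitcoin within 48 hours or the
video goes to all your contacts."""

# Constructed sample: what implant-level proof would read like (a minute-by-minute trail).
IMPLANT_STYLE_PROOF = """At 22:14:07 on 3 March 2024 you searched for "cheap flights lisbon",
opened https://example.com/flights at 22:14:31, went back at 22:15:02, then opened
https://example.org/deals at 22:15:40, and at 22:19:12 typed 'need to sort this before
payday' into a draft email before deleting it."""


if __name__ == "__main__":
    for label, body in (("bulk", BULK_SEXTORTION), ("implant-style", IMPLANT_STYLE_PROOF)):
        a = assess_blackmail_email(body)
        print(label, "->", a.verdict, sorted(a.static_pii), a.activity, sorted(a.generic_threats))
```

The point of the design is the asymmetry: the first sample hits two PII patterns and all four generic-threat patterns yet still comes back "unsubstantiated claim", because nothing in it requires access to the victim's device. Only a dense, timestamped trail tied to specific pages or searches tips the verdict, which is the article's argument in code form.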
3. Understanding the reality of an account hack or malware
If I successfully have malware on your device, I'm not entirely sure why I would be blackmailing you.
If I had accessed an important account of yours, I'm not entirely sure why I would be blackmailing you.
That is an important notion off the bat: the only reason to resort to blackmail at this stage is if I cannot access your funds, which would be pretty unlikely. At this point I can do anything I want, really; blackmail serves nothing other than alerting you to the fact that malware is on your device.
Either way though, if blackmail was my crime of choice, the previous point around content would still apply.
4. Understanding what this advice applies to
So this advice does not apply to "loss of life" emails and threats; those are for the police to deal with.
So that is important: knowing who you should take advice from.
I can say, using technical methods, how I would commit the crime, but I'm not a criminal expert; I cannot tell you what to do if the crime is genuine.
Whatever happens though, always send a copy to Action Fraud so they can investigate and let people know.
What the industry can do to prevent it
If someone does receive an email blackmailing them, they get that lump in their throat and that feeling down the back of their neck, a "by the pricking of my thumbs, something wicked this way comes" type of feel to the scenario.
However, demonstrating the substantial difference between genuine blackmail and phishing shows that where someone claims to have malware on your device or to have accessed an important account, the standard phishing advice doesn't apply.
All the information available online about us is personal, and the information gained about consumers from data breaches can easily be used to convince people that the sender knows them in a personal way.
Claiming to have accessed something like a Google account can then turn a bluff into something that seems believable, using harmless information to substantiate the threat.
There is also this illusion we present to consumers that this type of information cannot appear in an email sent out to a load of people, that such emails start "Dear Sir/Madam", as if putting people's names in would mean writing every email individually.
The fact is, if I have a data source from a data breach, I can automate these emails so that they appear to contain personal information and to be directed at the individual, and I can do this with open-source, free software, without it costing me anything. I can write one email, try a batch of 100, see what I get, then retry on different batches and amend my email content and structure.
In short, we cannot group different types of crime together just because they are sent in the same format, i.e. not all scam emails are the same and the advice to avoid them is not all the same, BUT they can be categorised effectively.
Because in a scenario like this, if a consumer checks an email against the standard list of phishing indicators and finds that it has all of this information, especially the second point, the advice would imply that the blackmail is genuine:
- You didn't initiate the action
- It is not addressed to you personally or does not contain personal information
- You are asked for money
- Pressures you to act quickly or makes threats
- Poor spelling/Grammer (intentional typo before you go off on one)
Because we would expect a blackmailer to initiate the action, we would expect them to ask for money, we would expect them to threaten us to act by a certain time, spelling and grammar are irrelevant, and the fact that they addressed it to us or know a load of personal information simply serves to imply that the blackmail is genuine, if we follow consumer advice.
Some of that we may only expect because of an overactive, 'Hollywood inspired' imagination.
However, by taking the time to explain to consumers how the attack is done, what a genuine blackmail attempt using malware would look like and the type of information it would contain, you are actually demonstrating that the content and structure are irrelevant: if they cannot tell you what you have done on the device or account in incredible detail, they have nothing on you.
In short, the proof changes. Like I said, if I had malware on someone's device and they received a blackmail attempt from me, the proof of malware that I sent them would mean they wouldn't go online again, irrespective of what they do and do not use the internet for.
If you then want to give short and simple advice without trying to educate the consumer, it would be something like this:
If you receive a threat about malware being on your computer or an account being hacked, it is very unlikely that the threat is genuine.
This is simply because, if malware were on your device or they had accessed an important account, there is no real reason to blackmail you to get access to your funds.
If malware existed, there are much easier ways to go about accessing your funds without alerting the consumer that malware exists and giving them a chance to do something about it.
If malware existed and blackmail was the chosen attack, this would imply a sophisticated cyber criminal, who would not need to rely on primitive means of contact or generic threats.
If malware existed, it would demonstrate in incredible detail a log of your activity: the times, dates and seconds at which you carried out certain activity, from online shopping to the search terms you entered in Google, videos you watched on YouTube, comments you read on Twitter, documents you opened, what you wrote in those documents, spelling mistakes you made in emails and the ones you corrected, how many words you type per second, how long you spent reading an article. Things that you do, not things about you.
You should always report a phishing email to Action Fraud, but you should also appreciate that no phishing advice applies when the subject matter pertains to "loss of life", such as bomb threats or threats aimed directly at you or your company; in those cases always seek advice from Action Fraud and the police.
From a consumer side, I can fully appreciate that in this particular example a lot of people would fall for it; there are more ways to extort someone than with their own activity alone.
It is not as simple as whether or not you looked at something dodgy. If you are a business owner, you could have a family device, and it could be a teenager in your house who accessed all of this, but the threat is how it reflects on you, not them.
It could be that I am threatening you via your employees' activity; reputation is key in business.
My personal approach to someone threatening me has been and will always be "well, don't let me stop you, in fact, send me what you have and I will add it to my social media pages", but it isn't that simple for everyone.
So saying "malware" seems to carry quite a substantial threat; it works, people pay, but I feel this is only because they do not realise the significant amount of proof someone could provide if malware really did exist on their computer.
They also do not understand what data has been leaked about them over the years, and that data is used to circumvent fraud advice, especially for phishing, because the advice implies that if certain data or formats are present then the email must be real.
In the case of the blackmail email, consumer advice helps make the attempt seem real, when actually including information about you more likely suggests that it is not a real blackmail attempt. I can be a lot more convincing than that if I have malware on your device.
So our consumer advice, centred around "how to spot blackmail" or scam emails, actually plays into the hands of the blackmailer, while avoiding the obvious point in this case:
If malware existed on your computer, I'm not sure why I would need to blackmail you to get your money.
Now, if I could genuinely blackmail you with stuff I had found on your device, it wouldn't be a small sum of money I would be asking for. You would have to have done something very, very bad for me to veer away from just taking whatever is in your bank account and emptying your credit cards, and decide to go for blackmail instead.
Asking for a couple of grand because you looked at a bit of porn? I just don't see the relevance when, if the type of malware that would give me that evidence existed on your device, I could get more out of you than that. I could probably work out from the data I have when your payday is, just by virtue of your activity, so at 01:00 in the morning on your next payday your accounts get emptied.
I do then feel that as an industry we don't get to these conclusions because, while we want to give advice, we don't really put that much effort into it.
So if you re-create the genuine crime, then in this case, for malware, what you find is that if you are going to blackmail someone with the output of the malware:
- the content I could use to blackmail you is significant
- if I have malware on the computer, blackmail is a waste of time
Then your consumer advice becomes more appropriate.
Then you ultimately come to the conclusion that there are certain scenarios you really have to take the time to exclude from your advice.
So in this case, blackmail relating to loss of life: I'm a technical expert, my advice is centred around technical expertise, I'm not a criminal expert, so if someone is threatening physical harm in exchange for money, I can't tell you whether it is real or not. All I can responsibly do is tell you to contact the police.
Anyway, I hope you found this helpful, links below to other such articles around cyber security.
If you have been reading the other articles as well, I really hope you are starting to see the themes that keep popping up: bad consumer advice leading to successful attacks, lazy approaches to cyber security leading to successful attacks.
Thanks for reading!
Side Note: From following my rules on this, I can’t publish one of the methods that would be so incredibly effective for blackmail.
My rules for publishing are
1. Has to be thought up in a couple of hours
2. I have to be able to implement it quicker than I can write these articles
Unfortunately I came up with it just after publishing this article.
Therefore, following my own rules, I would have to assume that it would count as training on how to be an effective criminal. As far as I can tell from looking online, no one is using this other method and I don't want to encourage it or even put the idea out there, but if someone were using this particular method we wouldn't know, as it is likely that people would pay and would not come forward.
It has that sleight of hand/misdirection feel to it that magicians use, along with the way that they create the narrative; technologically, it could only have been fairly recently that this was possible.
But, if you recall on the landing page for this section of the website, there is the “Falling Down” Scenario where “all it takes is one bad day”, so you never know, I may use it myself one day.
Seriously though, I am sending it, along with any others I come up with, to the Action Fraud team.