Published on 28 Aug 2024
Background
In August 2024, SingCERT received at least 33 reports of extortion emails from individuals and organisations. These emails attempt to intimidate recipients into making a payment by claiming that the perpetrator (sender) possesses sensitive or compromising information about the recipient, and threatening to expose the information unless payment is made.
This advisory explains what extortion emails are and provides guidance on what to do when receiving such emails.
Description of an Extortion Email
We have observed multiple variants of extortion emails, some of which were sent in languages other than English. Common to all variants are the following elements:
Examples of extortion emails are shown below:
Figure 1: Example of an extortion email
Figure 2: Example of an extortion note sent via email
As we noted above, some of these extortion emails appear to have been sent from the recipient’s own email account. To make their ruse more believable, the perpetrator will draw attention to this and claim to have accessed the recipient’s email account to send the extortion email. In reality, this is achieved through a technique known as email spoofing, which allows an adversary to manipulate the sender address so that the email appears to have been sent from a legitimate or trusted source, in this case the recipient.
These extortion emails are typically indiscriminate — they contain identical messages and are sent out as part of a large-scale campaign using automated tools.
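The spoofing described above can be confirmed from the message headers. The following is an added example, not part of the original advisory: it reads the Authentication-Results header stamped by the receiving mail server and classifies a message whose From address equals its recipient. The sample message, the server names mx.example.org and relay.example.net, and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real message): From and To are the same address,
# but the receiving server recorded failed authentication for the From domain.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=softfail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.org
Authentication-Results: relay.example.net; dmarc=pass header.from=example.org
From: alice@example.org
To: alice@example.org
Subject: Constructed subject

Constructed body.
"""

def trusted_verdicts(msg, authserv_id):
    """Read spf/dkim/dmarc results only from headers stamped by our own server.

    Any other Authentication-Results header may have been inserted by the
    sender, so it is ignored.
    """
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        if server.split()[:1] != [authserv_id]:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def assess(raw, authserv_id):
    """Classify a message that claims to come from its own recipient."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    verdicts = trusted_verdicts(msg, authserv_id)
    dmarc = verdicts.get("dmarc")
    if dmarc is None:
        status = "unverified"        # no trusted result to judge by
    elif dmarc == "pass":
        status = "authenticated"     # From domain really authorised this mail
    else:
        status = "spoofed-from"      # From address was not authenticated
    return {"self_addressed": bool(sender) and sender in recipients,
            "status": status, **verdicts}

if __name__ == "__main__":
    print(assess(SAMPLE, "mx.example.org"))
```

A self-addressed message with the status "spoofed-from" was not sent from the recipient's account, whatever the message body claims.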
What to Do If You Receive an Extortion Email
Depending on the email authentication protocols of the email service you use, such extortion emails usually end up in the spam/junk folder. It is important to remember that the spam/junk folder serves as a filter for potentially harmful or unsolicited emails, and users need not be alarmed to find such emails there.
However, on occasion, an extortion email may successfully evade email filters. If you discover an extortion email in your inbox, consider the following:
In the unlikely event that you are being blackmailed or held ransom by a perpetrator who provides verifiable proof of compromise, you should lodge a police report immediately. The police should be able to advise you further once they are able to establish the case. You can lodge a report directly at any neighbourhood police post or online at https://eservices1.police.gov.sg.
Protecting Your Email Address from Spam
Cybercriminals and perpetrators of spam acquire email addresses for their campaigns from various sources, including data breaches, scraping publicly available information, purchasing marketing databases, or brute-forcing common email formats.
To protect your primary personal email address from spam, you should continually safeguard its privacy as part of good cyber hygiene. Be selective about who you share your email address with, and only provide it to trusted individuals and organisations. Refrain from sharing your email publicly, such as on forums or social media, where it can attract unwanted attention.
Also consider using a secondary email address or alias for websites that you do not frequent or consider non-essential. Should you start receiving unwanted emails through your secondary email address or alias, you can dispose of it without worrying about your primary email being compromised.
For Organisations
Organisations should consult their IT security teams to ensure that robust filters are in place for their email servers. To further enhance email security, organisations may refer to our resources on: