Advisory on Extortion Emails

Published on 28 Aug 2024

Background

In August 2024, SingCERT received at least 33 reports of extortion emails from individuals and organisations. These emails attempt to intimidate recipients into making a payment by claiming that the perpetrator (sender) possesses sensitive or compromising information about the recipient, and threatening to expose the information unless payment is made.

This advisory explains what extortion emails are and provides guidance on what to do when you receive one.

Description of an Extortion Email

We have observed multiple variants of extortion emails, some of which were sent in languages other than English. Common to all variants are the following elements: 

  • Claims of compromise. The perpetrator will claim to have installed malware on the recipient's devices, including computers and smartphones, and that the malware has been used to record private and potentially embarrassing videos of the recipient. Alternate narratives may include claiming to have compromised the recipient’s email account, and having access to their emails and contact list.
  • Threats of exposure. The perpetrator demands a cryptocurrency payment and threatens to send the videos to the recipient's contacts if not paid within a stipulated time.

Examples of extortion emails are shown below:

Figure 1: Example of an extortion email

Figure 2: Example of an extortion note sent via email

Some of these extortion emails appear to have been sent from the recipient’s own email account. To make their ruse more believable, the perpetrator will draw attention to this and claim to have accessed the recipient’s email account to send the extortion email. In reality, this is achieved through a technique known as email spoofing, which allows an adversary to manipulate the sender address and make the email appear to have been sent from a legitimate or trusted source, in this case the recipient.

These extortion emails are typically indiscriminate — they contain identical messages and are sent out as part of a large-scale campaign using automated tools.
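
Self-addressed spoofing of this kind can be checked from the message headers. The following is an added example, not part of the original advisory: it flags a message whose From address is also one of its recipients while the DMARC result recorded by the receiving mail server is not a pass. The sample message, the host name mx.example.org and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: headers of a message that claims to come from its own recipient.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.org
From: "Alice" <alice@example.org>
To: alice@example.org
Subject: (constructed sample)

(constructed body)
"""

def auth_verdicts(msg, trusted_authserv):
    """Collect spf/dkim/dmarc results, but only from headers stamped by our own server."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        parts = authserv.split()
        if not parts or parts[0].lower() != trusted_authserv.lower():
            continue  # the sender can insert this header too; ignore foreign ones
        for method, result in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", results, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def assess(raw, trusted_authserv):
    """Flag mail whose From address is one of its recipients but fails authentication."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    env_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    verdicts = auth_verdicts(msg, trusted_authserv)
    findings = []
    if from_addr and from_addr in rcpts:
        findings.append("from-equals-recipient")
    if env_from and env_from.rpartition("@")[2] != from_addr.rpartition("@")[2]:
        findings.append("envelope-domain-mismatch")
    if verdicts.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    spoofed_self = {"from-equals-recipient", "dmarc-not-pass"} <= set(findings)
    return {"verdicts": verdicts, "findings": findings, "spoofed_self": spoofed_self}

if __name__ == "__main__":
    print(assess(SPOOFED, "mx.example.org"))
```

A message you genuinely send to yourself passes DMARC and is not flagged, while an Authentication-Results header naming any server other than your own is ignored rather than trusted.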

What to Do If You Receive an Extortion Email

Depending on the email authentication protocols of the email service you use, such extortion emails usually end up in the spam/junk folder. It is important to remember that the spam/junk folder serves as a filter for potentially harmful or unsolicited emails, and users need not be alarmed to find such emails there.

However, on occasion, an extortion email may successfully evade email filters. If you discover an extortion email in your inbox, consider the following: 

  1. Remember that this is likely a scam. The claims made in these emails are baseless, and the perpetrators have no real compromising information or videos of you. The email is part of an indiscriminate extortion campaign and does not specifically target you.

  2. Ignore the threat. Understand that these baseless claims are designed to intimidate and extort money from you. Do not reply to the email, and do not make any payment. Engaging with the perpetrators or yielding to the extortion will encourage them to continue their cybercriminal activities.

  3. Secure your accounts. If you have enabled multi-factor authentication (MFA) for your email account, you may rest assured that your account is secure. Otherwise, take additional precautions by ensuring that you have a complex passphrase and that MFA is enabled for an additional layer of security. Review the recent security activity of your email account regularly to ensure that it is secure.

  4. Report the email. You can report the email to your email service provider or IT security team, which may help protect other users from spam and abuse. You can also report the incident to SingCERT at https://www.csa.gov.sg/cyber-aid to help us monitor and counter these scams.

In the unlikely event that you are being blackmailed or held ransom by a perpetrator who provides verifiable proof of compromise, you should lodge a police report immediately. The police should be able to advise you further once they are able to establish the case. You can lodge a report directly at any neighbourhood police post or online at https://eservices1.police.gov.sg.

Protecting Your Email Address from Spam

Cybercriminals and perpetrators of spam acquire email addresses for their campaigns from various sources, including data breaches, scraping publicly available information, purchasing marketing databases, or brute-forcing common email formats.

To protect your primary personal email address from spam, you should continually safeguard its privacy as part of good cyber hygiene. Be selective about who you share your email address with, and only provide it to trusted individuals and organisations. Refrain from sharing your email publicly, such as on forums or social media, where it can attract unwanted attention. 

Further consider using a secondary email address or alias. These can be used for websites that you do not frequent or consider non-essential. Should you start receiving unwanted emails through your secondary email or alias, you can dispose of them without worrying about your primary email being compromised.

For Organisations

Organisations should consult their IT security teams to ensure that robust filters are in place for their email servers. To further enhance email security, organisations may refer to our resources on: