Protect your business and your employees from sextortion scams.
Beware: These extortion scams are increasing in frequency, becoming more sophisticated, and bypassing email gateways.Barracuda Research analysis: 1 in 10 spearphishing attacks are extortion or sextortion attacks. Click To Tweet
Barracuda researchers have uncovered some startling new revelations about sextortion scams. In the past, sextortion scams were used as part of large-scale spam campaigns. Now, they’ve expanded in scope, even since Barracuda first highlighted this type of attack last fall.
A recent analysis of spear phishing attacks targeted at Barracuda customers found that 1 in 10 were extortion or sextortion attacks. In fact, employees are twice as likely to be targeted in a sextortion scam than a business email compromise attack.
Here’s a closer look at the research, more details about sextortion scams, and ways to protect your business from this type of extortion threat.
Sextortion – Attackers leverage usernames and passwords stolen in data breaches, using the information to contact and try to trick victims into giving them money. The scammers claim to have a compromising video, allegedly recorded on the victim’s computer, and threaten to share it with all their contacts unless they pay up.
In most sextortion scams, attackers use a harvested email address and password to prey on a victim’s fears in a threatening email. Often, attackers spoof their victim’s email address, pretending to have access to it, to make the attack even more convincing. Bitcoin is the form of payment typically demanded, with wallet details included in the message.
Sextortion emails are usually sent to thousands of people at a time, as part of larger spam campaigns, so most get caught in spam filters. But scammers are continually evolving their email-fraud techniques, including using social-engineering tactics to bypass traditional email-security gateways.
Sextortion emails that end up in inboxes typically do so because they originate from high-reputation senders and IPs; hackers use already-compromised Office 365 or Gmail accounts.
Sextortion emails don’t usually contain malicious links or attachments found by traditional gateways. Attackers have also started to vary and personalize the content of the emails, making it difficult for spam filters to stop them.
Sextortion scams are under-reported due to the intentionally-embarrassing and sensitive nature of the threats. IT teams are often unaware of these attacks because employees don’t report the emails, regardless of whether they pay the ransom.Sextortion scams are under-reported due to the intentionally-embarrassing and sensitive nature of the threats. Many employees will not report the attack, regardless of whether they pay the ransom. Click To Tweet
Common Sextortion Subject Lines
Barracuda’s research reveals that the majority of subject lines on the sextortion emails analyzed contain some form of security alert. More than a third request a password change.
Attackers often include the victim’s email address or password in the subject line, to get them to open and read the email.
Here are some examples of security-alert subject lines:
- email@example.com was under attack change your access data
- Your account has been hacked you need to unlock
- Your account is being used by another person
Here are some examples of password-change subject lines:
- Change your password [password] immediately your account has been hacked
- Hackers know your password [password] password must be changed now
Other common subject lines include references to a customer service ticket number or incident report.
Occasionally, attackers are more straightforward, using threatening subject lines:
- You are my victim
- Better listen to me
- You don’t have much time
- You can avoid problems
- This is my last warning firstname.lastname@example.org
Industries Most Targeted By Sextortion
Barracuda’s research identifies education as the industry most frequently targeted by sextortion and extortion, making up the majority of attacks. Government employees are the second-largest targets of sextortion. Business services organizations were the third-most-targeted industry.
The overwhelming focus on education is a calculated move by attackers. Educational organizations usually have a lot of users, some with a very diverse and young user base that may be less informed about security awareness and that may be less aware of where to seek help and advice. Given their lack of training and experience with the nature of these types of threats, students and young people can be more likely to fall victim in these attack scenarios.
4 Ways To Protect Against Sextortion Scams
AI-based protection — Attackers are adapting sextortion emails to bypass email gateways and spam filters, so a good spear phishing solution that protects against extortion and sextortion is a must. For example, Barracuda Sentinel has built-in components designed to detect these types of attacks.
Account-takeover protection — Many sextortion attacks originate from compromised accounts; be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised. Barracuda Sentinel allows you to remediate in real-time by alerting users and removing malicious emails sent from compromised accounts.
Proactive investigations — Given the nature of sextortion scams, employees might be less willing than usual to report these attacks. Conduct regular searches on delivered mail to detect emails related to password changes, security alerts, and other content. Many sextortion emails originate from outside North America or Western Europe. Evaluate where your delivered mail is coming from, review any of suspicious origin, and remediate.
Barracuda Forensics and Incident Response helps with email searches, provides interactive reports on the geographic origin of emails, and helps you automatically remove any malicious messages found in mailboxes.
Security-awareness training — Educate users about sextortion fraud, especially if you have a large and diverse user base, like in the education industry. Make it part of your security awareness training program. Ensure your staff can recognize these attacks, understand their fraudulent nature, and feel comfortable reporting them. Use phishing simulation, such as Barracuda PhishLine, to test the effectiveness of your training and evaluate the users most vulnerable to extortion attacks.
Barracuda offers complete email security that protects your company from spear phishing and other email-borne attacks. Visit our corporate site here for more information.
Asaf Cidon is a professor of electrical engineering and computer science at Columbia University and a Barracuda adviser. He previously served as vice president of content security services at Barracuda Networks. In this role, he was one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.