How Cybercriminals Try To Extort Victims Online

By: Christine Persaud

November 17, 2020

Cybersecurity is a growing concern, especially as we rely more and more on digital channels to communicate with one another.

Photo by freebieshutterb;

And while you might be aware of some of the most common types of online scams, from phishing to bad links that install malware on your computer, imposter scams, identity theft, and more, the list is growing. And these scams don’t just impact the 18-55 working demographic: according to the Interac Cybersecurity Month Survey, seniors are actually deemed to be at the greatest risk of attacks, with 81% of Canadians believing them to be the most vulnerable demographic; while more than half (55%) believe that, with the recent shift to online learning, students might become bigger targets as well.

As the years go by, cybercriminals are getting more and more clever in their tactics, and we’re seeing new methods emerge, especially when it comes to monetary extortion. Here’s a list of some of the most common ones with tips from IT security software and services ESET on what to do if you ever find yourself at the wrong end of one of them.


Ransomware is unknowingly installed on your device through you clicking an infected link from an e-mail, social media post, instant or direct message. Once installed, ransomware encrypts your files or prevents you from accessing them, or even your computer itself. How do you get access back? Pay a ransom fee, hence the name. If you get hit by an especially nefarious group, they might engage in an act called doxing for extra leverage, whereby they search through your files to locate sensitive information or questionable photos and threaten to release them if you don’t pay up. You might think this won’t impact you because you don’t have any salacious photos or incriminating e-mails on your computer. But it could be as simple as an unflatteringly selfie you forgot to delete or confidential business file that could land you in hot water with your employer.

What to do? ESET recommends never, ever paying the ransom. Instead, look into if a decryption tool has been released for the ransomware strain on your device (if you aren’t technical enough to do this yourself, reach out to a professional or your company’s IT team). On the offensive end, keep important files backed up periodically and software up-to-date with the latest versions that might include critical security patches.

Hack and Extort

The name is catchy but the act can be terrifying. It’s pretty much identical to ransomware except the person gains entry directly into your device via a manual hack. Once in, the hacker will sift through everything on your device or in online accounts seeking out sensitive, potentially embarrassing, or valuable information. Once they find something they think could be worth a pretty penny, they steal it and send you an e-mail threatening to expose the data. They’ll give examples as well to confirm that they aren’t bluffing (though sometimes you may get hack and extort e-mails that are complete bluffs in hopes that a naïve recipient will give in to the demands.)

What to do? The best defense in this case is to work offense, says ESET, and prevent a hack from occurring in the first place. Keep your data encrypted so even if someone gets in, they won’t be able to decipher anything. Use strong passwords for all of your accounts, even the seemingly innocuous ones, and change them periodically, never using the same one for different services. Where possible, consider using two-factor authentication methods to gain entry into programs or devices, including biometric fingerprint, pattern unlocks, or even facial recognition in addition to a secure text-based password.


The offending party might try to gain your trust through sources like dating sites, convincing you to continue chatting through a separate messaging service (so the dating site won’t detect the potential scam). Then, it’s all a matter of human manipulation, using flirtation and other methods to try and get you to share intimate photos or videos that will eventually be used to blackmail you. Sometimes, the hackers bypass the manipulation altogether and simply hack right into your computer and hijack the webcam, secretly watching, waiting, and taking private photos or videos. Like with the generic hack and extort method, sometimes, the person is bluffing and doesn’t have anything at all but hopes that you have taken intimate photos or videos before, or visited pornographic websites, and the e-mail will be enough to scare you into paying.

What should you do? ESET recommends avoiding sending intimate photos to anyone. Even if you trust that person implicitly, their device could be hacked if they don’t take the proper security measures, putting your photos or videos at risk of being leaked. Keep security patches up-to-date on your devices, and use security software to provide added protection. As an extra step, you could also buy a cover for the webcam on your computer. There are some really cool ones including universal webcam covers that can fit most any electronic device. Finally, also install a good scam filter.

DDoS Extortion

This is short for Distributed denial of service attacks (DDoS) and most commonly targets businesses in an attempt to cripple their ability to provide services. Using a large number of machines organized into a botnet, the attacker will flood the target company with requests until the systems are unable to handle the onslaught and are sent offline. Think Elliott Alderson and Fsociety and their attack against E Corp. in the popular USA Network series Mr. Robot. The hackers can do this again and again, day after day, until the business suffers thousands, potentially even millions, of dollars in lost revenue. Want it to stop? You’ll have to pay up.

Whatshould you do? Again, the best defense in this case, says ESET, is an offense, which involves setting up a secure firewall to block unauthorized IP addresses from accessing the system. It’s also a good idea for businesses, especially those most vulnerable to attacks and attractive to hackers, to register with a DDoS mitigation service that can help protect the company from such extortion schemes.

Taking Advantage of the Pandemic

While these methods might not be outright extortion like the others, they are underhanded and immoral (not to mention illegal) ways of trying to steal your money. Since the COVID-19 pandemic has dominated our lives for the past eight months, fraudsters have found ways to profit from it. The Canadian Internet Registration Authority (CIRA) found in its 2020 Cybersecurity Report that a third of responding businesses said their company was targeted by a COVID-19-related cyber-attack, and three in 10 companies say they have seen a spike  in attacks since the beginning of the pandemic.  They might ask for donations to a phoney charity that claims to support COVID-19 relief funds, or send links with apparent COVID-19-related information. But really, they are using these tactics to gain access to your personal identity, which they can then use against you.

What should you do? If you wish to donate to COVID-19 relief, visit a reputable website or organization directly. Never click on a link in an e-mail, text or instant message, or social media post. The Interac survey found that 88% of Canadians believe opening e-mails from unknown senders is actually the riskiest behaviour you can engage in. When in doubt, contact the organization directly and find out if the e-mail is legitimate before giving out your credit card number. In terms of COVID-19 information, visit known news websites and apps to get your details straight from the source.

Bottom Line

It’s critical that we all take steps to protect ourselves from hackers, fraudsters, and cybercriminals who are finding new and creative ways to extort money, from promising to release intimate photos they might not even have to appealing to your philanthropic and charitable sensibilities.

The Interac survey found that 65% of Canadians say they have taken action to learn more about cybersecurity risks. Boomers feel the least confident in terms of being well-equipped to protect themselves, so reach out to a boomer friend, family member, or colleague and offer up help (or at least send them this article!)

“Our research shows that COVID-19 has fundamentally transformed cybersecurity,” says – Jacques Latour, Chief Security Officer, CIRA. “The threat landscape has changed, but, most importantly, the pandemic has created an environment of anxiety and uncertainty that cyber-thieves are exploiting. Now more than ever, cybersecurity is an issue no organization can ignore.”

This extends to individuals as well, and particularly those of the younger generations. While students are identified as a growing target base, only 18% of Gen-Zers say they have any concern, which makes it critical that parents discuss the important of protecting private information with their high school-aged children.

“The challenge now is to ensure this heightened awareness translates into a culture of cybersecurity that endures beyond the current crisis,” adds Dave Chiswell, Vice President, Product Development, CIRA. “While we hope to put COVID-19 behind us soon, cyber-threats are with us to stay.”


More on Cybersecurity

Leave a Reply

Your email address will not be published. Required fields are marked *