006: The Email That Knew Too Much
Spies, Lies & Cybercrime by Eric O'Neill
The Email That Knew Too Much: James’ Brush With Cyber Extortion
A clever new cyber attack is making the rounds, and a recent call with a friend (let’s change his name to James) highlights the insidious nature of this cybercrime. Knowing about these attacks ahead of time is the best way to defend against them. Read on so that you are not the next victim!
James had always considered himself fairly tech-savvy. Like most of us, he lived a large part of his life online—sharing photos of his family vacations, posting about his achievements at work, and occasionally leaving a review for his favorite local café. Little did he know, the very information he volunteered would soon be used against him.
Cybercriminals today are experts in using the open-source information we share online. They sift through the digital trails we leave behind, piecing together bits of personal data from social media, public records, and data breaches. All of this becomes the raw material for an elaborate con—a scam that would soon find James in its crosshairs.
One Thursday morning, James opened his email to find a message that sent chills down his spine. The subject line read, "I know everything about you." With a sinking feeling, he clicked on it. Inside was a picture of his house. The email continued with a chilling threat: “Don’t even try to hide from this. You have no idea what I’m capable of….I’ve got footage of you doing embarrassing things in your house (nice setup, by the way).”
James’ mind raced. How did they know where he lived? Was his privacy compromised? His sense of safety was shattered. The sender demanded Bitcoin—an untraceable currency—to prevent them from leaking “compromising footage” that they claimed to have. But James had never seen a camera in his home. Was this real, or just a sophisticated scam?
What James didn’t know at the time is that scammers often use publicly available information, like addresses and home photos from Google Maps, to trick their targets. They pair this with a sense of urgency and fear, creating a pressure-filled situation where people like James are more likely to act irrationally. In his panic, James didn't think to compare the image with Google Maps or to check for typical signs of a scam—like poor grammar or a mismatched email address.
As the fear set in, James started drafting a response. But just before he hit "send," something nagged at him. He recalled a recent news article about email scams that prey on people's fear, using snippets of personal data to create realistic threats. James paused and decided to take a breath. Instead of paying up, he decided to give me a call and we investigated together.
We checked the sender’s email address and noticed something was off. The domain wasn’t tied to any official company or organization. With a bit of research, we compared the image of James’ house to the one displayed in Google Maps’ Street View. They were identical!
Relieved but still shaken, James realized just how close he had come to falling victim. The scammer had almost convinced him that his privacy had been breached. By using a combination of open-source data and fear tactics, they nearly tricked him into handing over money—money he probably would never have gotten back.
Following my advice, James immediately updated his passwords, ensured he had two-factor authentication turned on for all his critical accounts, secured his home network, and promised to always “phone a friend” when under pressure from a cyber-attack. We also reported the scam to authorities, knowing that the more people who speak up, the harder it becomes for criminals to succeed.
James is also now more mindful about what he shares online. He double-checks the legitimacy of emails, avoids clicking on unfamiliar links, and keeps a skeptical eye on anything that seems too threatening or too good to be true. He has become an email archeologist!
James almost learned the hard way that, in today’s digital age, vigilance is your best defense. Scammers are constantly evolving, finding new ways to exploit the very information we willingly share. But by staying informed and cautious, we can avoid falling into their traps.
Did you catch a scam recently? I’d love to hear about it in the comments. The more we discuss and share these crimes, the better armed this newsletter community will be to defend against them.
News Roundup
Microsoft Fumbles Logging...Again
From September 2-19, Microsoft failed to consistently collect log data for many of its cloud services, including Microsoft Sentinel, Defender for Cloud, and Purview. In a customer notification, Microsoft blamed the problem on a “bug in one of Microsoft’s internal monitoring agents…” While there is no evidence of cyberattacks stemming from the incident, logs are a critical element to show instances of unauthorized access to networks and accounts. This comes nearly one year after the company withheld security logs from specific U.S. federal government departments that use Microsoft's so-called secure, government-only cloud for hosting their emails, which resulted in a major breach of senior government officials.
Russian Hackers Target Western Think Tanks and U.S. Officials
Microsoft and U.S. authorities have exposed Star Blizzard, a Russian intelligence-linked hacking group, for attempting to infiltrate Western think tanks, journalists, and former military officials through clever spear phishing attacks. Disguising malicious emails as trusted sources, the group sought access to sensitive internal systems to steal information and disrupt operations.
Persistent and elusive, Star Blizzard targeted U.S. military contractors and even the Department of Energy. Despite the crackdown, with over 100 domain names seized, experts warn: the Russian cyber espionage game is far from over. Stay vigilant!
Beware of Quishing: The QR Code Scam Catching People Off Guard
Imagine sitting down at a restaurant, ready to browse the menu. You scan the QR code placed neatly on your table, expecting to see the list of delicious dishes. Instead, you’ve just fallen victim to quishing—a new form of cybercrime that tricks you into visiting a fake website designed to steal your personal information.
Quishing involves cybercriminals replacing legitimate QR codes with malicious ones, leading you to fraudulent sites that capture login credentials or install malware on your device. With the rise of digital payments and contactless menus, scammers are using these codes to bypass normal security measures, capitalizing on our trust in this convenient technology. Always double-check the QR code’s source and be cautious about scanning codes in public places.
$400,000 Home Scam Warning: Tech Exec’s Real Estate Nightmare
Rana Robillard, a Silicon Valley executive, lost her life savings in a real estate wire fraud scam while purchasing a home. After receiving what appeared to be legitimate instructions from her mortgage broker, Robillard unknowingly sent $400,000 to a cybercriminal. Her story highlights the increasing sophistication of real estate scams, where fraudsters hijack communication channels to trick victims into sending large sums through wire transfers.
Robillard warns that the growing use of AI will make these attacks even harder to detect. Stay cautious, always verify payment details, and don’t fall for last-minute changes!
Cyber Gangs Laughing at Law Enforcement? Here's Why Prosecution is Struggling
Ever wonder why the FBI doesn’t simply descend into the Dark Web and stomp out all the cybercriminals? Sadly, it’s not that easy! Cybercriminals are exploiting the slow pace of law enforcement, operating with near impunity. Despite growing attention on national security and increased funding, law enforcement agencies (LEAs) are struggling to keep up. These highly organized cyber gangs are technically advanced, financially well-backed, and often shielded by countries that refuse to prosecute them.
Overwhelmed LEAs, facing a backlog of cases and limited resources, are falling behind in the fight against cybercrime, allowing criminals to grow more brazen. Without reforms and better public-private partnerships, experts warn the internet may soon resemble a lawless battleground.
Visa Sounds the Alarm: Cybercrime Could Overtake Global Economies by 2025
Visa revealed that it thwarted $40 billion in fraudulent transactions last year, thanks to major investments in AI and security technologies. The payments giant has invested over $10 billion in technology over the past five years, with $500 million dedicated to AI. However, the bigger picture is alarming: by 2025, cybercrime is projected to cost the world $10.5 trillion annually, potentially rivaling the GDPs of top global economies. As criminals get more sophisticated, Visa’s efforts show just how crucial advanced defenses are in the fight against digital fraud.
News Alert: Hive Systems' 2024 Password Table is Now Available
The Hive Systems 2024 Password Table has just been released, giving a fresh update on how secure—or vulnerable—your passwords might be. This detailed guide shows how quickly common passwords can be cracked based on length and complexity, offering insight into how to keep your accounts protected.
With cyberattacks becoming more sophisticated, now’s the perfect time to check if your passwords are truly in the green!
Check out my recent podcast appearance
Check out my appearance on the Dinis Guarda Podcast. Dinis and I discuss my journey from the FBI to my deep dive into the world of cybersecurity. We also explore the dark web’s impact, counterintelligence strategies, and the evolving landscape of corporate security, how to mitigate cybercrime risks, the challenges posed by social engineering, and what the future holds for cybersecurity roles.
Are you protected?
Recently, nearly 3 billion records containing all our sensitive data were exposed on the dark web for criminals, fraudsters and scammers to data mine for identity fraud. Were your Social Security number and birthdate exposed? Identity threat monitoring is now a must to protect yourself. Use this link to get up to 60% off of Aura’s threat monitoring service.
Have any questions about cybersecurity or a topic you’d like me to cover? Reply to this email or comment on the web version, and I’ll include your question in next month’s issue! Let me know which of the weird stories is your favorite.
Thank you for subscribing to Spies, Lies and Cybercrime. Please comment and share the newsletter. Together we can make the world safe from cyberattacks, especially if they invade your privacy.
Warmest,
Eric