This Blackmail Scam Brought to You by [Name of Data Breach]

January 25, 2018

Dave Eargle doesn’t have to imagine what it would be like to get an extortion letter in the mail, because he got one. “I know you cheated on your wife,” the correspondent wrote. “More importantly, I have evidence of the infidelity.”

The scam artist behind the letter claimed to have discovered the alleged cheating accidentally, “while working a job.” Then he (or she) admitted to putting in more time than s/he “probably should have looking into” Eargle’s life.

It’s worth noting before going any further that the scammer is working on an assumption: That it isn’t very hard to “look into” a stranger’s life and find out enough about that person to scam them.

“Even if you decide to come clean with your wife about your cheating, doing so won’t protect her from the humiliation she will feel when her friends and family find out the sordid details from me,” the scammer tells Eargle, before getting to the bottom line: “If you want me to destroy the evidence and leave you alone forever then send $2,000 in BITCOIN.”

Sunlight Is the Best Disinfectant

Eargle is the public face of a blackmail scam that has been spreading like wildfire because he did the right thing. He notified the police and then wrote about the attempted fraud on his blog.

This extortion attempt is an analog (i.e., not computer-related) form of social engineering. It’s an emotional hack that relies on two things: Statistics and shame.

The stats on marital infidelity are always going to skew low for the obvious reasons. That said, the Associated Press and the Journal of Marital and Family Therapy reported in 2016 that 22 percent of married men reported cheating on their spouse. My very unscientific guess is that the real number is similar to the divorce rate: 40-50 percent. With those kinds of odds, the letter campaign was targeted right.

The shame factor includes, of course, fear of divorce, and as such it’s a powerful motivation to do whatever the letter instructs. However, the blackmail scam was rendered less effective by an unknown. It had a name: Dave Eargle.

“[My blog] had received maybe three, two hits a day,” Eargle told CNBC. “Suddenly, it jumped up to 200 a day during right after the waves [of letters], 200 a day, 300 a day.” Because Eargle has become a hub for others who got the same letter, more is known about the scam.

Whoever is behind it seems to be focusing on men who live in affluent neighborhoods. The basics of the shakedown are consistent, though subsequent letters have demanded as much as $8,000 in bitcoin.

What happened here?

With the Equifax breach leading the way in a year that was noteworthy for a record number of data compromises, it’s almost a foregone conclusion that anyone can find out anything they want if they know where to look, or who to ask.

Social media allows strangers to find out way too much about their fellow strangers, including what kind of car a person drives, where s/he goes on vacation, and, depending on a person’s cyber-hygiene, where a particular individual lives, works and worships as well as an array of other personal details.

Remember, the letter warned that even if Eargle came clean with his wife, his friends and family would be contacted, a threat made possible by the information many of us make readily available via Facebook and other social media. Again, this is about probability. The number of social media users out there dwarfs the number of non-users, so it’s a safe bet that the recipients of the letter are exposed enough to make the above threat a real danger.

That said, this scam only requires a name and address. Name and address are usually considered a relatively harmless form of data compromise since there is not much that can be done with the information.

The letter Eargle received mentioned the time spent looking into his life. Presumably, that time was spent figuring out where he lived, whether or not it was an expensive neighborhood and determining his marital status. If Eargle shared parts of his life online via his blog or social media, the scammer had even more information, and it is easy to use a zip code to identify affluent areas.

While the scam is not a form of identity theft, it almost certainly uses identity-related information to achieve its goal.

The takeaway is simple: Be Dave. If you are the target of extortion, report it immediately to law enforcement. And remember, data breaches provide criminals with endless opportunities to swindle, so never underestimate your vulnerability, and maybe consider using an alias.


Adam Levin is chairman and founder of CyberScout and cofounder of Credit.com, where this article originally appeared.
