Extortion Email Attacks | Stewart Title Blog

If you’ve ever received an extortion email attack, it may have left you wondering: How do criminals get my email address?


Let me explain how it works. There are some services, both legal and illegal, that collect valid business email addresses to use for their own purposes. Those that are collected legally are usually used for sales, marketing, and advertising. Those that are collected illegally, along with email addresses that were leaked in past security incidents, end up for sale on the Dark Web. Criminals buy these emails in bulk – usually by the thousands or sometimes millions – and use them to send malicious or extortion emails.

Often, crooks will use bots to build targeted email lists. Publicly available records make it easy to determine what the email format is at any given company (e.g., joe.doe@company.com or jdoe@company.com). Once the criminals have an employee list, whether it’s purchased or stolen, they can build a potential users list. Next, they need to validate them. This is where the bots come in.

You may have unknowingly witnessed this validation process in action. If you've ever received an email with "hi,” a blank space or some other nonsense in the subject or body that does not seem to relate to anything, it’s an email address validation. Any invalid email address will return a non-delivery report to the sender, and the bot will then remove the address from the list. Once the perpetrator has a good list, he then can use it or sell it.

Lastly, the majority of threatening emails claiming that your computer is infected or is being monitored, or that an attacker has compromising materials on you, are nothing but false, empty threats. Whether an email like this shows up at work or at home, the "delete" key is your best friend.

As always, think before you click.