Imagine investing heavily in the creation of an online business. You’ve paid web designers, SEO service providers and content writers. You’ve set up a secure payment system and cultivated a loyal group of followers. Your profits are tied, quite obviously, to your website. If the site goes down for even a few hours, you lose money.
Now imagine opening an email to discover a nasty surprise: hackers are threatening to launch a Denial of Service attack on your website. Pay them $15,000 and they’ll leave you alone. You ignore the email, believing it to be spam, and a week later your website does indeed go dark. You lose a week’s profits.
Then you get a second email: “Pay us $30,000, or we’ll attack again.” What do you do? The crooks have proven they can do the damage they claim. They may be a world away, in a country where they feel safe from your own country’s law enforcement.
Do you contact the police? Pay off the extortionists? Or watch as your business crumbles under multiple DoS attacks?
In a theoretical discussion, these questions are easy enough to answer. You’ve done nothing wrong, so you go to the police. In reality, when a business stands to lose thousands of dollars a day in revenue, $30,000 may not seem that high a price to pay.
Online extortion is increasingly common, although no one knows exactly how widespread the problem is. After all, one of the results of a successful extortion scheme is that the victim doesn’t dare go to the police. And it’s not just big business that’s getting hit by virtual protection rackets. Crooks are also leaning on individuals.
Here’s a more personal scenario. You receive an email from someone claiming to have control of your home or work computer. They threaten to erase your hard drive, or, more disturbingly, flood your computer with child pornography and then alert the police. A small fee of $25 will prevent all this from happening.
A vaguer, perversely inspired email simply claims the sender knows about your secret, correctly assuming that a certain number of people who receive the email will, indeed, have guilty secrets.
Such emails are more likely to be mass-email scams than serious attacks, but when it comes to extortion, the threat doesn’t have to be effective — the victim just has to think it is. And like any Prohibition-era protection racket, if you pay once, the blackmailer continues to lean on you as often as possible.
So how do you respond? Do you risk your personal reputation and business by defying that blackmailer? Or do you pay, assuming that refusing isn’t worth the cost of retaliation?
Online businesses are especially vulnerable — a DoS attack can cripple a website for weeks, wasting the investment the business has made in the website and SEO for ecommerce. Individuals are safer. If the threat is vague, it’s likely the extortion email is a scam. Ultimately, it’s up to the individual or business to decide whether to ignore, fight or give in to blackmail demands. And none of those decisions offers an easy solution.