This attack impersonated ACE Cash Express, a debt collection company, to pressure the recipient into making a payment toward a supposed outstanding debt. The email stated that a law firm had decided to press legal charges against the recipient after trying to reach them on a number of occasions. According to the email, if the recipient failed to respond within 12 hours, a court case would be registered and an email would be sent to the recipient’s employer, which could lead to a loss of income. The amount demanded by the attacker was $1,159; however, the email indicated that if the case went to court, the recipient could owe more than $7,400. The email included a Gmail account, with a username resembling that of an attorney, which the recipient could contact if they wanted to “resolve the case out of court.” The email was sent from an Outlook email address, and the attacker BCC'd all of the recipients to hide the addresses of everyone receiving it.

Debt Collection Extortion Email

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. This email was sent from an Outlook account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients. Cloud email security solutions can use natural language processing to detect themes and content commonly used in text-based extortion attacks.
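The signals described above can be combined in a simple triage rule. The sketch below is an added example, not code from Abnormal or from the original page; its keyword patterns are a crude stand-in for a real NLP classifier. The webmail domain list, theme patterns, thresholds, function names and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed values for illustration; tune for your own mail flow.
FREE_WEBMAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}
THEMES = {  # keyword stand-ins for an NLP theme classifier
    "legal_threat": r"\b(court case|legal charges|law firm|lawsuit)\b",
    "debt_demand": r"\b(outstanding debt|amount due|payment)\b",
    "deadline": r"\bwithin \d+ (hours?|days?)\b",
    "employer_threat": r"\bemployer\b",
}
STRUCTURAL = {"free_webmail_sender", "recipient_bcc", "off_thread_webmail_contact"}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def signals_for(raw, delivered_to):
    """Return the set of signal names found in one delivered plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1]
    found = {name for name, pat in THEMES.items() if re.search(pat, body, re.I)}
    if domain(sender) in FREE_WEBMAIL:
        found.add("free_webmail_sender")
    # A BCC'd recipient never appears in the visible To/Cc headers.
    visible = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if delivered_to.lower() not in visible:
        found.add("recipient_bcc")
    if re.search(r"\$\s?\d[\d,]*", body):
        found.add("dollar_amount")
    # Body asks the reader to reply to a different free webmail address.
    contacts = re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", body)
    if any(c.lower() != sender.lower() and domain(c) in FREE_WEBMAIL for c in contacts):
        found.add("off_thread_webmail_contact")
    return found

def is_suspected_extortion(found):
    # Require theme and structural evidence together; BCC alone is common in legitimate mail.
    return len(found & set(THEMES)) >= 2 and len(found & STRUCTURAL) >= 2

# Constructed sample modeled on the email described in this article.
SAMPLE = """From: Collections Dept <collections.example@outlook.com>
To: collections.example@outlook.com
Subject: Final notice

A law firm has decided to press legal charges over your outstanding debt of $1,159.
Respond within 12 hours or a court case will be registered and your employer notified.
To resolve the case out of court, contact attorney.example@gmail.com.
"""
```

Calling `signals_for(SAMPLE, "employee@corp.example")` reports all three structural signals plus the legal, debt, deadline and employer themes, so `is_suspected_extortion` returns `True` even though the message would pass SPF, DKIM and DMARC.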

What are the Risks of This Attack?

While extortion emails may be seen as relatively simplistic attacks, the fact that they’re still common means attackers are generating a good ROI from the campaigns. If a victim complied with the attacker’s demands, whether out of embarrassment or fear, they would be out more than $1,100. While this is not a direct business loss, this type of attack can distract employees from their work and, in some cases, make them fearful of their future with the company.

Analysis Overview




Payment Fraud


Free Webmail Account
BCC Recipient List


Legal Matter
Debt Collection

Impersonated Brands

ACE Cash Express
