What you need to know about cyber extortion
Have you received emails with subject lines such as “Please can we work on this project?” or “Your abandoned fund at King Shaka Airport, Durban”? Hopefully you’ve got a spam folder set up and your email server automatically redirects these fraudulent emails. Unless you check your spam folder you may not even see them. But many people still fall prey to these cons every year. Most of us are wise to the advance-fee scam, also known as the 419 scam, after the section of the Nigerian Criminal Code that deals with fraud. (Many of the early examples of this type of cyber extortion originated in Nigeria, but South Africa is also known for a high incidence of advance-fee fraud.) However, hackers have moved on to more sophisticated means of extracting funds from innocent victims.
Although there are many forms of cyber extortion, most private citizens will not experience the ransomware attacks for millions of dollars suffered by large corporations such as Garmin. We are more likely to be the victims of “phishing” – fraudulent emails that look credible and invite us to click through to a fake link or pay a fake invoice. The fake invoice scam is usually targeted at company finance departments, but individuals are not exempt. You may receive a notification that your Microsoft or Google account is about to expire unless you take immediate action – i.e., pay for an upgrade. The amounts involved are small, and many people pay them because they fear they will lose access to their account. But for the cybercriminal, these petty sums add up when their victims number in their hundreds or even thousands.
What is cyber extortion?
Cyber extortion is defined in Section 10 of the Cybercrimes Act 19 of 2020. Cyber extortion occurs when any person unlawfully and intentionally commits or threatens to commit an offence defined in sections 3, 5, 6 or 7 of the Act – outlined below – for the purpose of obtaining an advantage from another person or compelling another person to perform or abstain from performing any act. Those sections include:
- Section 3(1) – any person who unlawfully and intentionally intercepts data, including electromagnetic emissions from a computer system carrying such data, within or which is transmitted to or from a computer system, is guilty of an offence.
- Section 5(1) – any person who unlawfully and intentionally interferes with data or a computer program is guilty of an offence.
- Section 6(1) – any person who unlawfully and intentionally interferes with a computer data storage medium or a computer system is guilty of an offence.
- Section 7(1)(a) and (d) – any person who unlawfully and intentionally acquires and uses a password, an access code or similar data or device for purposes of contravening the provisions in the Act is guilty of an offence.
In short, cyber extortion happens when someone accesses your data, website or computer system and demands payment from you. You may be threatened in the process, and these threats are particularly intimidating because your attacker is unseen and unknown.
What punishment can cybercriminals expect?
According to Section 19 of the Act, any person who contravenes the provisions of these sections is liable on conviction to a fine or imprisonment for a period not exceeding 10 years…or both. The court may impose a sentence which it considers appropriate and which is within that court’s penal jurisdiction, where a penalty is not prescribed in respect of that offence by any other law. However, the challenge is catching the criminals. They lurk behind the scenes, online, and may not even be in South Africa.
Cybercrime success for the Hawks
But law enforcement is catching up with cybercrime and there have been some notable successes. In Gauteng, the Hawks Serious Corruption Investigation team carried out a cybercrime search and seizure and executed warrants of arrest against four individuals facing the following charges:
- Extortion
- Impersonation of a police officer
- Money laundering
- Forgery
- Uttering
The arrests were the result of an in-depth investigation into a case of extortion from several men who engaged with a clandestine online escort agency. The accused posed as police officers and told the victims that a case of rape and fraud was opened against them for use of fake money to pay the sex workers. Fake warrants of arrest were used to demand payment to make the cases “disappear”. The investigation revealed that a syndicate of inmates allegedly created profiles of police officers by using their personal information. From May to August 2022, the accused extorted a total of R1.32 million from the victims.
How can you stay safe?
You may not use an online escort agency, but you are not immune to being targeted by cybercriminals for extortion. The Hawks’ case is high-profile, but less sensational attacks happen all the time. Hackers rely on good old-fashioned human error and inertia. Do you use the same password for all your online accounts? You’ve just made life easy for a cybercriminal; if they infiltrate one of your accounts, they’ve got a free ride to all of them. Use strong, secure passwords for all your online accounts and make sure each one is unique.
Don’t open emails from unknown senders. Legitimate emails do sometimes come from a new contact. But if the sender’s email address or subject line looks suspicious, it probably is. Delete it. If they are bona fide, they will find another way to contact you. Be careful opening hyperlinks if the sender is unknown. If you receive a WhatsApp message from a known contact but the content of the message seems unusual, your contact may have been hacked. Call them or SMS them outside of WhatsApp to ask if they sent the message. WhatsApp scams are on the increase. Enable two-factor authentication for greater security.
If you are a business owner, make sure you provide regular, relevant training to your employees. Training at induction and an annual refresher is not sufficient. Make training relevant to the role; a junior clerk may not need to know about software patches but they do need to know how to recognise phishing emails. Everyone needs to be aware of correct password management. Ensure all staff in your accounts department can recognise a fake invoice.
There is plenty of advice online about how to spot phishing and spear-phishing emails and messages and vishing calls (voice phishing), so we won’t go into more detail in this article. But it’s worth taking the time to familiarise yourself with the tactics and techniques cybercriminals use to try to trick you out of your hard-earned money. Don’t be a victim of cyber extortion. Stay safe online.
If you have been a victim of cyber extortion
If you have fallen prey to a phishing scam, don’t be embarrassed to report it. It is not your fault. Hackers are very clever and know just how to exploit human weakness. Every case of cyber extortion should be reported to the police, even if you think it is futile. Unless the police are made aware of these crimes when they happen, they will not be able to investigate them and they will not have a full picture of the scale of the problem.
If you need help with a case of cyber extortion, give Cape Town Attorney Simon Dippenaar a call on +27 (0) 86 099 5146.
The information on this website is provided to assist the reader with a general understanding of the law. While we believe the information to be factually accurate, and have taken care in our preparation of these pages, these articles cannot and do not take individual circumstances into account and are not a substitute for personal legal advice. If you have a legal matter that concerns you, please consult a qualified attorney. Simon Dippenaar & Associates takes no responsibility for any action you may take as a result of reading the information contained herein (or the consequences thereof), in the absence of professional legal advice.