Phantom Incident Scam Threatens Release of Corporate PII

Cybercrime that involves social engineering exists in many forms. One such scam, which we call Phantom Incident Extortion, evolved from consumer sextortion emails and has moved up to the enterprise world. By tracking these scams over time, some very obvious patterns emerge that can help prevent new targets from falling victim. 

We explain these patterns by looking at 4 different Phantom Incident Extortion scams that we have observed in the wild. We call these scams phantom incidents, as their success depends on convincing the target that an illegitimate (i.e. phantom) incident has occurred or will occur, and the only way to prevent its impact is to pay (hint: don’t pay!). 

3 Components of a Phantom Incident Scam

Phantom incident extortion has three main components and some peripheral tells. 

Engineered Legitimacy

A key component of a phantom incident scam is a piece of data that is unique and familiar to the victim. For example, an email address or list of user accounts. The appearance of this data gives credibility to the threat. It is designed to convince the victim that the threat is real, and not just contrived. 

Social Pressure

Phantom incident scams use different types of social pressure to coerce the target to comply with the extortion threat as quickly as possible. This pressure is often rooted in deadlines and threats of brand damage or costly consequences if the extortion payment is not made. 

Asymmetric Financial Offer

Another key component of a well designed phantom incident is that the demand is a slim fraction of the perceived cost of the threat. This compounds the social pressure, convincing the victim that paying is the cheap, safe way to deal with the threat.

Phantom Incident Example #1: Breached Employee PII 

In early November, a new type of Phantom Incident email began circulating. The scam begins with emails sent to senior executives of a company using multiple email variants (hoping one gets through). The email threatens to release data that was breached from the recipient’s company. Below is an example of the email:

In past day we have come across data pertaining to company you work for: [Recipient Company Name]. Data contains all personal identifiable information for every employee that works for this company including yourself. Data was leaked around [specific date]. This will happen when systems are in process of updating/ or if your company still uses an older version of [Certain common manufacturer] OS that no longer receives security updates.

What me and me organization do is buy hacked data on market to keep it out of hands of criminals who plan to use it unethically. We then will contact company or companies that this data belongs to and ask them to pay us exactly what we paid for data/ keeping data secure.

We wish that we could just delete data ourselves and it be over but unfortunately that is not reality. At this moment it is only possible to obtain data buy purchasing it and we need to recover our funds.

This market it was purchased from is similar to an eBay for hackers and criminals, sellers have ratings and reputations/ they are only allowed to sell data once and then permanently delete it. So rest assured that there is only one copy in existence.

We need you to consider ALL damage that could occur if this data got into the wrong hands/ or if your current or past employees found out that data was leaked. You are very fortunate that our organization exists/ There were [oddly specific #] bidders for this data.

We give you [specific #] hours from the time this email sent/ Till [specific date] your time. We paid [bespoke $]] USD/ that’s amount we need back. We only accept bitcoin as payment/ that’s what we use on market/ we need bitcoin back so we can continue our efforts for others.

We encourage you to not contact any legal counsel nor authorities until after our business is complete. It will delay your efforts to send us our funds and we do not allow that. If you do not meet the deadline your data will be sold back on market so we can recover our funding/ no exceptions.

We are in Sweden/ logged in from China on an encrypted mail server in Switzerland. A country with extremely strict privacy laws. No one can help you in time/ trust us. We consider this a courtesy service/ we are very busy so please do not waste our time.

We have attached an image for proof.

We also offer other services once this has been resolved.

We can track down how this happened and offer you ways to make sure this never happens again. There is small chance we can find out which group was responsible as well.

Just think about the impact this could have on the people that work for your company. You need to make the right choice and that’s the one where you choose the people over a company. Contact only people that can help you send us back our bitcoin and everything will go smooth and fast.

Our bitcoin address is: [btc address]

Engineered Legitimacy

In this phantom incident scam a small sample of employee Personally Identifiable Information (PII) is attached to the email (redacted from above example). This PII typically matches current or former employees of the company and normally includes social security numbers, so it looks legit and material. The likely source of this data is not a company breach though. Because so much PII is already available for sale, this scam simply picks from a large data set and filters it by employer. The resulting list of current ex-employee data creates the appearance of a breached employee PII. In reality, the limited data set was pieced together from various incomplete sources. 

Social Pressure

The consequences of sustaining a PII related breach are severe and include legal and regulatory consequences. A data breach can be a costly, brand-damaging event. Avoiding the incident by paying off an extortion demand is an appealing option versus dealing with the fallout of data breach disclosure, as Uber demonstrated. In this note, the victim is reminded of the costs and potential damages if this data is allowed to leak out. 

Asymmetric Financial Offer

Given the roughly $4 million average cost of a data breach, the option to avoid a data breach for a few thousand dollars seems very enticing. The offer uses a common negotiation tactic of picking a non-round, specific number for their demand (e.g. $32,500). The number adds legitimacy to the threat as its specificity implies it is representative of a legitimate transaction. 

Other Tells

Genuine data exfiltration extortion negotiations are long drawn out processes involving the victim purchasing a sample to validate the legitimacy of the data and enumerate the content. This exchange takes time, and extortionists that actually apply this tradecraft know that. It is never a quick, immediate payment without further proof. In this case, the example data also had some inconsistencies. The alphanumeric order was slightly off. It also included an employee that joined the company AFTER the date of the breach specified in the note. 

Phantom Incident Example #2: Customer Data Breach 

A similar version a phantom incident that involves the threat to release breached customer data. The target of this scam is almost always B2C companies with very low barriers to signup. For example, Uber and Bird, or online retailers. The key difference in this variation is how legitimacy is engineered. 

Rather than creating a legitimate seeming data set from scraped data dumps, the attacker creates a relatively large group of fake accounts on the targets website. These accounts are created over a period of time and have unique emails, names, and passwords. The scammers aggregate the details of this manufactured user data and claim it has been breached. When the company receives the threat, and validates the data, they find that the accounts exist and match the sample provided by the scammer. This raises major alarms, as the company previously believed their user data was fully encrypted and that such a breach would be impossible. But it is all a ruse engineered by the attacker. 

This sort of scam has common tells. Often the scammer will get lazy and leave easily discernible patterns in the accounts that were created. Additionally these accounts typically never log in to the service or make purchases. 

Phantom Incident Example #3: DDOS Extortion Threat

Over the summer of 2019, a group known as Cozy Bear began threatening companies with crippling DDOS attacks. The threat was often followed by an actual small DDOS attack to demonstrate their ability. The extortion email looked like the below:

We are the Cozy Bear and we have chosen [Victim Company] as target for our next DDoS attack.

Please perform a google search for “Cozy Bear” to have a look at some of our previous work.

 Your network will be subject to a DDoS attack starting at [a day 2-3 days after receipt of email] morning.

(This is not a hoax, and to prove it right now we will start a small attack on [legit IP address of victim] that will last for 30 minutes. It will not be heavy attack, and will not cause you any damage so don’t worry, at this moment.)

 This means that your website and other connected services will be unavailable for everyone.

 We will refrain from attacking your servers for a small fee. The current fee is 2 Bitcoin (BTC). The fee will increase by 1 Bitcoin for each day after deadline that passed without payment.

Please send Bitcoin to the following Bitcoin address:

 [bitcoin wallet address]

 Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment before the deadline or the attack WILL start!

 If you decide not to pay, we will start the attack on the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution (Cloudflare, Sucuri, Imperva and similar services are useless, because we will attack your IPs directly). We will completely destroy your reputation and make sure your services will remain offline until you pay.

 Do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we won’t start the attack and you will never hear from us again.

 Please note that Bitcoin is anonymous and no one will find out that you have complied.

Engineered Legitimacy 

The DDOS traffic in these attacks is legitimate and occurs on an IP address of the target. This tangible credibly is more compelling than other phantom incidents. However, the larger crippling attack never follows. Why? Because purchasing small blocks of DDOS traffic and target IP addresses is extremely cheap. Most companies have never been DDOS’d before, so even a small DDOS demonstration of 2-5GB per second, can be quite alarming. This is the goal of the first attack. 

Social Pressure

The extortion email uses a combination of time pressure and the business interruption to pressure the target into a hasty decision. The email states the target’s worst fears out loud (destroyed reputation and offline services) to hammer home the anxiety. 

Asymmetric Financial Offer

Given the average cost of a corporate DDOS attack is roughly $2.5 million dollars, the offer to avoid the attack for 2 bitcoins (roughly $15,000 at the time of this example) seems like an obvious choice for the victim. 

Other Tells

Unlike ransomware, where the attackers ARE typically the only ones capable of decrypting data, the CDN vendors mentioned in the email are actually capable of preventing DDOS attacks, and most security professionals know that. 

Phantom Incident Example #4: Sextortion Scam Emails

The original phantom incident has been around for a few years but seems to make the rounds anew every couple of months. Sextortion emails attempt to convince recipients that their computer has been compromised. Below is a sample ‘sextortion’ email:

Title: “I’m aware that <password formerly used by recipient here> is your password,”
Body: You don’t know me and you’re thinking why you received this email, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: []

(It is cAsE sensitive, so copy and paste it)


You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

Engineered Legitimacy

The title of these sextortion emails frequently contains a KNOWN password to the victim. How? If you have been using the internet for more than a few years, prior passwords have likely been leaked and are floating around in breach dumps. Massive data sets of these passwords and their corresponding user emails can be purchased on dark marketplaces for almost nothing. In this example, the leaked password is merged into the title of the email. The victim reads the email, recognizes the PW, and may be convinced that the extortion threat is legitimate. The email also references common online proclivities and preferences. Given how many internet users visit pornography sites, this uncomfortable and potentially embarrassing observation applies to everyone but feels personal.

Social Pressure

In sextortion scams, the social pressure is applied via the threat of releasing an embarrassing phantom video to the victim’s contacts. They use a time-based threat as well to create a sense of urgency.

Asymmetric Financial Offer

The relatively low demand is designed to force the victim into NOT thinking this whole situation through. The perceived risk is SO high relative to the cost that one might as well pay. 

Other Tells

This email was designed to elicit a payment without any back and forth, but in the last line the sender offers a contradicting offer. First, they state they can produce evidence if the recipient replies. In the next sentence, they tell the recipient not to bother emailing. When the authors of these emails deviate from the basics it exposes their illegitimacy.

Conclusions to Avoid Phantom Incident Extortion

The likelihood of encountering threats like this is about 100%, so it’s important that companies protect themselves and are ready and able to spot these scams. Breaking down the threats into the components we discussed in these examples can help qualify the extortion threat as a scam. When in doubt, victims should always contact law enforcement or their privacy counsel for assistance. We also note that every threat should be evaluated in depth and taken seriously. At a minimum, the feedstock for creating the engineered legitimacy is something to look into. Coveware’s phones are always on as well! 

Contact us

*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at:

Avatar photo

Bill Siegel

Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.

bill-siegel has 67 posts and counting.See all posts by bill-siegel