An email pops up in your inbox and your eyes widen. Ato have video footage of you watching porn and asks for $1,000.
There’s outrage and embarrassment. You reach for your phone, but then you wonder “Who do I even call?”
Unfortunately, the answer to that question is complicated.
As it turns out, even law enforcement officials can’t agree. The FBI and your local police both suggest that you should call them. But experts warn that in many cases, neither agency will be able to help, especially if the criminal is asking for so little money.
This dynamic underscores why these kinds of hacks — and yes, the porn scam really happened — are starting to proliferate. There’s no clear answer on who to call. And from law enforcement’s perspective, many of these crimes are too small to be worth prosecuting. It’s no surprise that cyberattacks have run rampant across the web, as thieves online find ways to steal credit card information from millions of people without leaving their homes.
“If the people doing it keep the dollar amounts small enough that no individual police department is going to be motivated enough to prosecute, you can collect a lot of money from a lot of people all around the world,” said Adam Bookbinder, the former chief of the US Attorney’s cybercrime unit.
Sometimes these crimes don’t even involve a hack. An email scheme in which scammers spammed inboxes threatening to blackmail victims, without any evidence, netted $28,000 over two months, researchers from cybersecurity company Digital Shadows found.
But unless it’s a public concern, there’s a good chance no one will handle it, said Bookbinder, who’s now a cybersecurity and privacy team member with the Holland & Knight law firm.
In an emergency, you’re supposed to call 911.
“If a person believes they are a victim of a crime they should contact the police,” an New York Police Department spokeswoman told Techhnews.
But there’s not much your local police can do for you. For starters, you’d have to show that an actual crime happened, which is much more difficult when it’s digital.
For example, if someone accesses your Facebook account without your permission, but only uses it to look around at your messages, it’s not enough to meet the threshold for a criminal investigation, Bookbinder said.
“That’s a misdemeanor,” he said. “Could it be prosecuted? Yes. Is it likely that anyone is going to want to spend the resources on it? No.”
But if someone used private photos from your Facebook account and threatened to blackmail you with it, then it would be something that police could investigate, he said.
That’s assuming your local police have the resources to deal with investigating hacks. While more local and state police are improving their computer crime capabilities, it hasn’t happened across the board for every department.
It gets even more complicated if the hack crosses state or national lines. If your account is accessed by a Russian hacker, for example, your local police wouldn’t have the resources to investigate that.
“NYPD is probably an outlier in the resources they have available for investigation,” said Jake Williams, founder of Rendition Security. “But even then, it’s unlikely any law enforcement agency is interested in helping investigate who hacked your Facebook account.”
If a threat came to your doorstep instead of your digital inbox, the answer would be much simpler: Call the police. But when it’s an online crime, some consider calling 911 a joke.
“I occasionally still hear of companies and locals that call 911 when they believe they’ve been under a cyberattack,” US Department of Homeland Security Secretary Kirstjen Nielsen said during the agency’s Cybersecurity Summit in July.
Nielsen, with a smile, let the remark hang in the air before she told the crowd who they should really call.
“The best thing to do would be to call this center,” she said, referring to the DHS’s National Risk Management Center, a dedicated hub for helping respond to cyberattacks with a focus on critical infrastructure.
But it’s not much help if you’re an average person and not a major company.
When a person does call the DHS asking for help, the agency will refer them to the FBI, a DHS spokesman said.
The FBI recommends that cybercrime victims call them first — not your local police. The agency has an Internet Crime Complaint Center, where you can file details on what happened and analysts will review the case to determine what actions to take.
Often, though, nothing much is done. The FBI is the best-equipped agency to deal with cybercrime, with its vast resources and plentiful experts, Bookbinder said, but if the complaint isn’t a major case, it likely won’t be investigated.
“They won’t handle most cases of individual hacks unless they’re very high profile or a bunch of money was lost,” Williams said. “It varies from office to office, but most of them we’ve worked want to see $10K stolen before they’ll get involved.”
So is all hope lost? Not necessarily.
The best way to get a response would be to report the incident to the FBI, Bookbinder said. Even if your case doesn’t pop up on the agency’s radar, it’s logged into the FBI’s databases of cybercrime complaints. If enough similar complaints come in, analysts can connect the dots and start building an investigation, the former cybercrime unit chief said.
“They now have a good-sized crime, and all these people are victims in a case where they do prosecute someone,” he said.
Chances are, you weren’t only one hit with an email threatening to blackmail you over porn, or whatever. The FBI — and security experts — encourage you to at least report potential cybercrimes in order to help build up a case.
Here’s the thing: The same spamming tactic that cybercriminals are using to cast a wide net may also be their downfall.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Taking It to Extremes: Mix insane situations — erupting volcanoes, nuclear meltdowns, 30-foot waves — with everyday tech. Here’s what happens.