Washington: Cybersecurity experts have warned businesses about a sophisticated extortion campaign that is targeting companies through deceptive emails, social engineering and voice phishing tactics. The campaign, identified by Google’s cybersecurity teams, has the potential to cost organisations millions of dollars through data theft, ransom demands, reputational damage and legal liabilities.
According to a recent report by Google’s security divisions, Mandiant and Google Threat Intelligence Group, the campaign has been linked to a financially motivated threat cluster known as UNC3753, also referred to as Luna Moth, Silent Ransom Group or Chatty Spider.
Unlike traditional ransomware attacks that encrypt files, this group focuses on stealing sensitive corporate data and then threatening to release it publicly unless victims agree to pay substantial sums of money.
How the scam operates
The cybercriminals begin their attacks with seemingly harmless emails sent from consumer email accounts controlled by the attackers.
These messages often use invoice-related themes and are intentionally designed to appear ordinary. The emails typically contain no malicious attachments or suspicious links that would normally trigger security alerts.
A typical message may simply read: “Hello, here is the invoice we talked about yesterday.”
The simplicity of the communication is a deliberate tactic intended to encourage recipients to respond or engage with the sender.
Once communication is established, attackers employ social engineering techniques and voice phishing, commonly known as vishing, to manipulate employees into granting remote access to company systems or disclosing sensitive information.
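A mail-triage heuristic for the opening emails described above, as an added example that is not from Google's report or this article: it flags messages that combine a consumer-domain sender, an invoice theme and nothing for a scanner to inspect. The domain list, keyword list, `known_senders` parameter and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short illustrative list of consumer mail domains; extend per environment.
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
INVOICE_TERMS = re.compile(r"\b(invoice|payment|receipt|billing)\b", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)

# Constructed sample messages (not real traffic).
LURE = ("From: Alex <constructed.sender@gmail.com>\nTo: ap@example.com\n"
        "Subject: Invoice\n\nHello, here is the invoice we talked about yesterday.\n")
BENIGN = ("From: Sam <sam@supplier.example>\nTo: ap@example.com\n"
          "Subject: Invoice 1001\n\nSee https://portal.supplier.example/invoices/1001\n")


def body_and_attachments(msg):
    """Return (plain-text body, attachment count) for a parsed message."""
    text, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(text), attachments


def triage(raw, known_senders=frozenset()):
    """Return the matched signals if the message fits the bare invoice-lure pattern, else []."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    body, attachments = body_and_attachments(msg)
    signals = {
        "consumer-domain sender, not a known correspondent":
            domain in CONSUMER_DOMAINS and sender not in known_senders,
        "invoice theme":
            bool(INVOICE_TERMS.search(msg.get("Subject", "") + " " + body)),
        "no attachment or link to inspect":
            attachments == 0 and not URL_RE.search(body),
    }
    # Each signal alone is routine business mail; only the combination is queued for review.
    return list(signals) if all(signals.values()) else []
```

A match is a reason to route the message for human review or add a reply-time warning banner, not to block it, since legitimate small vendors also write from consumer accounts.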
Voice phishing plays a crucial role
Voice phishing has become one of the group’s most effective weapons.
Attackers often impersonate IT support personnel, service providers or trusted business contacts. Through convincing conversations, they persuade employees to install remote access software or provide credentials that allow attackers to enter corporate networks.
Once access is obtained, the criminals focus on identifying and extracting highly sensitive information.
This may include customer databases, financial records, intellectual property, internal communications, contracts and confidential business documents.
Unlike ransomware gangs that lock systems and demand payment for restoration, Luna Moth’s strategy centres on data theft and extortion.
Threatening emails increase pressure
After obtaining valuable information, the attackers send extortion emails to company executives or security teams.
These messages claim that sensitive corporate data has been stolen and threaten severe consequences if the organisation refuses to negotiate.
The emails typically warn that confidential files will be published online, shared with customers, employees, competitors or journalists, and used to damage the company’s reputation.
The criminals often claim they have been inside the victim’s network for weeks and may include screenshots or limited evidence to support their assertions.
The language is designed to create urgency and panic, pressuring organisations into entering negotiations quickly.
Why companies are vulnerable
Many businesses remain vulnerable because the attack does not rely on sophisticated malware during the initial stages.
Traditional cybersecurity tools are often effective at detecting malicious attachments, infected links or known malware signatures. However, they are less effective against human manipulation.
The campaign exploits trust, curiosity and routine workplace interactions rather than software vulnerabilities alone.
Employees who are unaware of social engineering tactics may inadvertently provide attackers with the access they need.
Remote and hybrid working environments have also increased opportunities for cybercriminals to impersonate legitimate support staff and exploit communication gaps within organisations.
Potential financial impact
The financial consequences of such attacks can be significant.
Companies may face direct extortion demands, incident response costs, forensic investigations and legal expenses. Regulatory penalties may also arise if customer data or personal information is compromised.
In addition, organisations can suffer reputational damage that affects customer trust, investor confidence and future business opportunities.
For publicly listed companies, data breach disclosures can lead to sharp declines in market value and shareholder concerns.
Cybersecurity experts note that the total impact of a successful breach often extends far beyond any ransom amount demanded by attackers.
How businesses can protect themselves
Security experts recommend several measures to reduce the risk of falling victim to such campaigns.
Organisations should provide regular cybersecurity awareness training to employees, particularly on identifying phishing and voice phishing attempts.
Multi-factor authentication should be enabled across all critical systems to reduce the effectiveness of stolen credentials.
Companies should also establish strict verification procedures before granting remote access or sharing sensitive information.
Monitoring tools that detect unusual account activity, data transfers and remote access sessions can help identify intrusions before significant damage occurs.
Regular security audits and incident response planning are also essential for strengthening organisational resilience.
Conclusion
The Luna Moth campaign highlights how cybercriminals are increasingly shifting from traditional ransomware attacks to data theft and psychological pressure tactics. By exploiting human trust rather than technical weaknesses alone, these attackers can infiltrate organisations and demand substantial payments while threatening reputational harm. As such threats continue to evolve, businesses must combine robust cybersecurity technologies with employee awareness and strong verification procedures to protect their data and operations.
