CIS Logo
tagline: Confidence in the Connected World

How to Identify an Email Hoax & What to do if You Fall Victim

There are a variety of email-based hoaxes demanding money and threatening SLTT government recipients in various ways. Hoax campaigns include illegitimate threats ranging from distributed denial of service (DDoS) attacks to physical violence and threats to reveal sensitive information purportedly gathered through exploited vulnerabilities or malware infections. The theme of the hoaxes change, but in recent cases, the threat actors’ goal has remained the same - attempting to elicit fear in the recipient in order to prompt the recipient to pay the extortion demand.

Hoax emails are opportunistic in nature with threats that the threat actor will not follow through on. It is imperative that recipients of hoax emails identify them as scams in order to avoid being hoodwinked. However, be aware that if you receive a malicious email with any one or more of the below identifiers it may also be a legitimate threat. For this reason, it is important to follow standard incident response procedures while also investigating the accuracy of the claim. 

How to know if it’s a hoax

There are a couple of key indicators that can help you in determining if the email is a hoax or not. For instance, many hoaxes are opportunistically emailed to multiple recipients. Identifying the threat actors’ use of generic language and lack of specific details about the target are good indicators that it’s a hoax. Another key component of these scams is that the threat actor incites a sense of urgency by demanding immediate payment to avoid the malicious activity, which makes it harder for the recipient to calm down and think it through. Furthermore, in a hoax, the email will not include legitimate proof of the ability to pull off these claims. One word of warning, some observed hoax campaigns attempt to gain legitimacy by claiming to be from groups known to conduct successful attacks. 

The case of the compromising video

A recent campaign affecting various SLTT governments claims, via email, that the threat actor placed malware on the email recipient’s system. The email then explains that the malware allowed the threat actor to capture webcam footage of the recipient while the recipient was purportedly viewing pornographic videos. Furthermore, the threat actor claims the malware grants access to all of the recipient’s personal contacts. The recipient is instructed to pay the extortion demand to a bitcoin wallet within 24 hours in order to prevent the video from being emailed to all their personal contacts.

email hoax 


  • Verify the accuracy of the claim while also investigating whether or not it is a hoax.
  • To check if it is a hoax:
    • Determine if the email contains any specific knowledge about operations or if the language is generic and appears to be part of a mass mailing campaign.
    • Conduct searches on keywords, the cryptocurrency wallet ID, and sender’s email address, as this may yield multiple examples of others affected by the same hoax.
    • Check the cryptocurrency wallet ID for transactions to the wallet, which may provide insight into the threat actor’s operations.
    • Contact the MS-ISAC and other information sharing resources to determine if other entities report receiving similar emails.
  • Verify the accuracy of the claim:
    • Confirm that malware was not placed on the system by running an antivirus scan. Ensure that the antivirus program uses updated signatures.
    • Reimage the machine and reset passwords if malware is discovered.
    • Speak with the employee to determine any relevant information they may have.
  • Provide social engineering training to employees and direct them to immediately report potential hoaxes.
  • Implement spam filtering at the email gateway to filter out emails with known phishing indicators, such as the known malicious subject lines.
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
  • Adhere to best practices, such as those described in the CIS Controls and the CIS Benchmarks programs.