How Have Ransomware Attacks Evolved with Double and Triple Extortion Tactics?

Ransomware attacks have undergone significant evolution since their inception, transitioning from simple data encryption schemes to sophisticated, multi-layered extortion strategies. The advent of double and triple extortion tactics has amplified the threat, increasing both the financial and reputational damage to victims. This essay explores the evolution of ransomware, focusing on the mechanics, motivations, and impacts of double and triple extortion tactics, and provides a real-world example to illustrate their application.

Early Ransomware: The Foundation of Encryption-Based Extortion

Ransomware emerged in the late 1980s with the AIDS Trojan, which encrypted files and demanded payment via postal mail. However, it was in the 2000s and 2010s that ransomware gained prominence with variants like CryptoLocker (2013), which used strong encryption and demanded Bitcoin payments. These early attacks followed a single extortion model: encrypt a victim’s data, lock access, and demand a ransom for the decryption key. The simplicity of this approach relied on the victim’s desperation to regain access to critical data, often with no guarantee of recovery even after payment.

The single extortion model, while effective, had limitations. Victims with robust backups could restore data without paying, reducing the attackers’ leverage. Additionally, law enforcement efforts and improved cybersecurity awareness began to mitigate the impact of traditional ransomware. This prompted cybercriminals to innovate, leading to the development of more coercive tactics: double and triple extortion.

Double Extortion: Adding Data Exfiltration to the Mix

By 2019, ransomware operators introduced double extortion, a strategy that combines data encryption with data exfiltration. In this model, attackers not only encrypt the victim’s files but also steal sensitive data before deploying the ransomware. If the victim refuses to pay for the decryption key, the attackers threaten to leak or sell the stolen data on the dark web or public platforms.

Mechanics of Double Extortion

  1. Initial Access: Attackers gain entry through phishing emails, exploiting unpatched vulnerabilities (e.g., CVE-2021-44228 in Log4j), or compromised Remote Desktop Protocol (RDP) credentials.

  2. Data Exfiltration: Before encryption, attackers use tools like Cobalt Strike or custom scripts to identify and exfiltrate sensitive data, such as customer records, intellectual property, or financial documents.

  3. Encryption: Ransomware is deployed to lock the victim’s systems, often using robust algorithms like AES-256 or RSA-2048.

  4. Ransom Demand: Attackers issue two threats: pay to decrypt the data, or pay to prevent the stolen data from being leaked. Some groups, like Maze, pioneered dedicated leak sites to publicize stolen data from non-compliant victims.
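The exfiltrate-then-encrypt order in the steps above is also what a defender can look for. The following detector is an added example, not code from the essay or from any product: it scans constructed host telemetry for bulk outbound transfer to one peer followed by a burst of file renames to a new extension, and only reports the combined double-extortion pattern when the transfer precedes the burst. The log format, thresholds, host names and addresses are all assumptions.

```python
"""Added example: flag hosts whose telemetry shows bulk outbound transfer
followed by a burst of file renames, the exfiltrate-then-encrypt sequence
of double extortion.  Log format, thresholds and hosts are all assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_BYTES = 1024 ** 3              # assumed: >= 1 GiB to one external peer
RENAME_BURST = 5                     # assumed: >= 5 renames to one new extension
BURST_WINDOW = timedelta(minutes=2)  # ... within a two-minute window

# Constructed telemetry (not real logs). One record per line:
#   <ISO time> <host> net  <dst_ip> <bytes_out>
#   <ISO time> <host> file <old_path> -> <new_path>      (paths without spaces)
SAMPLE_LOG = """\
2021-05-13T01:02:10 ws-17 net 203.0.113.9 524288000
2021-05-13T01:09:41 ws-17 net 203.0.113.9 734003200
2021-05-13T01:15:03 ws-17 net 198.51.100.4 1200
2021-05-13T03:40:00 ws-17 file /srv/share/a.docx -> /srv/share/a.docx.locked
2021-05-13T03:40:01 ws-17 file /srv/share/b.xlsx -> /srv/share/b.xlsx.locked
2021-05-13T03:40:01 ws-17 file /srv/share/c.pdf -> /srv/share/c.pdf.locked
2021-05-13T03:40:02 ws-17 file /srv/share/d.docx -> /srv/share/d.docx.locked
2021-05-13T03:40:03 ws-17 file /srv/share/e.csv -> /srv/share/e.csv.locked
2021-05-13T02:00:00 ws-22 net 198.51.100.4 50000
2021-05-13T02:00:30 ws-22 file /home/u/x.txt -> /home/u/x.bak
2021-05-13T02:10:00 ws-31 net 203.0.113.9 3221225472
"""


def parse(log_text):
    """Split the log into per-host outbound byte counts and rename events."""
    bytes_out = defaultdict(lambda: defaultdict(int))  # host -> dst -> bytes
    first_seen = {}                                    # (host, dst) -> first time
    renames = defaultdict(list)                        # host -> [(time, new_ext)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, host, kind = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if kind == "net":
            dst, nbytes = parts[3], int(parts[4])
            bytes_out[host][dst] += nbytes
            first_seen.setdefault((host, dst), ts)
        elif kind == "file" and "->" in parts:
            new_path = parts[parts.index("->") + 1]
            ext = new_path.rsplit(".", 1)[-1] if "." in new_path else ""
            renames[host].append((ts, ext))
    return bytes_out, first_seen, renames


def exfil_peers(bytes_out, first_seen, host):
    """Destinations that received at least EXFIL_BYTES from host, with first-seen time."""
    return {dst: first_seen[(host, dst)]
            for dst, total in bytes_out[host].items() if total >= EXFIL_BYTES}


def rename_burst(events):
    """Return (start_time, ext) of the first burst of RENAME_BURST renames to the
    same new extension inside BURST_WINDOW, or None if there is no such burst."""
    events = sorted(events)
    for i, (t0, ext) in enumerate(events):
        same = [t for t, e in events[i:] if e == ext and t - t0 <= BURST_WINDOW]
        if len(same) >= RENAME_BURST:
            return t0, ext
    return None


def classify(log_text):
    """Map each host to a verdict; the combined pattern needs exfil before the burst."""
    bytes_out, first_seen, renames = parse(log_text)
    verdicts = {}
    for host in set(bytes_out) | set(renames):
        peers = exfil_peers(bytes_out, first_seen, host)
        burst = rename_burst(renames.get(host, []))
        if peers and burst and min(peers.values()) < burst[0]:
            verdicts[host] = "double-extortion pattern"
        elif peers:
            verdicts[host] = "bulk exfiltration only"
        elif burst:
            verdicts[host] = "encryption-like rename burst only"
        else:
            verdicts[host] = "no finding"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{host}: {verdict}")
```

On the constructed sample, ws-17 triggers the combined pattern, ws-31 shows only bulk egress, and ws-22 produces no finding; the thresholds are deliberately simple and would be tuned per environment.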

Motivations and Impact

Double extortion increases pressure on victims by introducing reputational and legal risks. Leaked data can lead to regulatory fines (e.g., under GDPR or CCPA), lawsuits, and loss of customer trust. Even organizations with backups are compelled to pay to avoid data exposure. This tactic also diversifies the attackers’ revenue streams, as stolen data can be sold to other criminals or used for further attacks.

The Maze ransomware group, active in 2019-2020, was among the first to implement double extortion. Their leak site, “Maze News,” showcased stolen data from victims who refused payment, setting a precedent for groups like REvil and Conti.

Triple Extortion: Escalating Threats with Additional Leverage

Around 2020, ransomware evolved further with triple extortion, adding a third layer of coercion. In addition to encryption and data exfiltration, attackers target third parties associated with the victim, such as customers, partners, or employees, or launch Distributed Denial-of-Service (DDoS) attacks to disrupt operations.

Mechanics of Triple Extortion

  1. Encryption and Exfiltration: As in double extortion, attackers encrypt systems and steal data.

  2. Third-Party Extortion: Attackers contact the victim’s stakeholders—customers, suppliers, or employees—demanding payment to withhold sensitive information or threatening them with fraud using stolen data. Alternatively, attackers may demand additional ransoms from the victim to protect these third parties.

  3. DDoS Attacks: Some groups, like SunCrypt and Avaddon, incorporate DDoS attacks to overwhelm the victim’s online services, adding operational disruption to the ransom demand.

Motivations and Impact

Triple extortion maximizes pressure by exploiting the victim’s ecosystem. Targeting third parties amplifies reputational damage and creates urgency, as victims face external demands from affected stakeholders. DDoS attacks further disrupt business continuity, particularly for organizations reliant on online services. This multi-pronged approach makes non-payment increasingly untenable, even for well-prepared organizations.

The psychological and financial toll of triple extortion is significant. Victims face complex decisions: pay multiple ransoms, negotiate with attackers, or risk widespread fallout. The tactic also complicates incident response, as organizations must address data breaches, system recovery, and third-party communications simultaneously.

Drivers of Ransomware Evolution

Several factors have fueled the shift to double and triple extortion:

  1. Cryptocurrency: Bitcoin and privacy-focused coins like Monero enable anonymous, untraceable payments, emboldening attackers.

  2. Ransomware-as-a-Service (RaaS): Platforms like DarkSide and LockBit lower the barrier to entry, allowing less-skilled affiliates to execute sophisticated attacks. RaaS operators provide ransomware kits, infrastructure, and leak sites in exchange for a cut of the profits.

  3. Cyber Insurance: While insurance can mitigate losses, it also incentivizes ransom payments, as insurers often cover costs to expedite recovery.

  4. Geopolitical Factors: Some ransomware groups operate from jurisdictions with lax cybercrime enforcement, such as Russia or North Korea, reducing the risk of prosecution.

  5. Increased Connectivity: The proliferation of IoT devices, cloud services, and remote work has expanded attack surfaces, making initial access easier.

Case Study: The Conti Attack on Ireland’s Health Service Executive (HSE)

A prominent example of double extortion is the 2021 Conti ransomware attack on Ireland’s Health Service Executive (HSE), the country’s public healthcare system. This incident illustrates the devastating impact of modern ransomware tactics.

Background

In May 2021, Conti, a Russia-linked ransomware group, compromised the HSE’s IT systems, affecting 80,000 devices across hospitals and healthcare facilities. The attack disrupted patient care, delayed treatments, and exposed sensitive medical data.

Attack Mechanics

  1. Initial Access: Conti likely exploited a vulnerability in Microsoft Exchange Server (CVE-2021-26855) or used phishing to gain a foothold.

  2. Data Exfiltration: Attackers stole 700 GB of sensitive data, including patient records, staff details, and financial information.

  3. Encryption: Conti deployed ransomware to encrypt critical systems, rendering electronic health records and diagnostic tools inaccessible.

  4. Ransom Demand: Conti demanded $20 million to decrypt the systems and prevent data leaks. They published a sample of stolen data on their leak site to pressure the HSE.

Response and Impact

The Irish government refused to pay the ransom, citing policy against funding criminal activity. Instead, the HSE collaborated with cybersecurity firms and international law enforcement to mitigate the attack. Conti eventually provided a decryption key for free—possibly due to public backlash—but continued to threaten data leaks.

The attack cost the HSE over €100 million in recovery efforts, disrupted healthcare services for months, and compromised patient privacy. The incident highlighted the societal impact of double extortion, as leaked medical data posed risks of identity theft and fraud for affected individuals.

Lessons Learned

The HSE attack underscores the need for robust cybersecurity measures, including:

  • Regular patching and vulnerability management.

  • Employee training to recognize phishing attempts.

  • Offline, encrypted backups to enable recovery without payment.

  • Incident response plans that address data breaches and system restoration.

Mitigating Double and Triple Extortion

Organizations can reduce the risk of ransomware by adopting a multi-layered defense strategy:

  1. Prevention: Implement endpoint detection and response (EDR) tools, firewalls, and intrusion detection systems. Enforce strong password policies and multi-factor authentication (MFA).

  2. Backup and Recovery: Maintain regular, offline backups tested for integrity. Segment networks to limit ransomware spread.

  3. Incident Response: Develop and test ransomware response plans, including communication strategies for stakeholders. Engage legal counsel to navigate regulatory obligations.

  4. Threat Intelligence: Monitor dark web forums and leak sites for stolen data. Collaborate with industry peers to share threat indicators.

  5. Cyber Insurance: Evaluate policies to ensure coverage for extortion scenarios, but avoid over-reliance on insurance to deter attacks.

Conclusion

The evolution of ransomware from single to double and triple extortion reflects the adaptability and sophistication of cybercriminals. Double extortion leverages data exfiltration to amplify pressure, while triple extortion escalates threats by targeting third parties or launching DDoS attacks. The Conti attack on Ireland’s HSE exemplifies the real-world consequences of these tactics, highlighting the need for proactive cybersecurity measures. As ransomware continues to evolve, organizations must prioritize resilience, combining technical defenses, employee awareness, and robust incident response to mitigate the growing threat.

5 Ways To Get Taken by Fake Check

Fake check scams are the most pervasive fraud in America, hitting virtually every demographic group with some permutation of the same clever con, according to the National Consumers League.

“Fake check scams are an equal opportunity fraud,” says John Breyault, director of the National Consumers League Fraud Center. “Scam artists are savvy, networked and know every button to push to get consumers from all walks of life to fall for their schemes.”

There are multiple permutations of the same con. But the basic way it works is this: You get a check for a relatively large amount of money and are asked to refund or pass on a portion of the amount to the sender or a third party. By the time you find out that the check is fake, your money is long gone.

The typical victim loses between $3,000 and $4,000 in the scam, says Susan Grant, director of consumer protection at the Consumer Federation of America. “Once you send money to a crook, it’s almost impossible to get back.”

Tragically, the scam works partly because of common misunderstandings about how banks clear checks. Financial institutions are required by federal law to give you credit for checks deposited in your account within a set number of days. The precise timing depends on whether the check issuer is local, national or international. Most consumers assume that when the bank makes the funds available, it has determined that the check is good. But that’s not the case.

It can take weeks to discover a good forgery. At that point, the bank will reverse the credit it gave you for the fake check and you’re on the hook for any checks you wrote against it. Worse, many banks will consider you the crook, close your account for “suspicious activity” and enter your name into a database that will make it more difficult to open another bank account, says Grant.

Consumer experts have been warning about this growing con for years. And yet, the crooks are so clever and convincing that they are believed to have conned more than 1.3 million people. Here are the five most common ways that they do it, and the tip-offs that help you know it’s a scam.

Mystery shopper: You’re looking for a job and answer an advertisement for mystery shoppers. The company sends you a check supposedly to cover the items you’ll be buying and to “test” Western Union’s services. You get to deduct your pay from the check too.

Tip-offs that this is a scam?

1. The check is for more than $1,000 and the company says you can keep a $200 or $300 fee for the job. Real mystery shoppers get paid $10 to $25 per job.

2. They paid in advance. Legitimate mystery shopping jobs pay only after you’ve turned in your review.

3. Review Western Union? If the con artists were to be believed, Western Union would be the most mystery-shopped company in the world. They want you to use Western Union because sending this draft is the same as sending cash. Once it leaves your hands, it’s gone.

Sweepstakes: You have won an international lottery! Congratulations! Here’s a $20,000 check for just a portion of your winnings. To claim the additional hundreds of thousands of Euros or dollars that you’ve won, all you have to do is send a personal check for the taxes due on your winnings.

Tip-offs that this is a scam?

1. You didn’t enter an international lottery. (I swear, you would remember if you did.)

2. Taxes are collected after you receive income, not before.

3. Governments collect taxes, not lotteries.

Account manager: You’ve been hired as the account manager at a major international distributor. You can work at home. Your only responsibility is to handle remittances. You get checks, deposit them into your own account and pass them on, subtracting your fee. Your fee is substantial.

Tip-offs?

1. International corporations have no problem opening their own bank accounts. Why do they need you to use yours? Oh...because they’re not an international corporation and if they used their own accounts, they couldn’t steal your money.

2. Jobs that require very little work for high pay don’t exist unless you’re a corporate Chief Executive Officer. And to get a job as a CEO, you need to know how to golf.

Overpayment: You are selling your car/puppy/chest-of-drawers and have placed an advertisement on the internet. You get contacted by somebody who just loves English Bull Terriers (or whatever you’re selling) and is desperate to pay full price. Just one problem. The buyer is from overseas; hasn’t yet opened a U.S. bank account; and can only pay with a third-party check — maybe even a paycheck. If you take that check and deposit it, you can pay yourself and just give them cash for the overpayment, right?

Tip-offs?

1. Opening a bank account with a paycheck is pretty dang easy. It might take a few hours, but the Bull Terriers can wait. If you cash this check, you are the bank and you have your first bad debt. (Congratulations. Maybe you can apply for a government bail-out.)

2. Your Bull Terriers are clearly the cutest in the world, but there are others in the world — even others in your state/city/county. Your buyer is generating a sense of urgency — I’ve got to have one and I’m afraid they’ll all be sold before I get my account opened! — just to scam you. Tell them to let you know when their account is opened, and you’ll put them on the list to have first pick of the next litter if this litter is, indeed, all spoken for by the time their bank account is opened.

Grant: You get an official looking letter saying that you have won a $100,000 grant from the government or some foundation. But to claim the grant money, you need to send a “processing fee.”

Tip-offs?

1. You didn’t apply for a grant.

2. You are not a scientist.

3. Government agencies and foundations that provide grants send you money. They don’t ask you to send them money (unless they’re soliciting donations…and that’s not the kind of letter you got).

Protect yourself against cyber attacks

A cyber-attack is an attempt by an individual or group to obtain unauthorized access to a computer network or system. It may be executed for financial gain, to obtain data, or to damage the reputation of an individual or entity. Cyber-attacks are a growing concern in the financial services sector. In 2015, 8.5 million Canadian consumers were affected by cybercrime (Norton Cyber Security Insights Report 2016).

The financial services industry is shifting toward online products that make it easier for people to do business. But portals, online applications and mobile apps increase the ways in which cyber-attacks can occur against consumers.

FSCO’s regulated sectors, such as insurance providers, mortgage brokerages and pension plans, have a responsibility to protect information and provide a safe online environment for consumers. This includes implementing policies and processes that help prevent cybercrime and lay out the steps to take if a cyber-attack takes place.

However, criminals are finding new ways to steal confidential information even from those who are diligent in protecting their online profile. If you deal with any financial service organization online, it is important to be aware of the risks involved and the steps you can take to protect yourself.

What do cyber-attacks look like?

Some cyber-attacks may seem obvious to you, such as suspicious emails, but others can be hard to detect. Some of the most common ways criminals try to steal your information include:

  • Hacking: cyber criminals gain access to your device or an organization’s information technology systems to steal your information
  • Malware: viruses, spyware or adware are placed on your device to steal your information
  • Pharming: cyber criminals redirect an organization’s legitimate website to a similar-looking website that captures the information you enter
  • Phishing: fake emails, text messages and websites asking for your information, such as your social insurance number (SIN)
  • Spam: mass distribution of unwanted messages to you or from you to your contact list
  • Wi-Fi Eavesdropping: captures your online activity over an unsecure Wi-Fi network

How can you reduce the risks of a cyber-attack?

Practicing regular reviews of your online profile can reduce your exposure to cyber-attacks. Simple steps you can take – such as using strong passwords, changing passwords regularly for each of your devices and services, and updating software to the latest version – may address up to 80 per cent of the risk of compromises due to cyber-attacks (Insurance Institute, 2015). Other things you can do include:

  • Start a discussion with your financial service providers so you understand how your information is kept safe.
  • Avoid using public Wi-Fi when dealing with financial service providers and opt for an encrypted or secure connection. Turn off Wi-Fi and Bluetooth settings when you are not using them.
  • If you receive an email from a financial service provider asking for information, give them a call (on a number not given in the email) to confirm it is legitimate. When in doubt, delete it.
  • Use safe payment options, such as credit cards, when making purchases online. Avoid using money transfers – this is not a common practice in the financial services industry.
  • Find other tips and resources on Public Safety Canada’s website, Get Cyber Safe.

Tactics used in Advance fee fraud

Perpetrators of an Advance Fee Fraud (AFF) can be very creative and innovative. These schemes can use the following tactics:
  • An individual or company receives a letter or fax from an alleged “official” representing a foreign government or agency;
  • An offer is made to transfer a sum of money, possibly millions of dollars in “over invoiced contract” funds, into the individual or company’s bank account;
  • There may be an encouragement to travel overseas to complete the transaction;
  • Blank company letterhead, forms, bank account information, telephone/fax numbers and other personal information may be requested;
  • Perpetrators provide numerous documents with official looking stamps, seals and logos testifying to the authenticity of the proposal;
  • Up-front or advance fees for various taxes, attorney fees, transaction fees or bribes are requested;
  • In some cases, perpetrators may send nominal amounts of money to the intended victim, in order to establish his/her confidence;
  • Once the perpetrators have received an initial up-front fee, requests to invest additional funds to complete the transaction follow;
  • Other forms of schemes include: c.o.d. of goods or services, real estate ventures, purchases of crude oil at reduced prices, beneficiary of a will, beneficiary of a life insurance policy, recipient of an award and paper currency conversion.
Consumers who are contacted by an off-shore perpetrator of an AFF scam are advised not to respond to the inquiry.

Identity information

403

(1) Everyone commits an offence who fraudulently personates another person, living or dead,

  • (a) with intent to gain advantage for themselves or another person;
  • (b) with intent to obtain any property or an interest in any property;
  • (c) with intent to cause disadvantage to the person being personated or another person; or
  • (d) with intent to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice.

Marginal note: Clarification

(2) For the purposes of subsection (1), personating a person includes pretending to be the person or using the person’s identity information — whether by itself or in combination with identity information pertaining to any person — as if it pertains to the person using it.

Marginal note: Punishment

(3) Everyone who commits an offence under subsection (1)

  • (a) is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years; or
  • (b) is guilty of an offence punishable on summary conviction.

Section 402 - Fraudulent Misrepresentation

Identity theft

402.2

(1) Everyone commits an offence who knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

Marginal note: Trafficking in identity information

(2) Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

Marginal note: Clarification

(3) For the purposes of subsections (1) and (2), an indictable offence referred to in either of those subsections includes an offence under any of the following sections:

  • (a) section 57 (forgery of or uttering forged passport);
  • (b) section 58 (fraudulent use of certificate of citizenship);
  • (c) section 130 (personating peace officer);
  • (d) section 131 (perjury);
  • (e) section 342 (theft, forgery, etc., of credit card);
  • (f) section 362 (false pretence or false statement);
  • (g) section 366 (forgery);
  • (h) section 368 (use, trafficking or possession of forged document);
  • (i) section 380 (fraud); and
  • (j) section 403 (identity fraud).

Marginal note: Jurisdiction

(4) An accused who is charged with an offence under subsection (1) or (2) may be tried and punished by any court having jurisdiction to try that offence in the place where the offence is alleged to have been committed or in the place where the accused is found, is arrested or is in custody. However, no proceeding in respect of the offence shall be commenced in a province without the consent of the Attorney General of that province if the offence is alleged to have been committed outside that province.

Marginal note: Punishment

(5) Everyone who commits an offence under subsection (1) or (2)

  • (a) is guilty of an indictable offence and liable to imprisonment for a term of not more than five years; or
  • (b) is guilty of an offence punishable on summary conviction.

Section 184 - Wiretapping Laws in Canada

Interception

184

(1) Every one who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years.

Marginal note: Saving provision

(2) Subsection (1) does not apply to

  • (a) a person who has the consent to intercept, express or implied, of the originator of the private communication or of the person intended by the originator thereof to receive it;
  • (b) a person who intercepts a private communication in accordance with an authorization or pursuant to section 184.4 or any person who in good faith aids in any way another person who the aiding person believes on reasonable grounds is acting with an authorization or pursuant to section 184.4;
  • (c) a person engaged in providing a telephone, telegraph or other communication service to the public who intercepts a private communication,
    • (i) if the interception is necessary for the purpose of providing the service,
    • (ii) in the course of service observing or random monitoring necessary for the purpose of mechanical or service quality control checks, or
    • (iii) if the interception is necessary to protect the person’s rights or property directly related to providing the service;
  • (d) an officer or servant of Her Majesty in right of Canada who engages in radio frequency spectrum management, in respect of a private communication intercepted by that officer or servant for the purpose of identifying, isolating or preventing an unauthorized or interfering use of a frequency or of a transmission; or
  • (e) a person, or any person acting on their behalf, in possession or control of a computer system, as defined in subsection 342.1(2), who intercepts a private communication originating from, directed to or transmitting through that computer system, if the interception is reasonably necessary for
    • (i) managing the quality of service of the computer system as it relates to performance factors such as the responsiveness and capacity of the system as well as the integrity and availability of the system and data, or
    • (ii) protecting the computer system against any act that would be an offence under subsection 342.1(1) or 430(1.1).

Marginal note: Use or retention

(3) A private communication intercepted by a person referred to in paragraph (2)(e) can be used or retained only if

  • (a) it is essential to identify, isolate or prevent harm to the computer system; or
  • (b) it is to be disclosed in circumstances referred to in subsection 193(2).

Section 342 - Criminal Law in Canada

Theft, forgery, etc., of credit card

342

(1) Every person who

  • (a) steals a credit card,
  • (b) forges or falsifies a credit card,
  • (c) possesses, uses or traffics in a credit card or a forged or falsified credit card, knowing that it was obtained, made or altered
    • (i) by the commission in Canada of an offence, or
    • (ii) by an act or omission anywhere that, if it had occurred in Canada, would have constituted an offence, or
  • (d) uses a credit card knowing that it has been revoked or cancelled,

is guilty of

  • (e) an indictable offence and is liable to imprisonment for a term not exceeding ten years, or
  • (f) an offence punishable on summary conviction.

Marginal note: Jurisdiction

(2) An accused who is charged with an offence under subsection (1) may be tried and punished by any court having jurisdiction to try that offence in the place where the offence is alleged to have been committed or in the place where the accused is found, is arrested or is in custody, but where the place where the accused is found, is arrested or is in custody is outside the province in which the offence is alleged to have been committed, no proceedings in respect of that offence shall be commenced in that place without the consent of the Attorney General of that province.

Marginal note: Unauthorized use of credit card data

(3) Every person who, fraudulently and without colour of right, possesses, uses, traffics in or permits another person to use credit card data, including personal authentication information, whether or not the data is authentic, that would enable a person to use a credit card or to obtain the services that are provided by the issuer of a credit card to credit card holders is guilty of

  • (a) an indictable offence and is liable to imprisonment for a term not exceeding ten years; or
  • (b) an offence punishable on summary conviction.

Marginal note: Definitions

(4) In this section,

personal authentication information means a personal identification number or any other password or information that a credit card holder creates or adopts to be used to authenticate his or her identity in relation to the credit card; (authentifiant personnel)

traffic means, in relation to a credit card or credit card data, to sell, export from or import into Canada, distribute or deal with in any other way. (trafic)

Wire Fraud

The federal statute on wire fraud is Title 18, United States Code, Section 1343. Congress passed the wire fraud statute in 1952 as part of the Communications Act Amendment. The law against mail fraud was already on the books at that point, but Congress wanted to extend the mail fraud provisions to cover new technology.

Like the mail fraud statute, the law against wire fraud prohibits any scheme or artifice to defraud that uses wire, radio, or television communication in interstate commerce. In 1956, Congress broadened the scope of the wire fraud statute to include transmissions in foreign commerce.

The elements of wire fraud are the same as those of mail fraud. In order to convict the defendant, federal prosecutors have to prove all of the following beyond a reasonable doubt:

  1. A scheme to defraud or obtain money or property by fraudulent pretenses.
  2. Intent.
  3. The making of materially false representations.
  4. Transmission by wire, radio, or television communication in interstate or foreign commerce.

The United States Attorney is not required to establish that the wire, radio, or television transmission was critical to the scheme. Rather, the transmission element is more like a jurisdictional element. The transmission in interstate commerce is what gives federal court jurisdiction over the scheme. Without the transmission, the scheme would be prosecutable in state court.

The venue for prosecution under 18 USC 1343 is basically any district where either the transmission began or ended. The venue statute, 18 USC 3237, provides that venue is proper in any district in which the offense began, continued, or was completed.

Wire fraud is a felony offense under federal law. The penalty can be 20 years imprisonment. However, where the victim of the wire fraud was a financial institution (e.g., a bank), the sentence is enhanced. In these cases, the sentence can be 30 years in federal prison.

CAN-SPAM Act

Do you use email in your business? The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.

Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law.

Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $40,654, so non-compliance can be costly. But following the law isn’t complicated. Here’s a rundown of CAN-SPAM’s main requirements:

  1. Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
  2. Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
  3. Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
  4. Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
  5. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
  6. Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
  7. Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.