
Top 5
I am a hitman, hired to kill you, but I see you are a good man. If you pay me $5,000 I will cancel the job, otherwise I’m coming to your house to kill you and your wife.’ This message appeared one morning in a Chief Financial Officer’s inbox. Questions raced through his mind: Who sent this? Should I be worried? This was not the first time experts had seen such tactics, with similar cases appearing frequently each year.
Digital investigations confirmed the wording matched scripts sold on the dark web. The message lacked specific knowledge about the CFO – no names or addresses were mentioned. It was also established that his email had been compromised in a social media data breach. This was simply a scam targeting many victims, similar to ‘sextortion’ emails from previous years. Like many organisations, the CFO’s company lacked security resources to support staff in such situations.
Assessing threat credibility
For organisations without dedicated security resources, these moments can be unsettling. Threats can arrive via various channels: text messages (including WhatsApp, Signal), voice calls, emails, physical mail and social media. The priority is always assessing credibility before action. Anyone can make a threat, but do they mean it?
Threat actors span many categories: disgruntled employees or ex-employees, obsessed individuals, angry customers, or malicious troublemakers. For some leaders, the sheer volume of threats can quickly overwhelm them and their security teams – particularly those associated with politically divisive organisations. The targeted assassination of UnitedHealthcare CEO Brian Thompson in December 2024 was a stark reminder of the real threats faced by business leaders and high-profile individuals.
Handling digital threats
Threats must be assessed quickly, discounting those lacking credibility while focusing on individuals posing genuine physical harm. While easier said than done, effective triage is essential. Law enforcement primarily focuses on evidence collection rather than real-time threat assessment; the burden often falls on the organisation or individual to determine what requires urgent action.
In one instance, an organisation’s leadership faced a social media backlash sparked by a high-profile critic. Personal details were published alongside executives’ names, drawing thousands of comments – many explicitly threatening violence. Immediate security guidance was issued while a deeper assessment began, with the priority being staff safety.
A structured approach to threat assessment asks six key questions:
- What was said? Is the threat explicit or implied?
- What do they want? Is there an extortion demand, or are they purely making threats to harm?
- Who are they? What identifying information can be extracted (such as phone numbers, email addresses, metadata, etc)?
- What is the motive? Often financial, though when money is not mentioned, deeper reasons may exist.
- Do they have capability and intent? Can they carry out their threat, and do they mean what they say?
- What options exist for both victim and threat actor? What is likely to happen next, and how can the target be protected?
When handling mass digital threats, establishing capability is the first priority. In this case, all threatening accounts were identified, users geolocated, and historical activity analysed. The targeted executives were based in southern England, while the individuals behind the threats were largely outside the UK. Most were in the US and the geographically closest was in West Africa. Though travel remained theoretically possible, this context reduced the likelihood of a credible threat.
A crisis response consultant was mobilised to provide strategic advice on managing the situation while forensic research was conducted into the threat actors’ profiles, including image analysis to verify geolocation data. In select cases, psychological profiling is used to distil behavioural insights directly from threat language.
The evolving threat landscape
For organisations, taking proactive steps to monitor emerging risks can make a difference. Events like AGMs, financial disclosures, or leadership changes often trigger heightened threat activity. Early identification of high-risk individuals or groups allows for strategic monitoring, deploying safeguards before escalation occurs.
The modern threat landscape is evolving – becoming more personal, frequent and sophisticated. Responding effectively means finding a balance between urgency and rational decision-making. The right expertise can cut through the noise, enabling swift, informed action that ensures security without unnecessary alarm.