Insider Threat Matrix™
  • ID: MT012
  • Created: 22nd May 2024
  • Updated: 25th April 2025
  • Contributor: The ITM Team

Coercion

A subject is persuaded against their will to access and exfiltrate or destroy sensitive data, or conduct some other act that harms or undermines the target organization. 

Subsections (8)

ID Name Description
MT012.004 Emotional Vulnerability

A subject’s emotional state is exploited by a malicious third party, particularly during periods of heightened stress, grief, or personal hardship. The third party leverages this vulnerability to manipulate the subject into revealing sensitive information or performing actions that could compromise the organization.

MT012.006 Long-Term Relationship Building

A malicious third party gradually builds a relationship with the subject over an extended period, slowly gaining their trust. This trust is then exploited to access sensitive information or systems, often without the knowledge of the subject.

MT012.002 Non-Violent Threats and Intimidation

The subject acts under coercion stemming from threats that target reputation, professional standing, financial stability, or exposure of personal secrets. These threats may be digitally delivered. While these actions stop short of threatening physical harm, they can exert intense psychological pressure, particularly when the subject believes their career, relationships, or public image are at imminent risk.

This type of coercion may originate from:

  • Former colleagues, romantic partners, or adversarial insiders with access to sensitive personal or professional material.
  • Political actors who have a political agenda against the subject's workplace.
  • External criminal actors (or hacktivist groups) who have compromised a personal account or acquired compromising data (e.g., via credential leaks or private messages).

Unlike ideological motivation or personal gain, this behavior is driven by fear of exposure or ruin, not alignment with the threat actor’s objectives. Subjects may act reluctantly, leave minimal technical traces of coordination, and revert to baseline behavior once the coercive force is removed.

MT012.003 Psychological Manipulation

A third party uses deception, exploitation, or other unethical methods to psychologically manipulate a subject over time, with the intent to influence their perceptions, actions, and decisions. This manipulation can lead the subject to, knowingly or unknowingly, act against the organization’s interests.

MT012.005 Romantic Seduction

A malicious third party employs romantic interest or seduction as a manipulation tactic. Through emotional and psychological engagement, the third party persuades the subject to reveal confidential information, grant access to restricted resources, or carry out actions detrimental to the organization.

MT012.007 Sexual Extortion

A subject is extorted by a third party threatening to expose sexual or indecent images connected to them, a tactic commonly referred to as sextortion. These may be real images obtained by a third party, AI-generated ‘deep fake’ images resembling the subject, or entirely fabricated claims. The extortion is typically financially motivated, which can drive the subject to harm the organization for personal gain. Alternatively, the third party may coerce the subject into compromising the organization by revealing sensitive information or granting unauthorized access.

MT012.001 Social Engineering (Inbound)

A third party deceptively manipulates and/or persuades a subject to divulge information, to gain access to devices or systems, or to otherwise cause harm to or undermine a target organization.

MT012.008 Threats of Violence or Physical Harm

The subject is coerced by a third party into harmful or otherwise policy-violating activity through explicit or credible threats of violence, either directed at themselves or at others (e.g., family members, colleagues). This type of coercion often includes real-world intimidation, such as direct verbal or written threats, or more ambiguous references that imply the actor possesses the means or knowledge to inflict physical harm.

Examples may include:

  • Stated intent to harm the subject’s family unless a system is accessed or data is provided.
  • Demonstrations of knowledge of personal routines or addresses.
  • Implied physical threat (“We know where you work.” / “Think about your daughter.”) intended to coerce compliance.

In some cases, the coercive actor may belong to or adopt the tactics and posture of organized crime groups or hybrid cyber-physical groups, lending credibility to the threat. The subject’s response may be reluctant, sudden, and inconsistent with previous behavior, reflecting actions taken under acute psychological and physical duress.

This motive reflects extreme coercion and requires careful investigative sensitivity. It may also intersect with criminal law, necessitating immediate coordination with internal legal teams, law enforcement, and/or protective services. In almost all such cases, the organization has a duty to treat the subject as a victim of crime.