Sextortion is one of those portmanteau words I dislike for linguistic reasons but also because it describes a plain nasty thing. Defined as extorting money by threatening to publicize evidence of sexual activity, sextortion has become a staple of the scamming fraternity. Let me be clear, this article is not about grooming, online predators and the like: this article is only about the type of sextortion ‘blackmail’ scams sent by email.

Both my junk email folder and the sheer number of pleas for assistance I have been getting recently suggest that the “I’m a hacker with your passwords and your porn” and “I’m a hacker and I’ve infected your computer with malware” scammers are currently back with a vengeance. It’s easier said than done when panicked, I readily admit, but my advice is to keep calm and consider the triple negative reality: no, they are not an elite hacker; no, they haven’t got access to your passwords or system; and no, they have not recorded you watching porn.

What does a sextortion scam look like?

Of course, there will always be the slightest chance that a sextortion scam is actually genuine, but in many years of experience with this genre, I cannot say I have ever come across one. This isn’t to say that extorting someone with the threat of exposing sexual activity doesn’t exist; it very much does. But, most often, the real threat comes from someone you know and trust. The scammers, however, follow a templated methodology designed to invoke fear and a knee-jerk ‘pay to make it go away’ response.

Here is a typical sextortion email that I received recently.

In fact, if they were some kind of criminal hacker who had compromised your password and your systems/accounts, they would put that to far more profitable use. Think about it: like any volume scam, the perpetrator is hoping that at least one of the victims is a watcher of porn and will immediately fall for a claim that their computer has been hacked. Rather than hope someone takes the bait and pays the $1,000 or whatever is demanded, the real criminal would aim higher. Access to your system and passwords, access to your email account, and access to your financial accounts all offer a far greater potential reward.

And that’s before even considering the ‘lock it all down with ransomware’ approach.

Where did the ‘hacker’ get my password?

It’s the lack of evidence that should be the biggest giveaway that such scams are fake, but the scammers often manage to sow that seed of doubt by revealing a password of yours that is genuine. How can they do this if they are not a genuine hacking genius? Simply, they go to one of the many criminal forums that have databases of breached credentials and use one of these. These also give the scammer the email address, most often used as the username, at which to target the sextortion scam. The recipient, most likely not using a password manager to create unique, random, and lengthy passwords for every site used, could well recognize the password, and so the bait is swallowed. That it’s the password for some service you no longer use, or were forced to change once the breach was disclosed, matters not. That familiarity, particularly if you use similar passwords across services, is all that’s needed to sow the seed of doubt and make what follows believable.

But what about malware infection, isn’t that possible? Yes, it is. However, malware that can record keystrokes, grab screens or whatever is, again, unlikely to be used to perpetrate a crime such as this. There is far more money, and far greater chance of success, in using malware to obtain data other than such a recording.

A complete lack of evidence

So, why do I mention the lack of evidence? Simply because there will be none presented as the scammer has none. They will say that they have recorded you watching porn; the emails I have received most recently all claim to have a split-screen video of the porn being watched and me ‘enjoying’ watching it. It is these recordings that will be made public, they say. Yet they also say not to respond to the email as it’s from a ‘hacked account’ and won’t be answered, just to pay the demanded amount to a cryptocurrency wallet.

What’s missing here? Yes, evidence. If I were to try blackmailing someone, then I’d include at least some evidence with my demand. In the case of sextortion, that would be a short clip of the described nature, clearly showing you watching porn. “I have much more of this and will send it to all your contacts” would likely work much better than just “I will send the video I claim, but offer no proof, to have.”

Sometimes, the so-called master hacker will bulk up the password claims with claims that they have hacked your webcam and have been controlling it for weeks. But even if this were the case, and there are certainly plenty of cheap third-party webcams that are less than secure, would you trust such a criminal to delete the supposed footage after paying up? And, again, there’s the evidence or lack of it to take into account.
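
As an added illustration (not part of the original article), the template described above can be turned into a simple triage check for a mail filter or helpdesk queue. The indicator names, the sample message, the password and the wallet address are all constructed assumptions, and the absence of any attachment is used as a rough proxy for "no evidence offered".

```python
import re
from email import message_from_string

# Indicators taken from the scam template the article describes.
INDICATORS = {
    "recording_claim": re.compile(r"\b(record(ed|ing)|split[- ]screen|webcam)\b", re.I),
    "compromise_claim": re.compile(r"\b(malware|infected|hacked)\b", re.I),
    "no_reply": re.compile(r"\b(do not|don't) (reply|respond)\b", re.I),
    "crypto_payment": re.compile(r"\b(bitcoin|btc|cryptocurrency|wallet)\b", re.I),
    # Shape check only: legacy Base58 or bech32 Bitcoin address.
    "wallet_address": re.compile(
        r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-z]{25,60})\b"),
}
REQUIRED = {"recording_claim", "crypto_payment", "no_proof_attached"}

def analyse(raw_email, breached_passwords=()):
    """Return the set of template indicators found in one raw message."""
    msg = message_from_string(raw_email)
    parts = list(msg.walk())
    body = "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")
    hits = {name for name, rx in INDICATORS.items() if rx.search(body)}
    # A password already known from an old breach is the usual "proof".
    if any(pw and pw in body for pw in breached_passwords):
        hits.add("quotes_breached_password")
    # Assumption: no attachment at all means no evidence was offered.
    # Attachments are only detected here, never opened.
    if "recording_claim" in hits and not any(p.get_filename() for p in parts):
        hits.add("no_proof_attached")
    return hits

def is_template_sextortion(hits):
    return REQUIRED <= hits

# Constructed sample message; address and password are made up.
SAMPLE = """\
From: sender@example.com
To: recipient@example.com
Subject: I know your secret

I know your password: hunter2. I infected your computer with malware and
recorded a split-screen video through your webcam. Do not reply to this
email, it was sent from a hacked account. Send $1,000 in Bitcoin to
1ExampLeConstructedAddressXXXXXXX or the video goes to all your contacts.
"""

if __name__ == "__main__":
    found = analyse(SAMPLE, breached_passwords=["hunter2"])
    print(sorted(found), is_template_sextortion(found))
```

Passing the recipient's own list of passwords known to be breached lets the check flag the "genuine password" hook without the filter needing access to any current credential.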

A three-step plan to deal with sextortion scams

So, to sum it all up, here’s my three-step guide to dealing with such sextortion scams:

1. Take a deep breath, do not respond, do not pay, and do not open any attachments.

2. Take a screenshot of the email. Report it. In the U.S., contact the local FBI field office or report online at the Internet Crime Complaint Center (IC3); in the U.K., report to your local police station or online via Action Fraud. You can also forward a copy of the email itself to ‘[email protected]’ in the U.K.

3. If you recognize a password that has been included, change it. Change it everywhere you use it. Better safe than sorry. If you recognize the password but can’t remember where you used it, then check the excellent and free Have I Been Pwned (https://haveibeenpwned.com/) database to see where passwords associated with your email address have been compromised and exposed. Then change it.

I’ll add a fourth, if I may, which is to scan your system for malware if this claim has been made. Free online scanners such as those from ESET and Malwarebytes are good starting points.
