SEXTORTION SCAM
Have you ever received one of those emails that didn't really make sense but still made the hair stand up on the back of your neck? One of those could start with a message like: “Send bitcoin right away or else I am sending compromising photos or information to your friends and family.”
This is a new variation of an old scam: a little fear-inciting jolt that leaves you unsure what the scammer is talking about. Your mind races. How would they have anything I would not want exposed? What item or video could they have that I would want to hide? Then you think about the privacy of your own home. What device did they hack? Even if you know the claim is impossible and untrue, it is still very unsettling and a bit frightening. This new version of an old scam is called Sextortion, and it preys on your fear of the unknown.
How does this scam work?
The bad guy tells you they have hacked your device/computer and they will release embarrassing information. They don’t tell you what they have, only that they have something from your personal device. It could be photos, emails or text messages. Most of the time the bad guy vaguely threatens to release the information they have stolen to your employer, your friends and your family. Sometimes the bad guys describe details of what they allegedly have on you.
What is it that they want? They’ll tell you that to avoid having your personal items exposed to everybody, you have to pay them immediately using bitcoin.
Here’s the catch:
What would make you believe their claims are right when you know they can’t be? The scammer provides just enough information from one of your hacked accounts. Equifax, Target, Facebook, Marriott, MANY more! Mine was my old MySpace account. There are too many breached companies to list them all, but in all likelihood, some of your information has been stolen. That small amount of information adds credibility to their claim and makes you believe they may have something of yours that you want back. They’ll show an exposed password and/or your user name, which they purchased on the dark web. By matching your email address with passwords, they have enough information to make you a little frightened. The scammers assume a small percentage of their chosen victims will react and pay the extortion fee. It’s in the numbers: 1 million emails sent, 50,000 people get nervous, 5,000 pay the $1,000 ransom and they have a $5,000,000 payday. That's only a .5% response on the 1,000,000 emails sent for a HUGE payday.
The 50,000 nervous people have a jump in their fear level and start a Google search for how to purchase Bitcoin, or think about what the scammers could have. OK, DEEP BREATH. If you are like 99.5% of us, you know you're being scammed, but let us give you some advice in case you're still nervous. Don’t fall for it and don’t pay the ransom.
As proof, they may provide you with a legitimate username and password, most likely from an old account because those are the cheapest to obtain. Regardless of whether it is old or new, stop using the password they provided and change it immediately, especially if it is one of the 3 passwords you use. Using the same password will eventually lead the bad guys to an account that does have items you want to keep safe and private. If you use your password manager, it will assist you in changing that password as well as do a security search of your accounts for the same password. Change those as well. Rest assured, if the password they show you has been used to secure some of your other accounts, all of those accounts are also compromised. That is where the hair on the back of your neck should raise up.
If you really want to be secure and keep information private, use the two-factor authentication on your password manager. Also consider the advice below about covering your camera lens with a piece of tape, post-it note or slide cover.
What should you do if you get a Sextortion email?
Just because there is no real bite behind this scam doesn’t mean you should not take some sort of action. Use the extortion scam as a cue to protect yourself online. The Federal Bureau of Investigation (FBI) advises:
- Do not pay
- Do not respond to the email
- When opening unexpected attachments from people you know, use caution because their email addresses may have been spoofed
- Change your passwords often
- See if your other email addresses and passwords have been pwned or stolen
- Stop using the password immediately (and while you’re at it, update any old passwords; using a password manager, like LastPass, is fastest)
- Never ever send compromising photos of yourself to anyone unless you want everybody to see them.
- Don’t open attachments from strangers
- Turn off your computer’s camera or put a piece of tape over it when you’re not using it
I'll reiterate, DON’T reply to the email. The more you reply, the more likely you are to expose other items or information that they will use to manipulate you.