Email Sextortion Scams: How Exposed are You?
Crystal last edited by
How it works…
The recipient receives an email from an unknown sender threatening to release embarrassing images or videos to family, friends, and contacts unless a ransom is paid. The sender claims that the compromising material was obtained by hacking the camera on the recipient’s device. To prevent its distribution, the recipient must pay a ransom in Bitcoin, a virtual currency with a high degree of anonymity, to a specified Bitcoin address within a limited timeframe. To make the scam more compelling, the fraudsters include one key piece of information intended to convince recipients that they have been compromised: an actual password associated with the recipient’s email address.
…but here’s the catch…
Generally speaking, the recipient’s device was never compromised, no embarrassing information was obtained, and the password supplied was most likely harvested by malicious actors from a third-party data breach. The scammers presumably matched databases of stolen email addresses and passwords, widely available for purchase on the dark web, and sent the semi-personalized phishing email to a large group of people. The emails are sent from a variety of addresses, including genuine Hotmail and Outlook accounts, which lets them bypass spam filters and land in the would-be victim’s inbox.
This scam has been relatively successful for two reasons: the inclusion of a legitimate email password, and the public’s general confidence in the technological capabilities of malicious actors online. First, the inclusion of a legitimate password gives the scam a measure of credibility, as it appears that an unknown party has access to the recipient’s user names and passwords. Second, it is plausible with current technology for a malicious actor to hack the camera on a device. This possibility, combined with the valid (albeit sometimes dated) password, is sufficient to intimidate some people into paying the ransom. Based on one firm’s monitoring of 770 Bitcoin wallets identified in connection with the scam, more than 1,000 payments have been made since July with a total value of approximately $500,000 (70.8 Bitcoin), though this is likely a conservative estimate.
It is important to note that this is an ongoing scam with multiple iterations. One low-tech version involves fraudsters sending physical letters through the postal service to individuals in affluent areas, making demands similar to those seen in the email version. Another conceivable iteration could involve scammers obtaining more recent or even current passwords and combining them with other personal data available online to develop more targeted messages, convincing more recipients that they are the victim of a genuine hack. Because scammers have already achieved some monetary success with this tactic, it is likely that they will find new ways to exploit data obtained through breaches, including email addresses and passwords, to extort victims.
Other iterations of sextortion
Sextortion is a crime that occurs when a malicious actor threatens to distribute a victim’s private and sensitive material unless they comply with demands, which could include providing images, favors, or money. In one iteration, perpetrators threaten to release sensitive files that have been obtained from a victim’s personal electronic devices unless they comply with the perpetrator’s demands. In another form, sometimes called webcam blackmail, online malicious actors lure victims into an actual compromising situation on a webcam, and then secretly record a video. The actor will then threaten to release the video publicly unless a payment is made.
How to protect yourself
Do not pay the ransom. The FBI and other law enforcement and cybersecurity organizations recommend that recipients of these emails not pay a ransom, as paying encourages malicious actors to continue such schemes and may embolden scammers to target the individual again, since they appear susceptible to blackmail or fraud.
If the password identified in the email is still in use, stop using it and immediately change it on all associated accounts. New passwords should be unique, long, and strong. Consider the use of a password manager to create and store complex passwords (see OSAC report: Protecting Accounts with a Password Manager).
Use a trusted website, such as HaveIBeenPwned, to determine your level of public exposure stemming from third-party data breaches (See OSAC report: Have your online credentials been pwned (compromised)?).
Do not email or communicate with the fraudster or with any unsolicited email senders, and never provide personal information via email.
Enable multi-factor authentication.
Cover and/or turn off device cameras when not in use.
Do not send compromising images of yourself or store them on personal devices.
Ensure settings for social media accounts provide the highest levels of security.
Scan all attachments, and do not open attachments from people you do not know.
If you believe you have been a victim of this scam, contact your local FBI office and file an online complaint with the IC3. Provide all relevant information in the complaint, including the extortion e-mail, information in the email header, and Bitcoin address, if available.
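The HaveIBeenPwned recommendation above can be automated without ever sending a password off the device. Have I Been Pwned’s Pwned Passwords service uses a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the returned list of hash suffixes locally. The following script is an added example written for this page, not code from OSAC or from Have I Been Pwned; the range endpoint URL is the real one, but the sample range response embedded in the script is constructed so that the example runs offline, and the function and variable names are the author’s own choices.

```python
import hashlib
from typing import Callable, Tuple

# Real Have I Been Pwned "Pwned Passwords" range endpoint. Only the first five
# hex characters of the SHA-1 hash are ever sent to it (k-anonymity).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_split(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the 5-char
    prefix that goes over the wire and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 when the suffix is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in known breach corpora, using the
    supplied fetcher (offline sample or live HTTP) to do the range lookup."""
    prefix, suffix = hash_split(password)
    return parse_range_response(fetch_range(prefix), suffix)


# Constructed sample of a range response (not real API data). It includes the
# suffix of SHA-1("password") so that the offline demo produces a match.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
"""


def fetch_range_offline(prefix: str) -> str:
    """Stand-in fetcher for the demo; returns the constructed sample above."""
    return SAMPLE_RANGE_RESPONSE


def fetch_range_live(prefix: str) -> str:
    """Live fetcher for real use (needs network); the service asks callers to
    identify themselves with a User-Agent header."""
    import urllib.request
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "sextortion-exposure-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Swap fetch_range_offline for fetch_range_live to query the real service.
    for pw in ("password", "a-long-unique-passphrase-nobody-else-uses"):
        print(pw, "->", pwned_count(pw, fetch_range_offline))
```

A count greater than zero means the password appears in a public breach dump and should be treated exactly like the password quoted in a sextortion email: stop using it everywhere and replace it with a unique one from a password manager. Because only the five-character prefix leaves the machine, the lookup reveals nothing useful about the password itself to the service or to anyone watching the connection.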
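The reporting step above asks for the email header details and the Bitcoin address. The script below is an added example, written for this page and not taken from OSAC, the FBI, or the IC3, that pulls those items out of a raw message so they can be pasted into a complaint: the sending address, the Reply-To (flagged when its domain differs from the sender’s), the Received chain with the relay IPs in the order the headers appear, any Bitcoin addresses in the body, and the demanded amount. The sample message, its IPs, and the Bitcoin address are all constructed placeholders that merely pass the format checks; they are not indicators from any real campaign.

```python
import json
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample message (not a real scam email). Every header value, IP
# address and the Bitcoin address are fabricated for this demo.
SAMPLE_EMAIL = """\
Received: from relay.sender.example (relay.sender.example [192.0.2.10])
    by mx.victim.example with ESMTP id abc123; Mon, 1 Oct 2018 09:15:02 +0000
Received: from [198.51.100.7] by relay.sender.example; Mon, 1 Oct 2018 09:14:58 +0000
From: "Unknown" <sender@example.com>
Reply-To: other@example.net
To: victim@example.org
Subject: victim - hunter2
Date: Mon, 1 Oct 2018 09:14:50 +0000
Message-ID: <constructed-0001@example.com>

I know hunter2 is your password. Send 0.3 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 within 48 hours.
"""

# Legacy Base58 addresses (1... / 3...) and Bech32 addresses (bc1...).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
BTC_AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoins?)\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _body_text(msg) -> str:
    """Plain-text body, preferring text/plain for multipart messages."""
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain", "html"))
        return part.get_content() if part is not None else ""
    return msg.get_content()


def triage(raw_message: str) -> Dict[str, object]:
    """Collect the reportable artifacts from a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = _body_text(msg)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    # Collapse folded Received headers onto one line each; the first header is
    # the hop nearest the recipient, the last is the one nearest the sender.
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    ips: List[str] = []
    for hop in received:
        for ip in IPV4_RE.findall(hop):
            if ip not in ips:
                ips.append(ip)
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    amount = BTC_AMOUNT_RE.search(body)
    return {
        "from_address": from_addr,
        "reply_to": reply_to,
        # A Reply-To pointing at a different domain is a common phishing tell.
        "reply_to_mismatch": bool(reply_to) and reply_domain != from_domain,
        "message_id": str(msg.get("Message-ID", "")),
        "subject": str(msg.get("Subject", "")),
        "received_chain": received,
        "received_ips": ips,
        "bitcoin_addresses": list(dict.fromkeys(BTC_ADDRESS_RE.findall(body))),
        "btc_amount": amount.group(1) if amount else None,
    }


if __name__ == "__main__":
    # Point this at a saved .eml file instead of the sample for real use.
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2))
```

Save the original message with full headers (most mail clients offer "show original" or "save as .eml") rather than a forwarded copy, since forwarding discards the Received chain that the complaint asks for. The script reads but does not act on the quoted password; if that password is still in use anywhere, change it before doing anything else.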