Sextortion and similar cyber extortion schemes

by John Bandler

Sextortion is a type of cybercrime extortion where criminals blackmail and threaten to embarrass the victim, usually to steal money. There are different types of sextortion scams.

If you are a current victim of sextortion, read this first:

  • This is not the end of the world. You will get through this.
    • Some people have committed suicide because of these threats but that is never the answer
  • It may be a complete scam. You might have nothing to worry about. The criminals might not know any of your secrets.
  • You cannot trust an extortionist. Their statements and their promises are worthless.

To protect against becoming a victim of sextortion, do this:

  • Never take private photos of yourself, of intimate parts of your body
  • Never share with others private photos of yourself, of intimate parts of your body
  • Never ever share private pictures with strangers or people you met online
  • Improve your knowledge of technology and cybersecurity. Practice safe computing habits

Two types of sextortion

There are two main types of sextortion.

One is where the victim has voluntarily shared private pictures (e.g. naked selfies) with another person. Now that person extorts the victim, and threatens to distribute that private picture unless the victim does something: send more intimate pictures, or send money.

Another is where the cybercriminal contacts the victim (usually by email), and tells the victim that the cybercriminal has video of the victim doing very personal activities (e.g. masturbating) while visiting adult websites. The cybercriminal claims the victim's computer was infected with malware, the video camera was recording it all, and maybe other details to try convince the victim of the computer breach. The cybercriminal demands money (usually bitcoin or other cryptocurrency) or else they will distribute this private information to the world.

How the bulk email sextortion scam works

Here's how the scam works:

  1. Cybercriminal has a list of thousands or millions of email addresses, possibly with personal identifying information, and perhaps even old passwords.
  2. Cybercriminal emails all of these addresses, and says:
    • I put malware in your computer and can monitor everything you are doing, and can watch you through your camera,
    • I caught you surfing adult websites (porn),
    • I have records and video to prove it, including video of you doing some very personal things,
    • If you pay me money I won't tell anyone, nor post it anywhere,
    • If you don't pay me, I'll tell everyone, and post it publicly (very embarrassing for you).
  3. A percentage of these email recipients have in fact visited adult websites in the past. They get worried.
  4. A percentage of these email recipients believe the email may be a genuine threat, and consider paying the ransom. Many actually pay the ransom (that's what makes this scam profitable).

Takeaways for the bulk email sextortion scam

Here are the main takeaways for this scam:

1.  Learn more. Many of the people susceptible to this scam need to gain more knowledge about cybercrime and cybersecurity. This means they may be safe from this threat, but there are many other cybercrime events that might befall them. Consider reading my cybersecurity articles or cybersecurity book to improve your knowledge and skills. This is the first step to improve your security.

2. Your computer probably wasn't infected, but... Chances are good that this cybercriminal did not infect your computer with malware. But chances are good that your cybersecurity posture is not good, and that means risks for your computer, data, and networks. Your computer might be infected with malware (though probably unrelated to this particular criminal).

3. Chances are good you were not captured on video doing some very personal activities while surfing adult web sites.

4. Ease off the porn? You probably should not visiting those adult websites. It is risky computing activity with many malicious sites. Visiting one malicious website can get your computer infected with malware. I'm not saying every adult website will do this, but many are, especially those offering free--often pirated--content. Some adult websites may be operated securely and properly, but I am no expert on the genre or industry. My point is it is probably best avoid this risk to your computer altogether. And never subject a company or employer's computer to this risk, even if (especially if) it's your own company. There are a host of policy reasons why this is not appropriate computer usage.

Extortion is a crime

Generally, this cybercrime is extortion, which is a type of theft or attempted theft. You could report this to law enforcement, including to local or state authorities, or through the FBI's IC3 portal.

Where the victim knows the extorter, and the extorter actually has intimate photos, this is a more solvable case and should be investigated. More states are enacting revenge porn type laws which add another tool to law enforcement's arsenal.

As a general rule, people should not pay ransom or extortion. It feeds the criminal economy and makes the crime profitable. Furthermore, criminal extortionists generally cannot be trusted to keep their side of the "bargain". If they receive money they may be back in a week to demand more.

Sextortion has many varieties

Criminals who steal evolve in how they try to do this, including through extortion.

Predators who prey will evolve in how they will try to obtain compromising compromising photos or otherwise try to torment others.

Reduce your risk of becoming a victim

Here's another thought, touching on risk from multiple perspectives. We need to live our lives, and need to make decisions about what we do, and what we want to keep secret about what we do.

Main rules:

  • Don't take intimate photos of yourself.
  • Don't allow others to take intimate photos of you.
  • Never share intimate photos with anyone you met online.
  • Don't share intimate photos of others.

Meeting people online is always risky. We need to realize they may be deceptive about who they really are. Don't share intimate photos with someone you only know online.

Meeting people in the "real world" is risky too. There are no shortages of former intimate partners who then share intimate photos and videos, with the intent to embarrass their ex.

From an organization's information security and acceptable use perspective, viewing online pornography should be prohibited. It is a security risk and is otherwise not appropriate usage of organization assets. So that should be the rule to protect organization information assets.

Personal conduct that does not affect the organization is a different matter, more for personal choice and personal risk management.

This page is not to preach morals or dictate personal conduct. But viewing pornography can be a cybersecurity risk.

And there are some who say it is unhealthy for the viewer, and exploitative of the performers.

Still, risk management should be holistic, not narrowly focused on certain areas to the exclusion of all others. On the continuum of risk relating to the sexual conduct and activities of individuals, viewing online pornography may be relatively safe, compared to many much more risky activities in-person, including with strangers or loose acquaintances. Put differently, viewing an adult website has many risks but there can be ways to mitigate those risks and associated negative implications. But visiting that adult website is less risky than many in-person activities.

Conclusion

Protect yourself from falling victim to an extortionist. This means improving your knowledge and awareness on cybersecurity, and avoiding certain risky actions. Don't take nor share intimate photos.

If you are being extorted now, remain calm, contact authorities and consider private assistance. You probably should not pay any extortion. You will get through this. Suicide is never the answer.

Additional Reading

This article is hosted at https://johnbandler.com/sextortion. Copyright John Bandler, all rights reserved.

A version of this article is available on Medium.com, at https://johnbandler.medium.com/sextortion-and-similar-cyber-extortion-schemes-273ac09d156c (though perhaps not kept as current).

Originally published March 2019. Updated 2/28/2023.