Sextortion and similar cyber extortion schemes
by John Bandler
Sextortion is a type of cybercrime extortion in which criminals threaten to embarrass the victim in order to extract money. There are different types of sextortion scams.
If you are a current victim of sextortion, read this first:
- This is not the end of the world. You will get through this. (Some people have committed suicide because of these threats)
- It may be a complete scam. You might have nothing to worry about.
- You cannot trust an extortionist. Their statements and their promises are worthless.
To protect against becoming a victim of sextortion, do this:
- Never take private photos of yourself, of intimate parts of your body
- Never share with others private photos of yourself, of intimate parts of your body
- Never share private pictures with strangers
- Improve your knowledge of technology, cybersecurity, and practice safe computing habits
Two types of sextortion
There are two main types of sextortion.
One is where the victim has voluntarily shared private pictures (e.g. naked selfies) with another person. That person then extorts the victim, threatening to distribute the private picture unless the victim does something, such as sending more intimate pictures or sending money.
Another is where the cybercriminal contacts the victim (usually by email) and tells the victim that the cybercriminal has video of the victim doing very personal activities (e.g. masturbating) while visiting adult websites. The cybercriminal claims the victim's computer was infected with malware, that the video camera caught it all, and perhaps provides other details to try to convince the victim that this special access is real. The cybercriminal demands money (usually bitcoin or other cryptocurrency), or else they will distribute this private information to the world.
How the bulk email sextortion scam works
Here's how the scam works:
- The cybercriminal has a list of thousands or millions of email addresses, possibly with personal identifying information, and even old passwords.
- The cybercriminal emails all of these addresses and says: (i) I put malware on your computer, can monitor everything you are doing, and can watch you through your camera; (ii) I caught you surfing adult websites (porn); (iii) I have records and video to prove it, including video of you doing some very personal things; (iv) if you pay me money I won't tell anyone or post it anywhere; (v) if you don't pay me, I'll tell everyone and post it publicly (very embarrassing for you).
- A percentage of these email recipients have in fact visited adult websites in the past.
- A percentage of these email recipients believe the email may be a genuine threat, and consider paying the ransom, or actually do pay it.
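The scam structure above lends itself to simple triage: the claims recur in every variant (compromise, webcam recording, adult sites, a cryptocurrency demand, a deadline or threat to distribute, and often a leaked old password as a lure). The following is an added example, not code from the original article, showing how a helpdesk or mail administrator might score reported messages on how many of those claim categories they contain. The patterns, the threshold, and all sample messages are constructed for illustration.

```python
"""Heuristic triage for bulk sextortion scam emails (added example).

Scores an email body by how many distinct claim categories it matches, rather
than by raw keyword count, so a legitimate IT notice mentioning "your password"
does not get flagged on one hit. All sample messages below are constructed.
"""
import re
from typing import Dict, List, Tuple

# One regex per claim category the scam relies on (assumed patterns, not a
# vendor rule set; tune to the mail you actually see).
INDICATORS: Dict[str, re.Pattern] = {
    "malware_claim": re.compile(
        r"\b(malware|trojan|spyware|keylogger|hacked|infected|full control)\b", re.I),
    "webcam_claim": re.compile(
        r"\b(webcam|web cam|camera|recorded|recording|video of you)\b", re.I),
    "adult_content": re.compile(
        r"\b(adult (web)?sites?|porn\w*|masturbat\w*|explicit)\b", re.I),
    "crypto_demand": re.compile(
        # the word, or something shaped like a bech32 / legacy bitcoin address
        r"\b(bitcoin|btc|bc1[ac-hj-np-z02-9]{25,60}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b",
        re.I),
    "threat_deadline": re.compile(
        r"\b(\d+\s*(hours?|days?)|contacts|friends|family|social media|everyone)\b", re.I),
    "password_lure": re.compile(
        r"\b(your password|password (is|was)|know your password)\b", re.I),
}

# Assumed threshold: three or more independent claim categories in one message.
FLAG_THRESHOLD = 3


def score_email(body: str) -> Tuple[int, List[str]]:
    """Return (number of categories matched, names of those categories)."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(body)]
    return len(hits), hits


def is_likely_sextortion(body: str) -> bool:
    score, _ = score_email(body)
    return score >= FLAG_THRESHOLD


def triage(messages: Dict[str, str]) -> List[str]:
    """Names of the messages that cross the threshold, for analyst review."""
    return [name for name, body in messages.items() if is_likely_sextortion(body)]


# Constructed samples: one scam in the style the article describes, one
# legitimate IT reminder that mentions passwords, one unrelated message.
SAMPLES: Dict[str, str] = {
    "scam": (
        "I know your password is hunter2. I placed malware on the adult website you "
        "visited and my trojan gave me full control of your computer. My software "
        "recorded video of you through your webcam while you watched porn. Pay 1500 "
        "USD in bitcoin to bc1q" + "x" * 30 + " within 48 hours or I send the video "
        "to all your contacts and family."
    ),
    "it_notice": (
        "Reminder: the quarterly phishing training is due Friday. If you think your "
        "password was exposed, reset it via the self-service portal."
    ),
    "benign": (
        "Hi, can we move tomorrow's camera crew meeting to 3pm? The video editor "
        "needs the conference room earlier."
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        score, hits = score_email(body)
        print(f"{name}: score={score} flagged={is_likely_sextortion(body)} hits={hits}")
```

A flagged message is a candidate for the "probably a bulk scam, do not pay" response described later in the article, not proof either way; the point of scoring by category is that the scam's claims always arrive together, while any one of them on its own is ordinary mail.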
Takeaways for the bulk email sextortion scam
Here are the main takeaways for this scam:
- Many of the people susceptible to this scam need to gain more knowledge about cybercrime and cybersecurity. This means they may be safe from this threat, but there are many other cybercrime events that might befall them. Consider reading my cybersecurity articles or cybersecurity book to improve your knowledge and skills. This is the first step to improve your security.
- Chances are good that this cybercriminal did not infect your computer with malware. But chances are good that your cybersecurity posture is not good, and that means risks for your computer, data, and networks. Your computer might be infected with malware (though probably unrelated to this particular criminal).
- Chances are good you were not captured on video doing some very personal activities while surfing adult web sites.
- You should probably not visit those adult websites. It is risky computing activity, with many malicious sites. Visiting one malicious website can get your computer infected with malware. I'm not saying every adult website will do this, but many do, especially those offering free (often pirated) content. Some adult websites may be operated securely and properly, but I am no expert on the genre or industry. My point is that it is probably best to avoid this risk to your computer altogether. And never subject a company or employer's computer to this risk, even if (especially if) it's your own company. There are a host of policy reasons why this is not appropriate computer usage.
Extortion is a crime
Generally, this cybercrime is extortion, which is a type of theft or attempted theft. You could report this to law enforcement, including to local or state authorities, or through the FBI's IC3 portal.
Where the victim knows the extorter, and the extorter actually has intimate photos, this is a more solvable case and should be investigated. More states are enacting revenge porn type laws which add another tool to law enforcement's arsenal.
As a general rule, people should not pay ransom or extortion. It feeds the criminal economy and makes the crime profitable. Furthermore, criminal extortionists generally cannot be trusted to keep their side of the "bargain". If they receive $X for their silence, they may be back in a week to demand more money.
Reduce your risk of becoming a victim
Here's another thought, touching on risk from multiple perspectives. We need to live our lives, and need to make decisions about what we do, and what we want to keep secret about what we do.
Meeting people online is always risky. We need to realize they may be deceptive about who they really are. Don't share intimate photos with someone you only know online.
Meeting people in the "real world" is risky too. There is no shortage of former intimate partners who go on to share intimate photos and videos with the intent to embarrass their ex.
From an information security and organization standpoint, viewing online pornography should be prohibited. It is a security risk and is otherwise not appropriate usage of organization assets. So that should be the rule to protect organization information assets.
Personal conduct that does not affect the organization is a different matter, more for personal choice and personal risk management. It is not my job to dictate personal conduct. Risk management should be holistic, not narrowly focused on certain areas to the exclusion of all others. On the continuum of risk relating to the sexual conduct and activities of individuals, viewing online pornography may be relatively safe. Put differently, viewing an adult website has many risks compared to viewing a reputable news site, and there are ways to mitigate those risks and associated negative implications. But visiting that adult website is less risky than many in-person activities.
Protect yourself from falling victim to an extortionist. This means improving your knowledge and awareness on cybersecurity, and avoiding certain risky actions.
If you are being extorted now, remain calm, contact authorities and consider private assistance. You probably should not pay any extortion. You will get through this.
- Bandler's Four Pillars of Cybersecurity
- Cybersecurity Tips from John Bandler (single page tip sheet)
- Cybercrime Investigations (page about my second book).
This article is hosted at https://johnbandler.com/sextortion, copyright John Bandler, all rights reserved.
Originally published March 2019. Updated 5/24/2022.