Sextortion and similar cyber extortion schemes

I have fielded calls from people who receive emails trying to extort them for money, threatening to release some very personal information or photos.

Here's how the scam works:

  1. Cybercriminal has a list of thousands or millions of email addresses, possibly with personal identifying information, and even old passwords.
  2. Cybercriminal emails all of these addresses, and says: (i) I put malware in your computer and can monitor everything you are doing, and can watch you through your camera, (ii) I caught you surfing adult websites (porn), (iii) I have records and video to prove it, including video of you doing some very personal things, (iv) if you pay me money I won't tell anyone, or post it anywhere, (v) if you don't pay me, I'll tell everyone, and post it publicly (very embarrassing for you).
  3. A percentage of these email recipients have in fact visited adult websites in the past.
  4. A percentage of these email recipients believe the email may be a genuine threat, and consider paying the ransom. Or actually do pay the ransom.

Here are the main takeaways for this scam.

  1. Many of the people susceptible to this scam need to gain more knowledge about cybercrime and cybersecurity. This means they may be safe from this threat, but there are many other cybercrime events that might befall them. Consider reading my book or articles to improve your knowledge and skills. This is the first step to improve your security.
  2. Chances are good that this cybercriminal did not infect your computer with malware. But chances are good that your cybersecurity posture is not good, and that means risks for your computer, data, and networks. Your computer might be infected with malware (though probably unrelated to this particular criminal).
  3. Chances are good you were not captured on video doing some very personal activities while surfing adult web sites.
  4. You probably should not visiting those adult websites. It is risky computing activity. Visiting one malicious website can get your computer infected with malware. I'm not saying every adult website will do this, but many are, especially those offering free--often pirated--content. Some adult websites may be operated securely and properly, but I am no expert on the genre or industry. My point is don't subject your computer to the risk. Never subject a company or employer's computer to this risk, even if (especially if) it's your own company.

Generally, this cybercrime is extortion, which is a type of theft or attempted theft. You could report this to law enforcement, including through the FBI's IC3 portal, but I suspect the resulting investigation may not be very thorough.

Separately, there are extortion type threats where the person knows the victim, and actually has intimate photos. That's a more solvable case and should be investigated. And more states are enacting revenge porn type laws.