Sextortion and similar cyber extortion schemes

I have fielded calls from people who receive emails trying to extort them for money, threatening to release some very personal information or photos. E.g. videos of the victim from the victim's laptop camera while the victim is viewing sexually explicit websites.

Here's how the scam works:

  1. Cybercriminal has a list of thousands or millions of email addresses, possibly with personal identifying information, and even old passwords.
  2. Cybercriminal emails all of these addresses, and says: (i) I put malware in your computer and can monitor everything you are doing, and can watch you through your camera, (ii) I caught you surfing adult websites (porn), (iii) I have records and video to prove it, including video of you doing some very personal things, (iv) if you pay me money I won't tell anyone, or post it anywhere, (v) if you don't pay me, I'll tell everyone, and post it publicly (very embarrassing for you).
  3. A percentage of these email recipients have in fact visited adult websites in the past.
  4. A percentage of these email recipients believe the email may be a genuine threat, and consider paying the ransom. Or actually do pay the ransom.

Here are the main takeaways for this scam.

  1. Many of the people susceptible to this scam need to gain more knowledge about cybercrime and cybersecurity. This means they may be safe from this threat, but there are many other cybercrime events that might befall them. Consider reading my cybersecurity articles or cybersecurity book to improve your knowledge and skills. This is the first step to improve your security.
  2. Chances are good that this cybercriminal did not infect your computer with malware. But chances are good that your cybersecurity posture is not good, and that means risks for your computer, data, and networks. Your computer might be infected with malware (though probably unrelated to this particular criminal).
  3. Chances are good you were not captured on video doing some very personal activities while surfing adult web sites.
  4. You probably should not visiting those adult websites. It is risky computing activity with many malicious sites. Visiting one malicious website can get your computer infected with malware. I'm not saying every adult website will do this, but many are, especially those offering free--often pirated--content. Some adult websites may be operated securely and properly, but I am no expert on the genre or industry. My point is it is probably best avoid this risk to your computer altogether. And never subject a company or employer's computer to this risk, even if (especially if) it's your own company. There are a host of policy reasons why this is not appropriate computer usage.

Generally, this cybercrime is extortion, which is a type of theft or attempted theft. You could report this to law enforcement, including through the FBI's IC3 portal, but I suspect the resulting investigation may not be very thorough.

Separately, there are extortion type threats where the person knows the victim, and actually has intimate photos. That's a more solvable case and should be investigated. More states are enacting revenge porn type laws which add another tool to law enforcement's arsenal.

As a general rule, people should not pay ransom or extortion. It feeds the criminal economy, makes the crime profitable, and the criminal generally cannot be trusted to keep their side of the "bargain".

Here's another thought, touching on risk from multiple perspectives. From an information security and organization standpoint, viewing online pornography should be prohibited. It is a security risk and is otherwise not appropriate usage of organization assets. That said, it is not the job of information security professionals to dictate morals or personal conduct, and risk management should be holistic, not narrowly focused on certain areas to the exclusion of all others. On the continuum of risk relating to the sexual conduct and activities of individuals, viewing online pornography is extremely safe! And there may be ways to mitigate risks and associated negative implications with this activity.

Originally published March 2019. Updated 5/5/2020.