For the past few months, a phishing scam known as “sextortion” has been targeting Internet users in a variety of ways. (Phishing is a common method of tricking people into doing something dangerous—from clicking on a link to an infected website to wiring money to a con artist—that usually begins with an email.) Now, cyber criminals are trying to use sex as a lure.

There are several versions of this scam circulating, but all of them threaten to expose the individual as a viewer of web pornography unless they pay “hush money”. In most variations, the scammer claims to have accessed the viewer’s webcam and recorded them viewing a pornographic site.

In some cases, the individuals have actually visited porn sites. In others, they have not—but those who take the bait still worry about exposure. They may wonder if a friend or family member accessed the site from their computers, or if the scammer could somehow have created a video that makes them appear to be watching a porn site.

In the most disconcerting incidents, the scammer has harvested the intended victim’s password and displays it in the message to prove they have access to the individual’s computer.

The scammer invariably asks for the ransom to be sent via Bitcoin, a digital monetary exchange system that doesn’t use traditional banking channels.

WHAT YOU NEED TO DO

First of all, take a deep breath. Yes, there have been instances where victims have been blackmailed with nude photos taken after their computers were hacked and their web cams turned on. However, all indications are that this scam does not involve actual filming of computer user activity. How do we know?
If hackers had video of someone watching a porn site, they would likely send a screen grab to prove their threat is very, very real.
The emails usually begin with “hello friend” or some other anonymous salutation. They contain no personal details, nor do they mention any specific porn site the user was purportedly watching.
In cases where scammers displayed an email password, it is highly unlikely that they hacked an individual computer just to perpetrate a scam. It’s much more likely that they acquired the passwords on the Dark Web or through some other nefarious source. Experts estimate that approximately 500 million passwords have been exposed through data breaches.
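The tells listed above (generic salutation, webcam claim, Bitcoin demand, a quoted password as “proof”, a deadline) can be turned into a simple mail-filter check. The following is an added example, not code from the original article; the sample messages, indicator names and the threshold of three indicators are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample messages (not real scam text) used to exercise the checks below.
SEXTORTION_SAMPLE = """Subject: Your account was compromised
hello friend
I placed malware on the adult site you visited and recorded you through your webcam.
Your password is hunter2, that is how I know you will read this.
Send $900 in Bitcoin within 48 hours or the video goes to all of your contacts.
"""

BENIGN_SAMPLE = """Subject: Lunch tomorrow?
Hi Dana,
Are you free for lunch tomorrow at noon? Let me know.
"""

# One pattern per tell described in the article: anonymous salutation, webcam claim,
# Bitcoin demand, a breached password quoted as proof, a payment deadline, a porn-site claim.
INDICATORS = {
    "anonymous_salutation": re.compile(r"^\s*(hello|hi|dear)\s+(friend|user|customer)\b", re.I | re.M),
    "webcam_claim": re.compile(r"\b(webcam|web cam|camera)\b", re.I),
    "bitcoin_demand": re.compile(r"\b(bitcoin|btc)\b", re.I),
    "password_as_proof": re.compile(r"\bpassword\b\s*(?:is|:)\s*([^\s,.;!]+)", re.I),
    "deadline": re.compile(r"\b\d+\s*(hours?|days?)\b", re.I),
    "porn_site_claim": re.compile(r"\b(adult|porn|pornographic)\b", re.I),
}


def score_message(message: str) -> list:
    """Return the names of the indicators present in the message."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(message)]


def is_sextortion(message: str, threshold: int = 3) -> bool:
    """Flag only when several independent tells co-occur; a lone 'hello friend' is not enough."""
    return len(score_message(message)) >= threshold


def claimed_password(message: str) -> Optional[str]:
    """Extract the password the scammer quotes so the recipient knows which credential to rotate."""
    match = INDICATORS["password_as_proof"].search(message)
    return match.group(1) if match else None


if __name__ == "__main__":
    for label, sample in (("scam", SEXTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_sextortion(sample), score_message(sample), claimed_password(sample))
```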
If you receive such a message, here’s what you can do:
If the scammer includes your password in the email, change it immediately and make it very, very strong. Everyone should use strong passwords for all their accounts, both online and for all their computers and mobile devices (including their apps), and they should not all be the same. If you cannot remember a bunch of strong passwords, use a password manager.
The latest variation of this scam involves a more innocuous email with an attachment titled “Invoice”. Never open an attachment from an unknown sender. We previously published advice for confirming a sender is legitimate. You can read it here.
Run a malware scan to ensure your systems have not been infected.
If you want complete reassurance, put a piece of tape over your webcam lens.
Finally, don’t pay money to anyone whose identity you cannot confirm by any method, and especially not by Bitcoin, cash, check or wire transfer. If you think you are being extorted, call the FBI.