What is a “Sextortion” Email Scam?
“Sextortion” email scams are a form of “social engineering” designed to trick or entice a user into clicking on a link, installing malware, paying a ransom, or engaging in other behavior that a victim would not typically engage in without interference. Why do we refer to this as a form of “social engineering”? Because arguably the purpose of the “sextortion” portion of the content is to use fear (manipulation) to shock or trick a person into clicking on a link or taking some other action.
A recent “sextortion” email example that came across my desk can be summarized as follows: “We (the sender of this mail) have a webcam video of you engaging in a particular act while watching online pornography. If you don’t believe that we really have this video, click this link to watch the video for yourself.” Clicking the link of course delivers ransomware or another viral payload to one’s computer, or worse.
Another recent “sextortion” scam sent users a decade-old password in the e-mail (used to shock the user into thinking the threat is real; in reality it is typically a once-legitimate vendor password exposed via a past data breach) and told users that if they did not pay a bitcoin ransom, the illicit video would be sent to all of the user’s e-mail contacts. It should go without saying that none of these scammers really have a video of the user watching porn.
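As an added illustration (not part of the original post), a small mail-triage heuristic that scores a message body against the indicators described above: a claim to know the recipient's password, a webcam or adult-site claim, a bitcoin ransom demand, a threat to mail the victim's contacts, and the “click to watch the video” lure. The sample messages, weights and threshold are constructed assumptions for this example, not data from the original.

```python
import re

# Constructed sample messages (written for this example, not real scam mail) showing
# the indicators the post describes: leaked old password, webcam claim, bitcoin ransom.
SAMPLES = {
    "sextortion_password": (
        "I know your password is hunter2. I installed malware on the adult site "
        "you visited and recorded you through your webcam. Pay 900 USD in bitcoin "
        "to 1ConstructedBtcAddrxxxxxxxxxxxx within 48 hours or I send the video "
        "to all your contacts."
    ),
    "sextortion_link": (
        "We have a web cam video of you watching porn. If you do not believe us, "
        "click here to watch the video yourself: http://example.invalid/video"
    ),
    "benign": "Hi team, the quarterly security awareness training is on Thursday; slides attached.",
}

# (pattern, weight, label). Weights are an assumption for illustration;
# tune them against your own mail stream before relying on them.
INDICATORS = [
    (re.compile(r"\b(your|ur) password (is|was)\b", re.I), 3, "claims to know a password"),
    (re.compile(r"\b(web\s?cam|camera)\b", re.I), 2, "webcam recording claim"),
    (re.compile(r"\b(porn|pornography|adult site)\b", re.I), 2, "adult-content claim"),
    (re.compile(r"\b(bitcoin|btc)\b", re.I), 2, "bitcoin ransom demand"),
    # Base58 string of typical BTC address length; 0, O, I and l are not base58.
    (re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"), 3, "bitcoin-address-like string"),
    (re.compile(r"\b(all )?your contacts\b", re.I), 2, "threat to mail contacts"),
    (re.compile(r"\b(click|watch) .{0,40}\b(video|link)\b", re.I), 2, "'see the video' lure"),
    (re.compile(r"\b\d+ ?(hours|days)\b", re.I), 1, "deadline pressure"),
]

THRESHOLD = 5  # assumption: minimum score at which a message is held for analyst review


def score_message(body: str):
    """Return (total score, labels of the indicators that matched) for one message body."""
    matched = [(weight, label) for rx, weight, label in INDICATORS if rx.search(body)]
    return sum(w for w, _ in matched), [label for _, label in matched]


def is_likely_sextortion(body: str) -> bool:
    """True when the weighted indicator score reaches THRESHOLD."""
    return score_message(body)[0] >= THRESHOLD
```

A heuristic like this cannot verify whether a quoted password was really breached; it only flags the claim so the message can be held for the analysis the post recommends rather than acted on by the recipient.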
We must all be on guard in order to prevent damage to our systems from these malicious actors (typically individuals, small teams, or organized crime located in the third world), as they will no doubt continue to evolve their tactics. A rule of thumb I often repeat to all who will listen is: “If one finds oneself squinting at a mail in wonder, trying to determine if it is legitimate... it is not.” Delete or otherwise verify all suspicious mails before clicking on included links. When in doubt, feel free to forward them to our team for further analysis.