The headline is racy: sextortion. It's the latest email scam circulating the internet, and it raises eyebrows and causes real anxiety for many recipients. The good news is that it's an email scam that sounds a lot worse than it is.
Here’s how it works. You receive an email with a subject containing a username and password you are either currently using or have used in the past. The message goes on to say that you recently visited an adult website and while you were there, the sender of this email installed malware on your computer. This malware allowed them to take control of your webcam and record you. Unless you agree to send a ransom in Bitcoin, the sender threatens to release the videos they have of you and the adult websites you have visited to your contact list.
The sender also employs a little odd humor, commenting on your good taste in adult videos you watch. That aside, there is nothing funny about this. This scam plays on your sense of privacy and prudence. It attempts to shame you into paying a ransom to protect your reputation. It’s just the latest example of extortion attempts via email.
So where are the bad guys getting your username and password? The first thing to confirm is whether the password is one you use currently. It may be. It may also be one you have not used for years. Most security researchers believe the usernames and passwords are being pulled from databases circulating on the Dark Web that hold millions of compromised credentials, gathered from numerous data breaches over the last ten or more years. The problem is that many people don't change their passwords often, and don't use a unique password for each site they log in to. So it's quite likely that the password is still in use on at least some of the websites you visit, even if it was leaked years ago.
The good news is there are no reports that anyone has actually had the threats in the email carried out. But the threat is what gets people to take action and, in some cases, actually pay the demanded Bitcoin ransom. You should never do this, as it just fuels these scams. All indications are that this is an automated scam: mining credential dumps on the Dark Web and mass-mailing these messages with the leaked password pasted in for credibility. If the people behind it receive even a small fraction of the ransoms they demand, they make out pretty well. Don't fall for the scam and help them make money.
So, what can you do to help protect yourself against email scams like this? Use a strong password, preferably a passphrase made of several randomly chosen words, which is long enough to be very difficult to guess or crack yet still easy to remember. I recommend a bare minimum of 12 characters, mixing upper and lower case letters, numbers and symbols. Don't use the same password on more than one website. This is probably the most difficult thing to do, given how many username and password combinations you have, and it is exactly what makes an old breach dangerous: one leaked password unlocks every site where it was reused. If you struggle with this one, look into a password manager to generate and store a unique password for every site. If you are not familiar with password managers, Google them and read user reviews to see which one may be good for you. Also, be sure to enable two-factor authentication whenever it is an option, so that a leaked password alone is not enough to get into your account.
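The two practical checks this advice boils down to are "is the password in the email one I still use, and does it appear in a breach dump?" and "is my replacement actually strong?". The following Python is an added example, not code from the original post. It generates a random passphrase with the CSPRNG in `secrets`, computes the entropy that gives you, applies the post's 12-character mixed-class baseline, and shows the k-anonymity breach lookup used by Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the password's SHA-1 leave your machine and the service answers with every matching hash suffix and a count. The word list, the range response text and the counts in it are constructed for the example (the suffix for "password" is its real SHA-1), so it runs offline; a real lookup would fetch the range over HTTPS instead of reading the embedded string.

```python
import hashlib
import math
import secrets
import string

# Constructed word list for illustration only. A real diceware-style list has
# 7776 words, which is what gives each word roughly 12.9 bits of entropy.
WORDLIST = [
    "anchor", "basket", "cobalt", "dagger", "ember", "falcon", "garnet", "harbor",
    "igloo", "jungle", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
]


def generate_passphrase(n_words, wordlist=WORDLIST, sep="-"):
    """Pick n_words uniformly at random with a CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Entropy of n_words drawn uniformly from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def meets_policy(password, min_len=12):
    """The post's baseline: 12+ characters mixing upper, lower, digits, symbols."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= min_len and all(classes)


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the service
    and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, range_response):
    """k-anonymity breach check. range_response is the text returned for the
    prefix, one 'SUFFIX:COUNT' per line; returns the count or 0 if not found."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the range response for prefix 5BAA6. The middle
# suffix is the real SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the other lines and all counts
# are made up for the example.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


if __name__ == "__main__":
    leaked = "password"
    prefix, _ = sha1_prefix_suffix(leaked)
    print(f"prefix sent for {leaked!r}: {prefix}")
    print(f"seen in sample breach data: {pwned_count(leaked, SAMPLE_RANGE_RESPONSE)} times")
    print(f"meets 12-char mixed policy: {meets_policy(leaked)}")

    new_pw = generate_passphrase(6)
    print(f"generated passphrase: {new_pw}")
    print(f"entropy with this {len(WORDLIST)}-word list: {entropy_bits(6, len(WORDLIST)):.1f} bits")
    print(f"entropy with a 7776-word list: {entropy_bits(6, 7776):.1f} bits")
```

Note what the entropy numbers tell you: six words from the tiny constructed list give only 24 bits, while six words from a full 7776-word list give about 77.5 bits, which is why the size of the list matters as much as the number of words. The policy check is the post's character-class rule; it is a floor, not a measure of strength, so a passphrase that is long and random is preferable to a short string that merely ticks every box.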
Most importantly, if you get one of these messages, don’t panic and absolutely do not reply or send the ransom. The worst thing you can do is engage in an exchange with a hacker like this. Or pay them.