“You can panic,” reads the subject line of one fake sextortion email.
Another has a victim’s real password in the subject line, in an attempt to establish authenticity.
These low-tech frauds spiked in 2018, according to the FBI’s Internet Crime Complaint Center (IC3), netting millions for scammers.
Last year, electronic extortion complaints rose 242% to 51,146 reported crimes, with total losses of $83 million.
While the FBI does not break out sextortion from the total number of extortion crimes reported, a spokesperson told CNBC, “The majority of extortion complaints received in 2018 were part of a sextortion campaign in which victims received an email threatening to send a pornographic video of them or other compromising information to family, friends, coworkers, or social network contacts if a ransom was not paid.”
The advice from experts: Don’t fall for it.
“They play on our basest levels of psychology,” said Priya Sopori, partner at law firm Greenberg Glusker and a former assistant U.S. attorney who prosecuted cybercrimes, including sextortion.
“You will read personalization into any generic statement. And if you believe that there are hackers out there that know every aspect of your life, and maybe they even know your life better than you do, you might actually pay even if you’ve done nothing at all.”
The power of shame
While there are examples of real sextortion, especially involving the theft of real nude photos or videos, hoax sextortion emails have no basis in reality.
Scammers send these emails out as form letters. They include claims about supposed improprieties, often including claims that the sender has evidence of your affairs, has hacked your webcam to take damning photos or videos of you or has evidence of pornographic material you’ve viewed.
Here’s a sample letter, courtesy of antivirus software company Malwarebytes, which researches this and other scams:
I am well aware [REDACTED] is your pass words. Lets get right to point. Neither anyone has paid me to investigate you. You may not know me and you are probably thinking why you’re getting this e-mail?
actually, i installed a software on the adult videos (pornographic material) web-site and do you know what, you visited this website to have fun (you know what i mean). While you were viewing videos, your web browser began working as a Remote Desktop that has a keylogger which gave me accessibility to your display and also cam. Just after that, my software gathered every one of your contacts from your Messenger, Facebook, as well as email . after that i created a double video. 1st part displays the video you were viewing (you’ve got a nice taste haha), and next part shows the recording of your cam, yeah its you.
You have not one but two choices. Shall we read up on these options in aspects:
First alternative is to just ignore this message. in such a case, i am going to send out your actual video to every single one of your personal contacts and think regarding the awkwardness you will definitely get. and definitely if you happen to be in a loving relationship, how it would affect?
Number 2 solution is to pay me $889. Lets name it as a donation. in this situation, i most certainly will asap remove your video footage. You could carry on daily life like this never occurred and you surely will never hear back again from me.
“First, have a healthy level of skepticism,” said Malwarebytes CEO Marcin Kleczynski.
“Then, remember, they almost certainly haven’t been recording you or have access to this type of information, if it even exists.”
His company has looked at bitcoin wallets associated with criminals perpetrating these schemes, Kleczynski said, where criminals ask victims to send what are often unusual sums -- $514, $607 and $618 in three recent examples. Apparently they spark enough panic to net the criminals $10,000 to $20,000 per week, according to Malwarebytes research.
“There is an incredibly low barrier of entry here. It’s a commodity attack,” he said. Criminals don’t need any hacking skills at all to pull off sextortion. They can simply rely on leaked email addresses stolen from huge companies and email providers in the last decade.
In the slightly more sophisticated version of the crime, scammers buy “dirt cheap” passwords associated with those emails and include the password in the subject line as an additional lure, falsely claiming they have used the password to access sensitive information about you.
But it’s all fake. The only reason it works so well, Sopori said, is because “People, especially young people, have come to believe there’s no such thing as privacy anymore.” This belief leads people to assume that anyone can spy on them at any time, or can even misuse their information to create the appearance of impropriety where it doesn’t exist.
“So it does seem to indicate that, when you hear that people don’t care about privacy anymore, the success of these scams tells us the opposite might be true,” Sopori said. “People obviously do care about privacy. They do care about the idea that someone could have pictures of you, and they believe the threats that ‘I will send them to your brothers, your sisters, your friends.’ Privacy is still important. Shame can be a tremendous weapon that these criminals use.”
What you can do
Besides having a healthy level of skepticism -- it is highly, highly unlikely anyone sending one of these emails knows you or has information on you, Kleczynski emphasises -- checking and updating your spam filters can also help, to make sure those filters are catching the latest versions of these scams.
Changing passwords or using a password manager can also help, so that you can rest assured any passwords displayed in an alarming subject line are no longer in use. Multifactor authentication, which gives you the option of using methods other than passwords to log in, can also help ease worries about passwords, he recommends.
If you receive an email and it worries you, you can report it to your company’s IT department or local police -- who are well aware of these scams, Sopori said. You can also report the emails to the FBI’s IC3.
This story first appeared on CNBC.com.