Tips & Advice

What I did when an email tried to blackmail me

Emma McGowan 2 Jul 2021

Plus, what to do if you receive a sextortion email yourself (hint: don't pay the ransom)

Y’all — I’ve been blackmailed. But I’m going to come clean, here, to you — the Avast readership — so that the blackmailer will no longer have power over me. Get ready, because this is my story.

I received an email a couple of months ago from an unknown sender. The subject line was my name, including my initial, with improper capitalization. Usually emails like that go straight to my spam folder, but this one didn’t — so I was intrigued! What could have gotten past the (usually very good) Gmail spam filter? 

I clicked on it and the text was…explicit. The sender claimed that he’d been watching me “by means of ur camera” and that he had images and intimate videos of me. He demanded I pay him in Bitcoin within “forty-eight h” to “save your prestige in the sight of men.” He also threatened that if I “neglect” his demand, the video tape of me would be “world heritage on the internet.” 

Now, obviously, I didn’t click on the included attachment. I also didn’t panic because: 

  1. I take precautions with the webcams on my laptops.
  2. I work for a security company and know that this type of email is common. It’s called a “sextortion” email and it’s almost always a phishing attempt filled with false threats.

Instead, I shared the email with my group chats, both personal and professional. On the personal side, two of my best friends — one who lives in DC and one who lives in Europe — also received the email. And when I went on Twitter later in the day, I saw that a bunch of people I follow had also been hit up by this sextortion email. The wording was always slightly different, but with the same bad grammar and spelling and the same message: I’ve been spying on you and have an explicit video of you and I’m going to expose you unless you pay me. 

So, on the professional side, my team decided to dive in and see what we could figure out from the metadata of the messages. How did these slip through the spam filter? Where were these messages originating? And what, if anything, should recipients of this type of blackmail do about it? 

Digging in to the sextortion emails

In total, our team looked at four emails, which were sent to me and to people I know. They were all received between April 12, 2021, and April 20, 2021. Interestingly, all four went to Google Gmail accounts but were sent from either AOL or Yahoo accounts — both of which are owned by Verizon, for what it’s worth. The sender’s name and email address was different for each email and when we looked at the headers, it appeared that these are legit accounts that may have been compromised through malware or stolen credentials. 

All four emails were sent with a subject line that matched the recipient’s name, including middle names or initials. The recipient’s name wasn’t always part of the email address. Because of this — and that the recipient’s name had to be put into the subject line prior to sending — it’s likely that the sextortion operators had access to our names from a source other than our email addresses. They probably got that information from stolen data that included both our emails and names.

In terms of the actual messages we got, all four of us received a similarly worded email message that was notable for poor spelling and grammar. The message was a plain text message, meaning there weren’t any graphics or anything. There were also no links in the email body.

Below is the email message I received with the sender name, email address, and my email address redacted.

The messages came with an attached text message, which didn’t contain any malware. (Don’t worry — I didn’t open it. I have a team with safe computers to do that! Don’t ever click on attachments from an unknown source.) The attached text message was named with the exact same recipient name as the subject line, which boosts our theory that the sextortion operators had the name and email address of each target.

The attachments were simple. Two of them just had a Bitcoin wallet address and a US dollar amount. The other two had this, plus additional text that was similar — though not identical — to the text in the email message. Each one had their own Bitcoin wallet address, which makes sense because multiple Bitcoin addresses are common in sextortion campaigns.

Below is the ransom note that was attached to my message. (We redacted the Bitcoin wallet address so as to not give these jokers any more play.)

Next question: How potentially profitable is this type of scam? It’s a little bit hard to say, because what does a Bitcoin amount really mean? Anyone who knows even the tiniest thing about Bitcoin knows that its value is super volatile. So we took a look at the dates the emails were sent and the opening price of Bitcoin that day. Here’s a table outlining those numbers:

Sample

Date Sent

Ransom

Opening Bitcoin price that day

Approximate number of Bitcoins for ransom

Sample A

4/12/2021

US$ 1,299.00

US$ 60,175.95

.0215

Sample B

4/15/2021

US$ 1,449.00

US$ 63,075.20

.0229

Sample C

4/16/2021

US$ 1,499.00

US$ 63,258.50

.0236

Sample D

4/20/2021

US$ 1,350.00

US$ 56,191.59

.0240


A couple of things are notable here. First, the sextortion operators are using a classic pricing trick of asking for “$1,299.00” rather than “1,300.00” to make it seem less expensive — and the amount is weirdly close to the $1,350 requested by scammers that our researchers tracked earlier this year. Additionally, they’re asking for ransom in US dollar amounts rather than specific Bitcoin amounts, likely to hedge against Bitcoin price fluctuations. Tricky tricky, internet scammers! 

It might not surprise you, but I didn’t pay the ransom. And neither did any of my friends or Twitter acquaintances whose emails we analyzed. And, when my team looked at the Bitcoin wallets, they didn’t see evidence of any payments. 

It also might not surprise you to learn that none of us were “exposed” by the extortionist. My friends and family have not received any explicit videos of me. Is my prestige in the sight of men still intact? That’s probably debatable, but I’d argue that’s the price you pay for living an interesting life.

What to do if you receive a sextortion email

I’m being a little bit flippant, of course, because this is such a blatantly ridiculous attempt at online extortion. But I also know that not everyone is as aware of this kind of thing as I am. So here are some tips if you receive a sextortion email yourself.

  1. Don’t panic. It’s just spam — really. Think of it as a modern-day Nigerian Prince email.

  2. Don’t respond. There’s no need and sometimes a scammer will escalate if you reply.

  3. Don’t open any attachments, in case there actually is malware included. There wasn’t in this case, but that doesn’t mean there isn’t in your email. Don’t take the chance. 

  4. If the extortionist mentions leaked passwords, it’s worth it to do a password hygiene check. You can scan the Dark Web for any leaks and then change those passwords. If you need help keeping track of all of your unique passwords, invest in a solid password manager. 

  5. Share the email with your friends and make fun of it together! We have to all be able to laugh at this stuff, right? 

Reader, thank you for joining me on this journey into the depths of sextortion blackmail emails. I hope, as always, that you have emerged on the other end better informed — and at least a little entertained. May your firewalls be strong and may all of your scammers be as inept as this one.