Don’t panic! These scammers don’t actually have photos of you

Emma McGowan 8 Jun 2023

Sextortion threats are getting a little thirsty – don’t play that game.

Imagine this: You open your email and find the following message: 
 
“I am a hacker, and I’ve gained access to your operating system. I’ve been watching you for months…” 

As what we do on our computers and mobile devices is increasingly linked with our personal lives, it’s fair that this message might raise the hairs on the back of your neck. 

Sextortion scams are email-based scams that try to convince you that a cybercriminal has taken full control of your system, has been watching you through your cameras, knows everything, and that you must pay to keep your privacy safe.

They prey on a victim’s uncertainty and fear of embarrassment, hoping that you’ll pay up quickly rather than risk literal exposure.  

The positive news is that a recent wave of sextortion emails, detected by Avast within a few hours of its release, is entirely fake and bogus, and should be treated like any other phishing scam.

Earmarks of amateur scams 

While sextortion scams have been around for a while, this recent email campaign lacks the details and credibility that come with more sophisticated phishing and ransomware efforts. That is to say, the hackers really phoned it in on this one. Let’s look at the details of their message.  

“I am a hacker, and I have successfully gained access to your operating system. I also have full access to your account.”

This line was meant to seem ominous and mysterious, but in reality, it’s a vague catch-all that lacks real specifics. What account have they accessed (I have quite a few)? Even more generic, “operating system” could literally mean any digital device. Are they talking about a laptop or tablet? Or, is the scammer hoping that you’ll fill in the details for them? 

“The fact that your computer has been infected with malware through an adult site you visited. If you’re not familiar with this, I will explain…” 
 
Like a poor James Bond villain, the bad actor here spends a lot of time explaining how they defeated the victim, why you’re defenseless, and how they’ve taken control of your cameras, microphones, and contact lists.  

The prudent skepticism here should focus on why the hacker is spending time explaining a broad (and spurious) process, rather than discussing anything that really pertains to you. While they’re going on about how talented they are, perhaps they’re unaware of the secret antivirus that Q gave you to stay protected. 

“I made a video showing how you satisfy yourself in the left half of the screen, and the right half shows the video you were watching.” 

Shame and embarrassment are the keys to sextortion scams — it’s why they work. When a threat like this worries you, the first thing to consider is that this is a tactic. Like when a car salesman tells you that a price is only good for today, a sextortion scammer is preying on insecurity while putting you under time pressure.  

They want you to act first and think later. Don’t go for it. 

“I never make any mistakes. If I find that you have shared this message with someone else, the video will be immediately distributed.” 
 
Here, the scammer has wrapped up the theme of the email. They are in control, they are watching, and you have no recourse but to pay them off. And as they’ve gone through this lengthy explanation of their highly skilled operation that threatens to expose you, they haven’t provided a single valid detail about you personally. 

They didn’t use your name. They didn’t know your operating system or types of devices. They didn’t mention any of your contacts, where you live/work, or any of your social platform names. It’s a lot of omission considering the time and effort they put toward “hacking” you. 

Protecting yourself from sextortion scams 

As amateur as this sextortion scam is, it is important to be aware that there are more sophisticated attacks out there. In other threats, cybercriminals will add some of the details discussed above (often from old internet data) to make their threats appear more credible. These attacks can happen to anyone, even one of our team members.

If you ever receive a sextortion email, here are some steps to protect yourself:

  • Stay calm: Do not respond to the email or pay any money. Sextortion emails are often empty threats and just spam. 
  • Update your passwords: Change your passwords regularly and use strong, unique passwords for each account to prevent attackers from accessing your data. 
  • Enable two-factor authentication (2FA): 2FA adds an extra layer of security to your accounts, making it more difficult for cybercriminals to gain unauthorized access. 
  • Keep your devices updated: Regularly update your operating system, antivirus software, and other applications to protect your devices from malware and other threats.

While this campaign hasn’t been successful, it serves as a reminder that this and other threats exist. Stay informed, exercise healthy skepticism, and follow best practices for online security. 
