Sextortion - The Latest Email Scam Using Hacked Passwords

Author: Craig Pollack Date: Jul 20, 2018 Topics: Cybersecurity

Here’s a clever twist on an old email scam that serves to make the con totally believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. They then threaten to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password tied to your real email address.

So, how is this possible you ask? Well, welcome to the effects of the dark web.

You may not realize this, but your email address and password, and those of all of your staff, may be available to anyone willing to pay for them on the dark web. Well, maybe not all of them, but certainly a good number. How is this possible? The data from every breach you've heard about over the years, like those at Yahoo, LinkedIn, Target, and Dropbox (and many others you haven't heard of), ends up for sale on the dark web.

Keep in mind, if you haven't changed your password since the time of the breach, it's still your current password! This is one of the reasons we work with clients to define and implement a robust password policy (including password complexity and how often passwords are changed).

What Sextortion Looks Like

Technically, sextortion is when a bad actor sends a message to a user claiming to have compromised their computer and to have captured compromising sexual content of them, and then demands a ransom not to release it.

The hackers' scare tactics include:

  • Quoting a password the user has previously used, often on an account from years ago, to make the threat look credible
  • Threatening to expose provocative pictures or videos of the user supposedly recorded from their webcam if the ransom is not paid
  • Demanding that the user purchase Bitcoin and pay the ransom in it
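The three scare tactics above are also what a mail filter can key on. The following is an added example, not code from the original post or from FPA: it scores a message body on threat vocabulary, the presence of a Bitcoin address, and whether it quotes a password already known from a breach. The breach list, the sample messages and the Bitcoin address are all constructed here so the script runs offline.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for a breach-monitoring feed: passwords seen in past breaches,
# stored as SHA-256 hashes so the plaintext never sits in the filter's configuration.
KNOWN_BREACHED = {hashlib.sha256(p.encode()).hexdigest() for p in ("hunter2", "Summer2016!")}

# Lure vocabulary drawn from the three scare tactics described above.
THREAT_WORDS = {"webcam", "camera", "recorded", "recording", "porn", "adult",
                "contacts", "bitcoin", "btc", "wallet", "ransom"}
# Legacy (1.../3...) and bech32 (bc1...) address shapes; good enough for flagging, not validation.
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def score_sextortion(body: str) -> Verdict:
    """Score one message body; higher means more of the sextortion pattern is present."""
    v = Verdict()
    words = set(re.findall(r"[a-z]+", body.lower()))
    hits = sorted(words & THREAT_WORDS)
    if len(hits) >= 3:
        v.score += 2
        v.reasons.append("threat vocabulary: " + ", ".join(hits))
    if BTC_ADDR.search(body):
        v.score += 2
        v.reasons.append("contains a Bitcoin address")
    # The password lure: any token in the body that hashes to a known breached password.
    for token in set(body.split()):
        if hashlib.sha256(token.strip(".,;:!?\"'()").encode()).hexdigest() in KNOWN_BREACHED:
            v.score += 4
            v.reasons.append("quotes a password seen in a past breach")
            break
    return v

def is_sextortion(body: str, threshold: int = 5) -> bool:
    return score_sextortion(body).score >= threshold

# Constructed sample messages (not real mail); the address is made up to fit the regex.
SCAM = ("I know your password is hunter2. I installed malware on your computer and recorded you "
        "through your webcam on an adult site. Pay 0.5 bitcoin to 1FakeDemoAddrNotReaXYZ23456789ABCDE "
        "within 48 hours or the video goes to all your contacts.")
BENIGN = ("Reminder: the webcam in conference room B is being replaced on Tuesday. "
          "Please update your contacts list before the all-hands.")

if __name__ == "__main__":
    for name, msg in (("scam", SCAM), ("benign", BENIGN)):
        print(name, score_sextortion(msg))
```

The breach-hash check is the part worth wiring to a real feed: a quoted password that matches a known leak is the strongest signal, and it also tells you which accounts to rotate.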

When you first receive an email like this, it all seems implausible. But, the fact that they offer up your password (or one of your old ones) makes the scam seem real.

But these aren't the only tactics they'll use. As time goes on and word gets out to be aware of these scams, they will most likely refine their approach, using more recently used passwords or other personal data to make the threats seem that much more legitimate.


So how do you respond if you or one of your staff are hit with one of these emails:

  • Do NOT Respond
    • Do NOT respond to the email. Print it out (in case you bring it to the authorities) and then delete it.
  • Keep the Evidence
    • Document usernames, URLs, ID details, photos, videos, or anything else the bad actor sent.
  • Address the Password
    • Immediately change the password on every account that uses it (not just the account tied to this email / password combination).
  • Do NOT Pay
    • Paying the bad actors opens the floodgates for them to demand more and more money.

What to Do to Stay Ahead of the Dark Web

Your business needs to have a strong password policy along with an effective cybersecurity user awareness training program so your employees know what to do if they should ever encounter a suspect email. Creating human firewalls within your company is the first line of defense in helping to keep these bad actors at bay.

In addition, the latest tool in our tool belt for proactively protecting our clients' networks and information is a Dark Web Monitoring service. This additional layer is something every company should have to head off the consequences of these breaches, such as noncompliance fines, virtual theft, a damaged reputation, or worse, loss of business. With the information that's already out there on the dark web, and more added with every new breach, we can no longer sit passively by. Dark Web Monitoring provides that extra layer of protection to get ahead of these breaches.

The Bottom Line

The internet is not a place to house anything you may not want the public to see, but it should also not be used to hold people’s private acts for ransom. In any case, hackers will use any and all tactics available to get money and the quickest way is with the threat of embarrassing exposure. If you want to avoid being a victim of this then it’s best to remember to:

  • never send any compromising images or videos to anyone
  • make sure your webcam is turned off
  • make sure your webcam is covered when not in use
  • never open an attachment from anyone you don't know or aren't expecting

What are you doing to be proactive to avoid scams? Do you feel you may have been a victim of a scam and need to do something about it? Share your thoughts and experiences in the comments section below or let me know if you'd like to chat about this topic more in depth. 



Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 25 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best secure and leverage their technology to achieve their business objectives.