April 16, 2019

Sextortion phishing scams have been on the increase

We recently featured sextortion phishing scams in our Breaking Scams series but as there had been no signs of this attack slowing down, we got our team to investigate them in more detail.

What are sextortion scams?

In a nutshell, they are a threatening correspondence sent to potential victims with a goal of extorting money, with blackmailers frequently asking for payment in cryptocurrency.

During the scam, a potential victim receives an email purporting that their computer has been hacked and they have been filmed doing something “untoward”. The perpetrator then asks for a fee, often to be transferred in bitcoin, and threatens to expose the victim’s secret if they don’t pay the ransom. Frequently such emails mention visits to porn sites but sometimes they are kept purposely vague, referring only to a ‘dirty secret’. Keeping the content vague allows the scammer to catch more victims as the vague content will apply to greater number of people.

Sextortion emails utilise different types of threats and methods

Two kinds are common: direct threats, which tell the victim that the data collected on them will be distributed to friends, family and/or work colleagues, and implied threats, which talk about the shame a victim might feel if their secret were made public.

Often victims are also reminded about the potential breakdown of an existing relationship, should the ‘secret’ come out. These threats serve a purpose – to evoke fear. Fear is a visceral influence, or a primal drive, under which careful thinking is compromised. Fear has two components: physiological (e.g. adrenaline levels rise to prepare us to fight or flee) and emotional. The emotional reaction is often unique to each person, with some people being more averse to fear than others, which means they may also be more likely to comply with the requests in order to avoid it.

Often fraud warnings that fail to address emotional reactions to certain frauds (e.g. those evoking fear or even excitement) are ineffective. The reason for this is that any strong emotional or visceral reaction will override rational thinking for a short time, and in such a state, we focus on addressing the goals associated with that state (e.g. when hungry we think of how to get food).

In addition to evoking a strong emotional response, sextortion emails use several persuasive components to encourage immediate compliance – blinding victims with computer-babble. A review of 60 such emails conducted by The Defence Works showed that they all follow a certain pattern. Typically they contain an explanation of how the computer was hacked and the victim’s data collected. To most people with limited cybersecurity or computer knowledge, these will appear credible:

The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296).  I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time.  Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you. 

Genuine Extract from Sextortion Email

Then there are time limits imposed, which add urgency. Urgency is a known persuasion technique. The key is to not allow the victim to properly think about it or share the news with someone who may advise them not to comply. Some perpetrators draw attention to, and apologise for, their spelling mistakes, offering an explanation for their poor grammar by saying they are from a specific foreign country. Since many people have come to associate bad spelling in unsolicited emails with scams, this may be a new technique to get around this association and make the correspondence appear more credible.

Along with the threats of exposure, many sextortion scam emails contain elements of semantic priming, specifically words that are used throughout the correspondence, which are carefully selected to induce intense shame and humiliation. There are also references to social norms (e.g. ‘your taste is so weird’ or ‘you’re a big pervert’) which will contribute to feelings of shame and humiliation and intensify the fear of exposure.

Word Analysis of Terms Used in Sextortion Emails

Frequently, such correspondence also includes references that equate the scam victimisation to a normal transaction (e.g. ‘it’s confidentiality fee’), and scammers even plead with a victim not to hate them, as they are only doing their job. Some of the emails also point out that the amount asked for is reasonable and not likely to affect the victim a great deal financially. This may make some victims more likely to pay the ransom and less likely to report it, as frauds that result in smaller losses are reported less frequently. Therefore, some scammers purposely keep the amounts low to avoid detection.

Feeling helpless

But the most worrying component of such emails is that they induce helplessness.

The scammer reminds the potential victim that, although they can report the blackmail to the police, their efforts would be futile because the scammer is located in another country or is undetectable. Some also stress that any investigation is likely to take a long time:

Should you are wondering about going to the cops, very well, this email message cannot be traced back to me. I’ve covered my moves.

Some even point out that the victim, should they go to the police, will run out of time before the information about them is released:

You can go to cops, but searching me is more long-lasting than one day.

If a potential victim feels they have no control over the situation, they are more likely to accept it and agree to the terms of the blackmail than try to fight it. Therefore inducing helplessness may be a deliberate tactic in such correspondence, designed to render the victim silent and ensure compliance.
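The pattern described above (a technical "how I hacked you" story, a payment demand usually in bitcoin, a deadline, shaming language and a "going to the police is futile" line) is regular enough that a mail filter or awareness tool can score incoming messages for it. The following is an added example, not code from The Defence Works or from this article: it assigns one point per indicator category present and flags a message when three or more categories co-occur, so that a genuine invoice reminder (payment plus deadline) is not flagged on its own. The keyword lists are assumptions chosen to illustrate the article's categories, not a vetted ruleset, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicator categories follow the article's description of the sextortion pattern.
# The regexes themselves are illustrative assumptions, not a production ruleset.
INDICATORS = {
    "hack_narrative": [
        r"\b(rootkit|trojan|keylogger|exploit|malware)\b",
        r"\b(cve-\d{4}-\d+)\b",            # scam emails cite real CVE ids to sound credible
        r"\b(vnc|remote desktop|rdp)\b",
        r"\b(webcam|camera)\b",
    ],
    "payment_demand": [
        r"\bbitcoin\b|\bbtc\b",
        r"\b(bc1|[13])[a-z0-9]{25,61}\b",  # rough shape of a bitcoin address
        r"\b(confidentiality fee|pay|payment|transfer)\b",
    ],
    "urgency": [
        r"\b\d+\s*(hours?|days?)\b",
        r"\b(deadline|within|timer|countdown)\b",
    ],
    "shame": [
        r"\b(pervert|dirty secret|weird taste|embarrass|shame|humiliat)\w*",
    ],
    "helplessness": [
        r"\b(cops|police)\b",
        r"\b(cannot be traced|untraceable|covered my (moves|tracks)|another country)\b",
    ],
}

FLAG_THRESHOLD = 3  # categories that must co-occur before a message is flagged


@dataclass
class ScoreResult:
    # category name -> sorted list of distinct matched phrases
    categories: dict = field(default_factory=dict)

    @property
    def score(self) -> int:
        return len(self.categories)

    @property
    def likely_sextortion(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def score_email(body: str) -> ScoreResult:
    """Score a message body by how many sextortion indicator categories it hits."""
    text = body.lower()
    hits = {}
    for category, patterns in INDICATORS.items():
        matched = {m.group(0) for p in patterns for m in re.finditer(p, text)}
        if matched:
            hits[category] = sorted(matched)
    return ScoreResult(categories=hits)


def explain(result: ScoreResult) -> str:
    """Human-readable triage line for an analyst or an awareness-training tool."""
    verdict = "LIKELY SEXTORTION" if result.likely_sextortion else "not flagged"
    details = "; ".join(f"{c}: {', '.join(v)}" for c, v in result.categories.items())
    return f"{verdict} ({result.score}/{len(INDICATORS)} categories) {details}"


# Constructed sample messages (not real emails).
SAMPLES = {
    "sextortion": (
        "I hacked your Cisco router using CVE-2018-0296 and installed a rootkit on "
        "your device. I watch you through VNC and your camera. I know your dirty "
        "secret, you are a big pervert. Pay 500 USD in bitcoin to "
        "1ExampleExampleExampleExampleXX within 48 hours. It's a confidentiality fee. "
        "Do not go to the cops, this email cannot be traced."
    ),
    "invoice": (
        "Hi Sam, please find attached invoice 4471. Payment is due within 30 days "
        "of receipt. Thanks, Accounts team."
    ),
    "patch_notice": (
        "Heads up: we patched the office Cisco router for CVE-2018-0296 last night. "
        "No action required."
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} -> {explain(score_email(body))}")
```

The threshold is the important design choice: any single category (a CVE id in a patch notice, a deadline in an invoice) is common in legitimate mail, so the rule only fires when the distinct persuasion components the article identifies appear together. Matched phrases are returned rather than just a score so that a training tool can show the user which manipulative elements the message relied on.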

Sextortion scams are on the rise and affect a great number of people.  It is important to report them instead of keeping them a secret.  Individuals are encouraged to stop and check the facts and take the time to let the feelings of fear subside before acting.

Want to learn more about empowering your employees to help them stay safe in their personal life, as well as at work?  Why not sign up for a free demo and find out how we’re already helping organisations just like yours.
