The United Kingdom’s National Cyber Security Centre (NCSC) has issued a warning about the rise of sextortion scams that exploit individuals’ emotions for financial gain. American sexual assault victims have been personally targeted through phishing attacks in which phishers threaten victims by claiming to have captured rape videos or nudes. To prevent the public dissemination of this purported material, perpetrators typically demand payment from the victim in cryptocurrency. Victims may be confronted with frightening messages informing them that someone has hacked their webcam. The messages may also tell them that spyware has been installed on their devices.
Sextortion scams are getting trickier. Attackers have learned that a strong sense of urgency and fear can go a long way. In one frequent iteration of the scam, the scammer instructs you to transfer $1,450 (£1,085) to a cryptocurrency wallet. You typically have 48 hours to pay this amount. This arbitrary countdown pressures victims into paying before they have had time to think it through.
Understanding the Mechanics of the Scam
In our experience, the most effective techniques used by attackers have psychological manipulation built in. For instance, they might assert that they used Pegasus spyware to hack the victim’s device. This kind of spyware is capable of both listening to calls and collecting photos. The claim adds an extra element of fear, since Pegasus’ capabilities have become well known, largely thanks to surveillance researchers.
To counter this, the NCSC reminds us that attackers lack definite knowledge about their victims. They don’t know if an individual owns a webcam. They don’t know whether a person’s traffic goes to adult sites, or anything about that person’s online or offline behavior.
“They do not know if you have a webcam, have been visiting adult websites, or the means by which you communicate with people. In short, they are guessing. The phisher hopes to emotionally trigger people so that they will ‘take the bait’ and pay the ransom.” – UK’s National Cyber Security Centre (NCSC)
Many of the phishing emails people receive, some of which include passwords, are now based on stolen caches of personal data from past breaches. The United Kingdom’s National Cyber Security Centre warns people not to be alarmed if they see their password in these messages. Instead, they need to reset that password and turn on two-step verification on all accounts that offer it.
How to Respond to Sextortion Scams
If you think you may have been duped by one of these scams, it is important to move quickly. The NCSC suggests reporting sextortion scams to your local police force by calling 101. Suspicious emails can be forwarded to report@phishing.gov.uk, the UK’s official email reporting service.
If you have sent the scammer any money, act now. Report it to your local police force so they can protect you and others. Only by taking these steps can additional damage be limited and law enforcement be helped to catch the criminals behind it.
The urgency of these scams is on display in alarming audio clips released by the scammers to their targets. One common line reads:
“I’ll be notified when you open my email and from that moment you have exactly 48 hours to send the money.” – The scammer (via the email)
This sort of language is meant to scare you into reactive behavior before you have had a chance to act first.
Protecting Yourself from Phishing Attacks
The best defense against sextortion and other phishing scams is to stay cautious while on the internet. Changing passwords frequently and using two-factor authentication are powerful tools for keeping oneself secure.
On top of this, knowledge of prevalent phishing strategies can equip people to identify shady emails before responding or clicking on anything. The NCSC wants to make sure victims of these scams don’t feel ashamed or alone. These scams are purposely crafted to exploit human emotions and trust.