FRAUD RESOURCE CENTER
According to a May 2019 AARP study, people are more likely to respond to threatening scam messages than to those that promise rewards. That might explain the growth of email extortion scams that threaten to publicize compromising information about you — true or not — if you don’t make a quick payment.
Extortion scammers have a valuable scare tactic at their disposal: They show in their messages that they know a password you’ve used for online accounts. They claim they’ve implanted malware on your computer that lets them capture your keystrokes, watch through your webcam and amass evidence that you, say, frequent adult websites. And they say they’ll share that information with all your email and social media contacts — perhaps with a video of you enjoying your viewing — unless you pay hush money, typically several hundred dollars in the form of Bitcoin.
Don’t panic. There’s little chance the cyber-blackmailer has really invaded your computer. Extortion scammers send out threats indiscriminately, using big batches of email addresses and associated passwords that they likely obtained on the black market following big corporate data breaches. They hope to stumble across a few people who don’t change their passwords regularly or do have some secret they don’t want known. That there have been actual cases of hackers gaining access to people’s webcams gives the scam a veneer of plausibility. To make it even more intimidating, some scammers tinker with their email messages, filling in the “From” section with your actual email address to create the illusion that they have control of your account.
This ruse is rampant. Cybersecurity company Symantec says its software blocked almost 289 million extortion emails in the first five months of 2019. When the message does get through, it can be lucrative. The FBI’s Internet Crime Complaint Center (IC3) documented 51,146 cases of online extortion in 2018, with victims suffering losses of $83.4 million. The pornography scenario, termed “sextortion,” accounted for the majority of extortion complaints, according to the FBI. But online extortionists might also claim to have caught you cheating on a spouse, or to have planted a bomb in your office building.
- The email includes a password you use online or one you used in the past.
- The message seems generic and doesn’t cite any specific websites the sender claims you visited.
- The threat is poorly worded and includes grammatical errors.
- You are given a short deadline to respond, typically a day or two — a classic high-pressure scam tactic.
- Do a web search for a phrase or two from the threatening email, to see if it’s a spam message that’s been sent to many people.
- Do change the password you use for a website you’ve learned has been hit by a data breach.
- Do use two-factor authentication when it’s available. With two-factor authentication you need something besides your password to enter a website — for example, a code the site’s owner texts to your phone. This means a hacker can’t access your account with just a stolen password.
- Do keep your operating system, web browser and antivirus programs up to date.
- Do cover the lens on your computer’s webcam with a piece of opaque tape when you’re not using it, to block a hacker who might actually use it to spy on you.
- Don’t reply to an extortionist’s email.
- Don’t pay up in hopes that the blackmailer will go away. He or she may just ask for more money.
- Don’t keep using the password the scammer mentioned in the email. Change it immediately.
- Don’t use the same password for multiple sites. If you have trouble keeping track of multiple passwords, use a password manager to track and store them.
- Don’t click any links or open attachments in an extortion email. They could be ploys to infect your computer with malware.
- Report online extortion attempts to the IC3 or to an FBI field office in your area. Include the sender’s email address and payment information, if provided (for example, the number of his or her Bitcoin “wallet”), which may help with the investigation.
- The website Have I Been Pwned? collects information from major data breaches and lets you check whether email addresses and passwords you use for online accounts may have been compromised. You can learn about how the site handles that data on its privacy page.
Published August 28, 2019