How to protect yourself from 'sextortion' scams

Email fraudsters are using personal information to make their threats seem credible. Here's what to watch out for and how to keep your information safe.

An email "sextortion" scam is putting a salacious new twist on old fraud tactics, but you can keep yourself and your information safe with some tried-and-true preventive measures, according to a cybersecurity expert at the University of Alberta.

"Scams preying on human emotions aren't new, but what stands out about this sextortion scam is how they're trying to blackmail somebody using something that would be the most sensitive or embarrassing thing you could hold over them," said Gordie Mah, the U of A's chief information security officer. "And the personal information is the bait."

How it works

Sextortion is a type of online extortion scam in which someone threatens to distribute your private and sensitive material if you don't give them sexual favours, sexual images or money.

In this case, the perpetrators grab your attention with a piece of your compromised personal information: a password you use now or have used recently, or even your driver's licence. Then they claim to have installed malware on your computer and to have a recording of you watching sexually explicit material. If you don't pay their Bitcoin ransom, they threaten to release the video to all of your contacts, including friends, relatives and co-workers.

In reality, the scammers behind sextortion attempts are working from lists of usernames, passwords and other personal details that were exposed in website data breaches over the past few years. The password quoted in the email was looked up in one of those dumps; it is not evidence that anyone has accessed your computer. They don't actually have any private or sensitive material to threaten you with, and you should not reply to the email or give in to their demands, said Mah.

He noted that, unlike phishing scams that claim to come from law enforcement or government agencies, the ransom demands in sextortion scams aren't as easy to discount.

"The targeted victim knows the scammer is a criminal, but it would add to the realism that this is a sophisticated criminal, good enough to have recorded what they claim to have recorded. And demanding payment in Bitcoin would make sense as well, because the payment recipient remains anonymous."

What to do if you get the email

"Trust your instincts. Think before you respond: don't reply, don't pay the ransom, don't click on that link," said Mah, who added that checking Have I Been Pwned? will give you a better idea of which organizations' data breaches the perpetrators may have pulled your information from.

He noted the fraudulent emails have telltale signs marking them as scams. Watch for generic greetings that don't mention you by name, frequent spelling and grammatical errors, and urgent or threatening language meant to scare you into paying the ransom immediately.

"Take a breath, take a moment to think. Buying that time will allow you to look at it with a clear head," said Mah.

Keep your information safe

To reduce the likelihood that scammers will grab personal information to use against you, Mah recommended being mindful of what you're putting out there, especially on social media, where scammers are moving as email providers shore up their defences against scams.

"Be mindful of what you place on social media sites and accounts. Try to be as aware as you can of how they're going to handle your information. Are they going to share it with third parties?"

It's also a good idea to keep an eye on what family members may be inadvertently revealing, Mah said.

"Watch all the 'side doors' in your human network, and don't share your passwords with them. It's not that you don't trust your kids or spouse; it's that there's less window of opportunity for those passwords to be used in an illicit way."

He suggested using options like two-factor authentication, which confirms your identity with a second step such as a code sent to your phone when you log in to your accounts from a new device, and a password manager, which keeps your passwords encrypted and may even alert you if one of your accounts turns up in a data breach.

"Change your password immediately if you suspect one of your accounts has been hacked," he said. "Use strong passwords that are difficult to guess, and don't reuse the same password for more than one account, especially valued accounts like online banking."

- with files from Sean Townsend