Which do you fear more: that yours is one of the 100 million personally identifiable records stolen from Capital One or that someone is threatening to reveal a personally embarrassing detail (true or not) about your private life? Say, your sex life or your meanderings among various web porn sites?
In the former case, your life may be disrupted but Capital One is on the hook to make any financial loss good. In the latter case, your reputation may go up in flames, your partner may decide being single again is not such a bad idea, and your job may be at stake.
A new report from Symantec claims the company blocked nearly 300 million extortion scam emails in the first five months of 2019, many of which (the company didn’t specify how many) were sextortion emails. Bomb threat scams also increased during the period. A chart from Symantec clearly shows the trend.
Sextortion emails are fairly easy for spam filters to spot because many of those filters block emails containing Bitcoin addresses in the message body, so attackers are using PDF attachments or “obfuscated text” to bypass the filters. The attackers may claim that they’ve somehow recorded you in flagrante delicto or have a record of your visits to web porn sites.
The emails also typically contain a password or partial phone number (former or current) associated with your email address. While this may make it appear that the attacker has somehow gained access to your private information, the reality is that the personal info likely was obtained from the massive password leaks that have occurred over the past few years. In 2018, some 5 billion personal records were leaked, according to one estimate.
According to Symantec, “In most of these scam emails, the attacker claims to have a recording of you visiting a porn website, though in some cases the attacker pretends to be a member of law enforcement who has found child pornography on your device.” Here’s a typical example.
Sextortion is just another example of how our brave new world is susceptible to inventive criminals. Take comfort in knowing that these guys are not as crafty as others. For example, you can expect hackers to hold an entire city for ransom.
Typical characteristics of the sextortion emails are a threatening tone (in one of 13 languages), an urgency to pay within a short period, and poor spelling and phrasing in English-language emails.
Symantec also believes that there are at least two cybercrime groups still sending the sextortion emails but noted that there are potentially many more. It does not take massive technical skill or a lot of people who pay up for the attackers to rake in more than $100,000 a month.
To protect yourself from extortion and sextortion email scams, Symantec offers four tips: have strong email protection technology in place (which Symantec sells, by the way); do not open emails or attachments, or click on links in unsolicited emails or emails from unknown sources; do not panic, respond or send money to the attackers; use strong passwords and, when you can, two-factor authentication. Symantec also recommends that such emails be marked as spam and, if you believe it to be necessary, to report the email to law enforcement authorities.