Cyber blackmail and sextortion scams: What employees need to know

3 Dec 2020

Blackmail is a common practice among cybercriminals. Although most of the threats are fake, many employees lack the knowledge to recognize them and are easily taken in. Therefore, it’s crucial to constantly raise awareness and talk about online scams – including sextortion.

The concept of blackmail is said to date back to the 16th century, but the internet has taken it to new heights. Cybercriminals use a variety of blackmail and extortion techniques to target victims—and while the threats are usually fake, your employees need to be aware of these scams. 


Recently, so-called sextortion emails have been increasingly popular with criminals, usually going something like this: 

“Hello, my friend. You don’t know me, but I know you very well. Better than you’d expect, lol. This is your password, right?”


Emails like these often show up in employee mailboxes. The blackmailer usually claims to have recorded the recipient through their webcam while they were watching adult content—and demands that the addressee pay up, or the hacker will tell their family and co-workers or share explicit videos taken from their webcam.


These threats are petrifying enough that recipients often don’t want to take a risk and will pay the desired sum—which is exactly what they shouldn’t do. Take a proactive approach to the problem and let your employees know that sextortion scams are becoming more common—and that you want to make sure that no one is victimized.


Explain the concept

Email sextortion scams are mostly swindles. They depend on social engineering, which is the psychological manipulation of people into performing actions or divulging confidential information. These extortionists try to look real, believable and confident—for example, claiming to have the victim’s password and access to their webcam—when often, they’re simply bluffing.
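The message structure described above (a claimed password, a webcam claim, a threat to contact family or co-workers, and a demand for Bitcoin within a deadline) can be turned into a simple indicator check that a mail-security team can run over a suspicious email before an employee reacts to it. The following Python is an added example, not code from the original article; the indicator phrases, the scoring threshold, the Bitcoin-address pattern and both sample emails are constructed assumptions. It also pulls out the password the scammer quotes, because the employee's first action should be to change that password wherever it is still in use.

```python
import re

# Indicator patterns, phrased from the typical sextortion email described in
# the article (assumption: these are illustrative, not a production ruleset).
INDICATORS = {
    "claims_password": re.compile(
        r"\b(this is your password|your password is|i know your password)\b", re.I),
    "claims_webcam": re.compile(r"\b(webcam|camera|recorded you|video of you)\b", re.I),
    "adult_content": re.compile(r"\b(adult (content|site|website)|porn\w*|explicit)\b", re.I),
    "threatens_exposure": re.compile(r"\b(family|co-?workers|colleagues|contacts|friends)\b", re.I),
    "demands_bitcoin": re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline": re.compile(r"\b(\d+\s*(hours?|days?)|within \d+)\b", re.I),
}

# Legacy (P2PKH/P2SH) Bitcoin address shape: base58, 26-35 chars, starts with 1 or 3.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# The scam usually quotes the password right after "This is your password, right?"
CLAIMED_PASSWORD = re.compile(r"this is your password,? right\?\s*([^\s.]+)", re.I)


def analyze(text):
    """Return indicator hits, a score and a verdict for one email body."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(text)]
    if BTC_ADDRESS.search(text):
        hits.append("bitcoin_address")
    m = CLAIMED_PASSWORD.search(text)
    score = len(hits)
    # Threshold of 3: a single word like "family" or "camera" in a normal
    # email must not trip the rule on its own.
    if score >= 3:
        verdict = "likely-sextortion"
    elif score == 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "hits": hits,
        "score": score,
        "verdict": verdict,
        "claimed_password": m.group(1) if m else None,
    }


def recommended_action(result):
    """Turn the verdict into the advice the article gives employees."""
    if result["verdict"] == "clean":
        return "No sextortion indicators found."
    steps = ["Do not reply, do not pay, do not open links or attachments.",
             "Forward the email to the IT/security team."]
    if result["claimed_password"]:
        steps.insert(0, "Change the quoted password everywhere it is still used.")
    return " ".join(steps)


# Constructed sample emails (not real messages).
SAMPLE_SCAM = (
    "Hello, my friend. You don't know me, but I know you very well. "
    "This is your password, right? Hunter2023. I installed malware on an adult "
    "website you visited and recorded you through your webcam. Pay 1500 USD in "
    "Bitcoin to 1DemoFakeAddressNotRea1zzzzzzzzzz within 48 hours or I send the "
    "video to your family and co-workers."
)
SAMPLE_LEGIT = (
    "Hi team, reminder that the quarterly security training is due Friday. "
    "Please complete the module in the portal. Thanks, IT"
)

if __name__ == "__main__":
    for body in (SAMPLE_SCAM, SAMPLE_LEGIT):
        r = analyze(body)
        print(r["verdict"], r["score"], r["hits"])
        print("  ->", recommended_action(r))
```

The score counts independent claims rather than keywords, so the rule stays quiet on ordinary office mail that happens to mention colleagues or a deadline, while the constructed scam trips every indicator. A real mail gateway would combine this with sender reputation and header analysis; the point here is that the scam template itself is recognizable.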


The FBI offers these tips to avoid being targeted in the first place:

  • Do not open emails or attachments from unknown individuals.
  • Do not communicate with senders of unsolicited email.
  • Don’t store sensitive or embarrassing photos or information online or on your mobile devices.
  • Ensure that security settings for social media accounts are activated and set at the highest level of protection.

Tell them not to pay up

Scams are a great business: According to the FBI’s Crime Complaint Center, in 2018, extortion by email caused losses of around $83 million, most of them coming from sextortion campaigns.


The main purpose of sextortion emails is to make the victim pay – preferably in Bitcoin, which allows the hackers to collect the money anonymously. These demands can be in the thousands of dollars – and once the target of the scam pays up, they may receive additional threats and demands.


This is why experts say a victim should never respond to demands for money (or for information such as passwords, account details, etc.).


Talk about password best practices

The attacker may actually have the employee’s password, but that’s probably all they have. Mentioning a real password is just another technique to make the recipient feel nervous. Educate your employees on how the password market works. Explain that hackers often buy stolen passwords, which may have been revealed during a data breach, on the dark web at a fairly low price.


Most importantly, use this opportunity to remind employees of best practices when creating a strong password or passphrase. Explain that the password-selling business is exactly the reason why everyone needs to change their password periodically. As a business owner, you should strongly consider implementing two-factor authentication as an additional layer of protection.
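Because the password quoted in a sextortion email usually comes from an earlier data breach, a useful follow-up to the password talk is to check whether a password appears in a known breach corpus without ever sending the password itself. The following Python is an added example, not code from the article; it simulates offline the k-anonymity range-query scheme used by Have I Been Pwned's Pwned Passwords service (SHA-1 hash, first five hex characters sent, matching suffixes returned), with a small constructed breach dump standing in for the real corpus.

```python
import hashlib

# Constructed stand-in for a leaked password dump (assumption: not real data).
CONSTRUCTED_BREACH_DUMP = ["password", "123456", "qwerty", "Hunter2023", "letmein"]


def sha1_hex(text):
    """Upper-case hex SHA-1, the digest form the range-query scheme uses."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_index(plaintexts):
    """'Server side': group breached hashes by their 5-char prefix.
    The server stores hashes only, never the plaintexts."""
    index = {}
    for p in plaintexts:
        h = sha1_hex(p)
        index.setdefault(h[:5], []).append(h[5:])
    return index


def range_query(index, prefix):
    """'Server side': answer a query with every suffix under that prefix.
    The server learns only 20 bits of the hash, never the password."""
    return index.get(prefix.upper(), [])


def is_breached(password, index):
    """'Client side': hash locally, send the prefix, match the suffix locally."""
    h = sha1_hex(password)
    suffixes = range_query(index, h[:5])
    return h[5:] in suffixes


if __name__ == "__main__":
    idx = build_index(CONSTRUCTED_BREACH_DUMP)
    for candidate in ("Hunter2023", "correct horse battery staple 7!"):
        print(candidate, "->", "BREACHED, change it" if is_breached(candidate, idx) else "not in dump")
```

The client function is the only place the plaintext exists; the index and query functions see a prefix and a list of hashes, which is why a password manager or an account-creation form can safely run this check against a third-party corpus. In practice the index is the provider's database and `range_query` is an HTTPS call, but the privacy property is the same.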


Discuss how to react

If the criminal does indeed have the correct password, advise your employees not to panic—but to change that password immediately, everywhere it is in use. They shouldn’t reply to the email or pay the ransom, nor should they click on any links or attachments in it. In addition, your IT staff or internal security department should be alerted about the email.


Cyber blackmail, sextortion and other online threats can be reported at the FBI’s Internet Crime Complaint Center.

Read also


Impersonation: When an Attacker Is Posing as the CEO

You have probably heard about social engineering – psychologically manipulating people into involuntarily revealing sensitive information. Let's take a look at impersonation, another non-technical attack technique used by cybercriminals to pretend to be trustworthy people while trying to manipulate others (e.g., to order and approve fraudulent transactions). How do you recognize when you are contacted by a cybercriminal instead of your colleague?


How Not to Fall Victim to Social Engineering

Humans are emotional beings, and social engineering is a very effective way to take advantage of that. What’s more, social engineering attacks such as phishing or spreading malicious links don’t usually require highly specific technical skills on the side of the attacker. Forcing thousands of users to give up sensitive information or perform harmful actions has so far proven to be rather easy! Don’t be fooled – even when your business is small, you might still become a target.


It’s high season for phishing – here’s how to spot fraudulent emails before they cause any harm

Your employees have probably already received emails that appear to come from a bank or other popular online service, requesting that they “confirm” their account credentials or credit card number. This is a common phishing technique – if they click on the link in the email, they hand access to hackers and their malicious intentions. Unfortunately, phishing lures are constantly changing – and they’re sometimes hard to recognize.