Sextortion

Cybersecurity Glossary

Sextortion is blackmail using sexual content. Some people also call this type of attack the “porn scam”.

In sextortion, criminal actors claim to be in possession of compromising material about their victims and threaten to publish it.

Hence the name “sextortion”, which is made up of the English words “sex” and “extortion”. Extortion means blackmail.

How do cybercriminals carry out sextortion attacks?

Sextortion can take place in different ways. The police, for example, basically distinguish between two phenomena:

  • Sextortion after contact via social media or similar
  • Sextortion after data leaks

In both cases, it can be assumed that the blackmailers actually have sensitive material from their victims.

Sextortion after contact via social media

In this case, the threat actors contact individuals directly and write to them. Once sufficient trust has been established, the perpetrators ask their victims to perform certain acts of a sexual nature. This can happen in front of the camera, but can also involve videos and pictures that victims take of themselves and send to the attackers. The attackers save the material and use it to put the victim under pressure and extort money. The criminals rely on social engineering methods here: they build a relationship with the victim and exploit the situation once the victim trusts them. A similar approach can be seen in some phishing attacks, which also appeal to human emotions such as curiosity, fear and shame in order to trigger certain reactions, such as passing on confidential information.

Sextortion after data leaks

In this case, the criminal actually has access to the computer and can view files. This can happen, among other things, through viruses and other malware planted on the system, cracked passwords, or the use of unsecured Wi-Fi connections. Once the attacker has access to the systems and data, they can search specifically for compromising material to use in the blackmail attempt. This can include pictures and videos that show the victim. But the perpetrators also use chat histories, lists of sites visited or pornographic material actually consumed to put the victims under pressure.

Another method – playing on fear

In addition to these two types of attacks, there are also blackmail attempts in which the attacker only plays on fear and appeals to the victim’s sense of shame, but does not actually have any compromising material whatsoever. Here, blackmail letters are sent to people who are often randomly selected, usually by e-mail. The messages explain how the perpetrators apparently got hold of the data, followed by an approximate description of the material that allegedly fell into the wrong hands. Here, too, the criminal hacker tries to extort money. But further damage can also be done, because this method can be used to place malware on the victim’s devices. For example, if the perpetrator includes a link to the allegedly stolen data as “proof” of actually being in possession of the photos or videos, the victim only has to click on the link and malware is downloaded.

How likely is it to become a victim of sextortion?

You may wonder how likely it is – especially in the work context – to become a victim of sextortion and what the concrete threat of this fraud is. In fact, it’s not that far-fetched. According to the Federal Office for Information Security’s (BSI) status report on IT security in Germany 2022, sextortion emails account for the largest share of extortion emails at 76 % and are now one of the top 3 cyber threats to society, along with identity theft and fake shops.

Protection from sextortion

There are some measures you can take to protect yourself – albeit often rather indirectly – from sextortion.

Invest in a minimum standard of cyber hygiene.

This will prevent criminal hackers from easily and quickly gaining access to your computer and thus to your systems and data. This includes, among other things:

  • Use strong and unique passwords
  • Update your technical protection measures regularly and promptly
  • Enable multi-factor authentication where possible and appropriate

Attention: Regardless of sextortion attempts, we advise you not to click on a link in an e-mail that seems dubious or suspicious to you, because malware may be hiding behind it. If in doubt, take a detour instead: search for the pages in your browser and open them that way.

Online behaviour

In general, you should be cautious on the internet. A healthy level of suspicion is particularly beneficial when confirming contact requests, especially from people you do not know. Do not share confidential or sensitive information by e-mail, text message or on the phone. With regard to possible sextortion attempts, you should always be careful about whom you send sensitive photos or recordings to. It is also advisable not to perform intimate acts in video calls, as the other person may save the video or take screenshots, and the material may be used against you. This can also apply to people you know and actually trust.

Are you already being blackmailed?

Do not give in to the demands and do not pay. Contact the police and report the case. Discuss the next steps with the competent authority. Experts can then help you solve the case. Hiring IT security experts can also help you. With the help of cyber experts, you can find out if and how criminal actors have gained access to your computer. In this way, many an extortion attempt can be nipped in the bud if it can be determined that no criminal hacker had access to sensitive data.