Sextortion scams - What you need to know

In this series I have already covered several forms of online crime, for instance ransomware, phishing and tech support scams. They all have something in common: deception techniques. Criminals try in every possible way to convince people to download a malicious attachment, click a phishing link or believe their computers have viruses. They try to exploit people's greed, create a sense of urgency, use scare tactics, and so on.

In this post I want to raise awareness about sextortion scams as they are very prevalent at the moment.

What are sextortion scams

This is how Lexico defines sextortion.

The practice of extorting money or sexual favours from someone by threatening to reveal evidence of their sexual activity.

In this post I want to focus on the scam mails that try to extort money from people. Such an email can look like this, for instance.

In this case criminals threaten to leak compromising screenshots to your family and friends. To add credibility to their claims they show your email address and password, and they mention a particular critical vulnerability. The average user doesn't understand this vulnerability, but it sounds scary, right?

How can you recognize such a scam?

There are a few common patterns in these scam mails you should be aware of.

  • They extensively use scare tactics.
  • The criminals will try to convince you they have information about you. They show a username with the corresponding password, for instance.
  • They will also often ask for an amount in bitcoin, as we can see in the screenshot below. Bitcoin is a digital currency criminals use because it makes it very hard to trace them.

What you should understand

People who receive such an email might think it's a targeted attack against them. This is not the case: these emails are sent to a large number of people.

The previous email starts with:

"Hey, I know your password is: lady123"

Well, by simply using Have I Been Pwned I can see that the password "lady123" has been found 10,685 times in different data breaches.

Have I Been Pwned "only" contains the leaked passwords from 410 data breaches at the time of writing. The password "lady123" has thus been leaked a lot more than 10,685 times.

The criminals use lists of leaked username and password combinations that are easy to find on the internet. They send an email to every email address in such a list, and in each email they show the corresponding password for that address. They know that there will always be people who still use that leaked password - for instance "lady123" - for that particular email address.

I checked the balance of the particular bitcoin address in the extortion email and unfortunately several people fell for the scam and paid the criminals an amount of bitcoin.

Bitcoin wallet address balances can be checked by anyone

The first example I showed was a sextortion mail that I received. My email address was correct, but the password was a really old one. But if you receive such an email that contains a username and password that you're still using, change the password immediately. Here you can find some guidance on how you can create strong passwords.

Also, if the criminals really had screenshots of you or access to the files on your computer, they would use them in the email. If you ever receive emails containing screenshots of yourself or files from your file system, contact the police immediately.

What to do if you fell for this kind of scam

Don't be ashamed, report this fraud to the police. It might help them to catch the scammers and maybe you can get your money back.


It makes me really sad to see that so many people still fall for this type of scam and pay the criminals out of fear. Keep in mind you should never pay criminals. I hope the tips in this post help you to identify these scams. And keep in mind, whenever you are in doubt, contact a tech-savvy friend or even call the police.

That's it for today. More security awareness is for tomorrow. In the meantime stay safe online!

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life