SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Sextortion scams surge with personal data to extort money

Today

New research from Barracuda reveals a global rise in personalised sextortion attacks, in which cybercriminals use victims' personal information to intensify blackmail pressure.

Sextortion scams involve criminals demanding money by threatening to release explicit imagery alleged to be stolen from victims' devices. The latest Barracuda research highlights a worrying trend, where criminals now incorporate detailed personal data, including victims' full names, phone numbers, and residential addresses, to make threats more convincing.

In some instances, images of victims' homes sourced from Google Maps are included in the threatening emails, adding a new level of personal invasion. This tactic presents victims with a challenging choice: ignore the demands at the risk of exposure, or pay to ensure their privacy.

"Sextortion attacks are on the rise globally, with hackers using victims' addresses and photos of their homes to personalise the attacks and increase the pressure to pay," Barracuda stated in the report.

Barracuda researchers have noted that these extortion demands have increased significantly. Where once individuals were extorted for a few hundred dollars, demands now often reach thousands of dollars, with payments sought in cryptocurrency. This increase is supported by the use of quick response (QR) codes, making transactions simpler for the victims.

Australian authorities have been urged to remain vigilant as the impact of these scams can be severe, both in financial terms and emotional toll. The arrest of two men in Nigeria over the sextortion of an Australian teenager, who tragically took his own life, underscores the critical nature of the issue.

Barracuda's analysis shows that sextortion emails constitute approximately 3% of the targeted phishing attacks detected annually. The report elaborates on the modus operandi, where personalised details such as names and contact information are strategically used in email openings, often starting with phrases that warn of impending personal visits or calls.

"I know that calling [telephone number] or visiting [street address] would be a better way to have a chat with you in case you don't cooperate. Don't even try to escape from this. You have no idea what I'm capable of in [city]," illustrates a typical opening line from such emails, demonstrating the aggressive tone adopted by attackers.

The research further details how sextortion emails have evolved, with templates varying mainly in the lines that precede the Google Maps image of the victim's address and the payment instructions. Phrases like "See you here?" or "Is this the right place to meet?" are commonly used.

Efforts to curb these crimes include leveraging AI-based protection to detect extortion emails, deploying account-takeover protection to prevent compromised accounts from launching attacks, and enhancing security-awareness training for users to identify and report fraudulent activity. Proactive investigation measures, such as monitoring email origins and content, are also recommended.

Barracuda emphasised the importance of maintaining system security to prevent exploitation by malware, a potential consequence of sextortion scams when emails breach inbox defences.

Given the evolving tactics of cybercriminals, Barracuda stresses the necessity for continuous updating of browsers and operating systems, alongside comprehensive user education and simulated phishing exercises, to effectively mitigate the threats posed by such scams.
