New twist on sextortion scam includes pictures of people's homes
The extortion attempt arrives as an email with a PDF attached. When opened, the document includes a photo of a family's home, and often the person's address and phone number. The scammers claim that the recipient has been spotted in unseemly places on the internet, and they can destroy that evidence — for a fee.
Similar sextortion tactics have been around for years, but this latest strain has drawn fresh attention from law enforcement agencies around the country. The PDFs are particularly intimidating in how they harness victims’ personal data.
Examples of two of the emailed letters seen by Recorded Future News feature an anonymous sender telling the recipient they have caught them watching porn and will reveal that fact to all of their contacts unless they pay about $2,000 in bitcoin. The tone is typically chatty, but sinister.
One of the emails alleges the scammer used Pegasus spyware — a powerful tool typically only available to government agencies — to see the victim’s online activity.
“I can look at everything on your display, switch on your camera and mic and you wouldn’t even notice,” the letter said. “Yeah, yeah I’ve got footage of you doing filthy things in your house (and nice set up by the way).”
PDFs sent to two other victims who spoke with Recorded Future News also included the victim’s or a family member’s cell phone number and home address in the email subject line.
While the FBI’s Internet Crime Complaint Center (IC3) did not have information to share on the trend, the New York State Police and police departments and sheriff’s offices in Washington, D.C., Florida, Alabama and Washington state have recently issued alerts.
The Metropolitan Police Department in Washington, D.C., said it believes the scammers are sending home photos they have found on Google Maps.
The photos of victims’ homes is a notable development, said Jeff Jockisch, co-founder of the privacy recovery tech company ObscureIQ, which advises clients on how to handle sextortion emails and other breaches of personal data.
Jockisch, who has heard from four contacts or clients who have been victims of the scam in the past week, said many of the sextortion emails featuring homes should be ignored even if they are scary.
“It feels more invasive with the picture of your home,” Jockisch said.
Scammers are using tools to automatically gather data and images from the web and send emails on their behalf, he said.
“They're doing this at mass,” Jockisch said. “They're not even looking at [the emails]. They just start sending it out.”
A victim in the Washington area told Recorded Future News he received the email attempting to con him out of $1,950 last Sunday night. The victim said he does not usually open emails from people he doesn’t know, but he opened the scammer’s note because his cell phone number and home address appeared in the subject line.
A PDF attached to the email featured a photograph of his home, the victim said.
The email told him he’d been a “naughty boy” and that the scammer had caught him visiting porn sites and in some cases violent ones.
“They were trying to panic whoever saw [the email] that this being revealed publicly would be very embarrassing,” he said. “It was disconcerting to me to see my home address and my cell phone number there.”
Along with the photo of his home, the victim said the sextortionist warned him that they knew where he lived.
Although it’s relatively easy for scammers to find cell phone numbers, home addresses and photos online through people search sites, Zillow and Google Maps, the victim said “it is enormously disturbing when someone reveals a photograph of your house.”
The problem underscores the harm which data brokers do, the victim said, citing how easy it is to find personal data online.
“Even highly sensitive information is constantly monetized and sold and made available, whether it's for nefarious purposes or just to bombard you with telephone calls or emails,” he said. “And there's absolutely no controls for it.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.