A new form of sextortion scam bilks unsuspecting victims out of money after telling them they've been recorded privately on home security cameras.
It's an alarming new version of the old scam where criminals try to convince you they have illicit recordings or information about you, which they'll release unless you pay them a ransom, said Kiri Addison, head of data science at IT security company Mimecast. She said Mimecast recorded a huge spike in the new tactic, with more than 1,600 scam emails intercepted in just a two-day period from Jan. 2 to Jan. 3.
"This one is a bit different. It stood out, because it's really convoluted in a way," Addison said.
"It starts out with a single email saying 'we've got some nude photos of you.'"
The email then provides a link that leads to a landing page on a website, showing generic footage from a Nest camera or another surveillance camera in a common area, like a bar or restaurant. This, according to the ransomers, is supposedly an area familiar to the victim. The generic footage, which looks like any location the average person may have visited in the last week, is meant to convince the victim he or she has been recorded elsewhere, possibly via smartphone, for a long period of time.
"Imagine everything you have done in over 11 months and imagine what we have seen you do," one such landing page reads. "Your videos are currently being uploaded on several porn websites and you have only one week until they [are] free for the public to view."
The scam has emerged after several worrying videos showing how criminals were able to gain access to home cameras, including Google's Nest cameras, Amazon's Ring cameras and even -- in previous years -- baby monitors.
The scam, like most sextortion scams, relies on "social engineering," a process through which the scammer induces shame, panic or guilt in a victim in order to get them to act quickly -- often without thinking.
After the initial email, the scammers lead the victim through an elaborate maze, asking them to sign up for another type of email address, where they will supposedly receive further proof and information.
More "proof" may come in the form of a generic smartphone recording image, and further messages often ask users to set up yet another email address.
Along the way, they ask the victim to establish a bitcoin wallet and pay around $500 in cryptocurrency to keep the supposedly damning photos or video from being released, according to the research from Mimecast. The company does not track statistics on how many people have fallen for the scam.
The photos and video don't exist, Addison said. The fraudsters make the scheme complicated so it's harder for security companies to trace the email threads or track the origins of the criminals' bitcoin wallet.
"It also gets the [victim] a little more involved, and has the effect of, psychologically, getting them more worried," Addison said.
Sextortion frauds are very low-tech and cheap to pull off. As a result, they're very common.
In most cases of sextortion, a victim simply receives an email that uses tactics -- such as displaying a stolen password from a victim's old email account -- to convince the victim his or her email account was hacked. In most of these cases, the criminals never have access to a victim's information at all.
In a rarer and more damaging version of sextortion that often targets teenagers, a criminal convinces a victim to send explicit images -- and then threatens to release them unless the victim pays a ransom. In September, the FBI began an initiative to crack down on this type of crime, with an emphasis on middle- and high school-aged children.
Overall email extortion complaints rose 242% in 2018 to 51,146 reported crimes, with total losses of $83 million. While the FBI does not break out sextortion from the total number of extortion crimes reported, a spokesperson told CNBC last year that the majority of extortion complaints received were part of a sextortion campaign.
If you receive a sextortion email, the best thing you can do is ignore it.
Although internet-connected cameras and smartphones can be hacked, this is a very rare event. It is practically unheard of for such a hack to be combined with an extortion demand.
If you are still worried, update your spam filters to make sure they are catching the latest versions of sextortion scams. You can also change passwords or use a password manager, along with multifactor authentication, to be confident your email and personal information on other websites are secure.
You can also report alarming emails to your company's IT department or local police, or to the FBI's Internet Crime Complaint Center online.