Do you back yourself to spot the scams that drop into your email inbox?
Could you teach your friends, family and colleagues to do the same?
If you’re like most people, you probably answered, “Yes, and yes.”
But those questions and answers don’t always tell the full story, because of the sheer variety of scams out there, and the sometimes contradictory nature of the advice that applies to each sort of scam.
Sometimes, what feels like ‘general knowledge’ that is supposed to protect you from all sort of harm turns out not to be as generally useful as you thought.
Sadly, this can play into the hands of online scammers.
In fact, many scammers rely on victims following the advice for one sort of scam specifically to sucker them into a similar-but-different scam instead.
For example, we all know that it’s important to report suspicious online content and activity if we come across it, or to get in touch with our bank promptly if we think someone is trying to defraud us.
In fact, most of us have probably encountered some sort of dubious activity recently that we spotted easily, and that was obviously intended to lure us into sharing personal data such as passwords, login codes, or payment card numbers.
We know perfectly well that we’re supposed to take care with this sort of information, which makes us feel as though we’re rightly and rightfully alert to online crime.
That’s why there’s an entire category of ‘fake fraud alert’ scams in which the crooks pretend to be reporting possible fraud to you, and offering to help, posing as law enforcement, bank officials, tech support staff and more.
If they can trick you into ‘choosing’ to contact them, thinking you’re following fraud prevention advice to protect yourself, they may be able to catch you off guard.
The crooks hope that the advice about reporting one sort of cybercrime will lure you into a similar-but-different sort of online crime.
There’s also the problem that some cybercriminals are happy to assume that you’ll figure out they’re scammers, and may even make it clear all along, hoping to convince you that they have some sort of hold over you, even if you don’t believe all of their claims.
A tragic example of this sort of attack is the so-called porn scam, an odious and offensive type of spam email that is less prevalent today than it was three or four years ago, but common nevertheless.
You’re probably familiar with this sort of thing:
The premise is that the crooks have filmed you through your webcam while scraping your screen to prove you were viewing a porn site at the time, thanks to malware they’ve implanted on your computer:
Even if you always keep your webcam covered when you aren’t using it, have active anti-malware protection, and have no interest in porn, the scammers often try to get you on the hook anyway by including bogus ‘evidence’ in their messages to convince you that the malware part of the story is true.
Hint. If your laptop doesn’t have a built-in webcam cover, you can use a neatly-cut square of electrical tape to shield it. Avoid using a stick-on plastic sliding cover, because these can transfer unwanted forces to the edge of the glass when you close your laptop, and crack the screen.
For example, porn scam messages may include your mobile phone number, or one of your passwords in unencrypted text form, or your full postcode, leaving you wondering whether the crooks really did get hold of that information using spyware implanted on your computer.
In fact, that evidence is typically scooped up from old data breaches that have been dumped online, and is often incomplete, outdated or wrong, but it is worrying nevertheless to see it right there in a threatening email.
Also, the crooks sometimes deliberately fake the sender information on their messages so they seem to come from your very own account, as if to ‘prove’ that they have access to your email, and therefore by implication everything else on your computer.
Email addresses shown next to From and other fields such as Reply-To are as much part of the message itself as the Subject line, so the sender can insert anything they like. You can’t trust those fields any more than the body of the message or its attachments.
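Because the From and Reply-To lines are just text chosen by the sender, the only evidence worth looking at is what your own mail server recorded when it received the message. The following script is an added example (not code from the article or its author) that reads a raw message, pulls out the visible From and Reply-To addresses, and compares them with the SPF, DKIM and DMARC verdicts in the Authentication-Results header that receiving servers add (RFC 8601). It flags the pattern described above: a message that claims to come from your own address but that your provider could not authenticate. The two sample messages, the addresses and the `assess()` function name are all constructed for the demo.

```python
"""
Added example: spot a message whose From: line has been forged to look like
your own address by checking the receiving server's Authentication-Results.

Assumptions (not from the article): the receiving server writes a standard
Authentication-Results header (RFC 8601); the sample messages and addresses
below are constructed for the demonstration.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample 1: a porn-scam style message with From: set to the
# recipient's own address. The receiving server recorded SPF/DMARC failures.
SAMPLE_SPOOFED = b"""\
From: alice@example.com
To: alice@example.com
Reply-To: payme@attacker.invalid
Subject: Your account has been hacked
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.invalid;
 dkim=none; dmarc=fail header.from=example.com
Message-ID: <1@attacker.invalid>

I have installed malware on your computer...
"""

# Constructed sample 2: a genuine note-to-self that the server authenticated.
SAMPLE_LEGIT = b"""\
From: alice@example.com
To: alice@example.com
Subject: Note to self
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Message-ID: <2@example.com>

Remember to buy milk.
"""


def auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} parsed
    from every Authentication-Results header on the message."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(str(header).split())  # collapse folded whitespace
        for part in unfolded.split(";"):
            part = part.strip()
            for method in ("spf", "dkim", "dmarc"):
                if part.startswith(method + "="):
                    # 'spf=fail smtp.mailfrom=...' -> 'fail'
                    results[method] = part[len(method) + 1:].split()[0].lower()
    return results


def domain_of(address):
    """Lower-cased domain part of an email address, or '' if absent."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def assess(raw_bytes, own_address):
    """Assess one raw message for a forged 'from yourself' header.

    Returns a dict with the parsed addresses, the authentication verdicts and
    two boolean findings:
      spoofed_self      From: is your own address but neither DKIM nor DMARC passed
      reply_to_mismatch Reply-To points at a different domain than From:
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    auth = auth_results(msg)

    authenticated = auth.get("dkim") == "pass" or auth.get("dmarc") == "pass"
    spoofed_self = from_addr == own_address.lower() and not authenticated
    reply_to_mismatch = bool(reply_to) and domain_of(reply_to) != domain_of(from_addr)

    return {
        "from": from_addr,
        "reply_to": reply_to,
        "auth": auth,
        "spoofed_self": spoofed_self,
        "reply_to_mismatch": reply_to_mismatch,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, assess(raw, "alice@example.com"))
```

The point of the design is that nothing the sender wrote is trusted on its own: the script only believes the From line when the server that delivered the message also recorded a DKIM or DMARC pass for it. A message that fails that check while also steering replies to an unrelated domain is exactly the ‘it came from your own account’ trick the article describes, and the verdict can be used to tag or quarantine such mail rather than leaving users to judge the headers by eye.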
The cybercriminals hope that even if you dismiss the rest of their message because it matches the archetypal ‘porn scam’ template you have been warned about, you might nevertheless be worried that they really are spying on the rest of your digital life, including snooping on your passwords and online banking.
And although received wisdom says never to pay the crooks, because it’s obviously a scam, perhaps it’s OK to just make contact with them, and see where things go?
After all, if they can ‘prove’ to your friends and family, or to your employer, that they’re definitely spying on you, what if they decide to make the false porn-site allegations anyway, thus creating trouble in your life that you could do without?
As an IT manager of my acquaintance once put it:
“I have seen many instances of this scam. It does panic the user. It’s a similar experience when asked if you are carrying drugs or weapons at airport security. You know you don’t have any, but you’re sweating about what you may say.”
Even when we’re sure that the crooks don’t have the evidence they claim, some of us may nevertheless be troubled enough by the experience itself to dig ourselves into trouble that didn’t exist before.
Those bullish “Yes, and yes” answers about our ability to avoid scammers that we presented at the top of the article are suddenly sounding less certain.
Indeed, and as you may have seen or guessed already, porn scammers who are active in 2024 have taken to including new wording in their boilerplate that’s meant to tap right into our contemporary cybersecurity fears, notably our concerns about AI.
They’ve also taken to stating explicitly that they’re scammers, and therefore that we should be fearful of them for any and all reasons we can think of:
Sadly, as some parts of the cybersecurity industry themselves embrace an ever-larger collection of automated tools and responses, and an ever-less human-centric attitude towards protecting against cybercriminality…
…we’re increasingly at risk not only of assuming that we (or our automated tools) will indeed always be able to say “Yes” to spotting scammers, but also at risk of assuming that everyone else should be able to avoid scammers as well.
It’s an astonishingly small step from that sort of assumption to the self-serving convenience of victim blaming: “We’ve already explained how to spot that sort of scam, so we can’t waste our online lives worrying about those who can’t or won’t listen.”
As we’ve already mentioned, when there’s one sort of online scam that experts have decided is easy to figure out, and for which simple and definitive preventative advice can be given, there may be another scam that sounds surprisingly similar for which that very same advice is entirely invalid, or even dangerous.
A worrying and important example is the cybercrime commonly known as sextortion.
As the portmanteau name suggests, this is a serious crime that combines sex and sexuality with extortion, or blackmail as it is also known.
Unfortunately, the word ‘sextortion’ has been, and sometimes still is, used as a synonym for what we have referred to above as porn scamming, which also brings together sex and blackmail.
In the case of porn scams based on claims of screenshots and webcam videos that the crooks simply don’t have, we can fall back on straight-talking advice such as, “It’s all a pack of lies; delete the message and think no more of it.”
(If the crooks really did have those illegally-scraped videos and screengrabs, surely they’d send you a frame from their video as proof, instead of falling back on the much less convincing ruse of telling you your own phone number or postcode?)
But the crime for which we should now specifically reserve the word sextortion is much more troubling, because the criminals very likely do have revealing videos or photos of their victims, shared in good faith but under false pretences.
In other words, the advice that, “It’s all a pack of lies; just ignore the threat and move on,” which is glibly accurate advice for dealing with the porn scam messages we described above, is not just incorrect but potentially dangerous for sextortion victims.
And although blackmail based on sexual images shared by adults is a serious matter in its own right, the crime is especially troubling when younger people are drawn in, and has even led under-age victims to kill themselves in despair.
As the US Federal Bureau of Investigation (FBI) warns, youngsters may be even more fearful of their family or community than they are of the criminals who have entrapped them, potentially leading to a dreadful spiral of trouble:
“Sextortion can start on any site, app, messaging platform, or game where people meet and communicate. In some cases, the first contact from the criminal will be a threat. The person may claim to already have a revealing picture or video of a child that will be shared if the victim does not send more pictures. More often, however, this crime starts when young people believe they are communicating with someone their own age who is interested in a relationship or with someone who is offering something of value.
After the criminals have one or more videos or pictures, they threaten to publish that content, or they threaten violence, to get the victim to produce more images. The shame, fear, and confusion children feel when they are caught in this cycle often prevents them from asking for help or reporting the abuse. Caregivers and young people should understand how the crime occurs and openly discuss online safety.”
In a similar vein, the US Federal Trade Commission (FTC), which looks after consumer rights and safety, has warned about similar blackmail criminality on adult dating sites and chat forums:
“The FTC is hearing about scams targeting people on LGBTQ+ dating apps, like Grindr and Feeld. And they aren’t your typical I-love-you, please-send-money romance scams. They’re extortion scams.
They usually work something like this: a scammer poses as a potential romantic partner on an LGBTQ+ dating app, chats with you, quickly sends explicit photos, and asks for similar photos in return. If you send photos, the blackmail begins. They threaten to share your conversation and photos with your friends, family, or employer unless you pay — usually by gift card.
Other scammers threaten people who are closeted or not yet fully out as LGBTQ+. They may pressure you to pay up or be outed, claiming they’ll ruin your life by exposing explicit photos or conversations.
Whatever their angle, they’re after one thing — your money.”
Pre-paid gift cards are widely exploited by cybercriminals who are looking for fast, illicit payments that don’t run into tens of thousands of dollars from each victim.
Gift cards are widely available to buyers of all ages; they don’t require the victim to set up an online account and go through an anti-money-laundering check as cryptocurrency purchases do; and they can be cashed out or sold on quickly, easily and largely anonymously, even by technically unsophisticated cybercriminals.
Clearly, if you’re advising other people, whether they’re friends and family, or colleagues you look after as part of an IT team, you need to bear in mind that these two scams have very different potential personal impacts.
In the first case, the crooks are trying to frighten victims into providing them with leverage they didn’t have before, whereas in the second case they’re exploiting significant leverage they already have.
Remember, therefore, that any advice you give should take into account the risk that the victim already faces.
Having said that, here are some suggestions:
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!