Sextortion attacks against professional firms, including CPA firms, are not uncommon and are increasing in frequency. Sextortion is a form of blackmail in which sexual information or images are used to extort sexual favors or cash from the victim. The FBI offers an explanation of this new crime here.
Recently this crime has been adapted into a sextortion-based spear phishing scheme: the message quotes a real password that the recipient has actually used, which gives the threat a credibility a generic bulk email lacks.
It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale. Given the sheer volume of hacked and stolen personal data now available online, there will likely be many variations on these campaigns that splice in customized data elements (a password, a phone number, a home address) to make them more effective.
The latest email scam takes the following form:
I am aware ********* one of your pass. Lets get right to the purpose. You may not know me and you’re probably wondering why you are getting this e-mail? None has paid me to investigate about you.
Let me tell you, I actually setup a malware on the X vids (porn material) web site and do you know what, you visited this site to experience fun (you know what I mean). When you were viewing video clips, your browser started out working as a Remote control Desktop with a key logger which gave me access to your display and also cam. Just after that, my software obtained your entire contacts from your Messenger, Facebook, as well as e-mail account. Next I made a double-screen video. 1st part shows the video you were watching (you have a fine taste: )), and second part displays the recording of your webcam, and its you.
You do have just two solutions. We will read each one of these choices in particulars:
First option is to disregard this email message. In that case, I most certainly will send out your actual video clip to just about all of your contacts and thus think concerning the humiliation you will definitely get. Do not forget if you happen to be in a loving relationship, just how it will certainly affect?
In the second place option will be to compensate me $2000. I will call it a donation. In such a case, I most certainly will asap erase your video. You will resume your life like this never happened and you will never hear back again from me.
You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: ******
[CASE-SENSITIVE, copy and paste it]
Should you are thinking of going to the law enforcement officials, okay, this e mail cannot be traced back to me. I have dealt with my actions. I am just not looking to charge you a lot, I wish to be paid for. I have a specific pixel within this email message, and at this moment I know that you have read this mail. You have one day in order to make the payment. If I do not get the BitCoins, I will definitely send your video recording to all of your contacts including relatives, colleagues, and so on. Having said that, if I receive the payment, I will destroy the recording right away. It’s a non-negotiable offer therefore do not waste my personal time & yours by responding to this e mail. If you really want proof, reply with Yup then I definitely will send out your video recording to your 6 contacts. Dev
To the uninitiated, receiving this email is quite unnerving, regardless of the recipient's surfing habits. Many people are not aware that their old email passwords are available for sale on the dark web, and the idea that a criminal has access to your computer is creepy at best. In these campaigns the password is the only genuine element: it comes from a breach of some third-party site, and the claims about malware, webcam footage and harvested contacts are bluffs sent to everyone on the breach list.
Because men are more inclined to visit porn sites, they make the best targets. (The Institute for Family Studies recently reported that 50% of casually dating men watch porn weekly; the figure drops to 40% for men who are seriously dating and 20% for those who are engaged or married.) Looked at from a criminal marketing perspective, the total addressable extortion market is massive.
Cyber gangs will start using newer breaches, with current real passwords, very likely combined with other personal data obtained from the dark web and attached to the victim's record using big data techniques. The same method is also going to be used by tech support scam artists in a variety of ways.
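The scam text above carries several mechanical indicators that a mail filter or a SOC analyst can key on: a credential quoted as "proof", a webcam/keylogger claim, a Bitcoin address, a short payment deadline and the "tracking pixel" boast. The following triage script is an added example written for this page; it is not code from the original article or from Jorgensen & Company. The two sample messages, the indicator regexes, the scoring weights and the thresholds are all constructed assumptions, and the Bitcoin address in the sample is only shaped like one (no checksum is verified, and it is not a real address).

```python
"""Triage rule for password-lure sextortion e-mails.

Added example (not from the original article). It scores a message on the
indicators the scam template above exhibits and extracts any Bitcoin address
so it can be reported. Both sample messages below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message

# Legacy base58 addresses start with 1 or 3 and exclude 0, O, I and l;
# bech32 addresses start with bc1. Syntax only; no checksum is verified.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"
)

# Each indicator mirrors one element of the scam text. Any single indicator is
# weak on its own (an IT password-expiry notice hits two of them), so the
# verdict is based on the weighted combination. Weights are assumptions.
INDICATORS = {
    "credential_lure": re.compile(r"\b(?:one of your|your|ur)\s+pass(?:word)?s?\b", re.I),
    "webcam_claim": re.compile(
        r"\b(?:web ?cam|cam(?:era)?|key ?logger|remote\s*(?:control\s*)?desktop)\b", re.I),
    "deadline": re.compile(r"\b(?:\d+|one|two|three|twenty.?four)\s*(?:hours?|hrs?|days?)\b", re.I),
    "tracking_pixel": re.compile(r"\bpixel\b", re.I),
    "contacts_threat": re.compile(r"\b(?:contacts|relatives|colleagues|friends)\b", re.I),
    "adult_site": re.compile(r"\b(?:porn|adult|x ?vids?)\b", re.I),
}
WEIGHTS = {
    "btc_address": 3, "credential_lure": 2, "webcam_claim": 2,
    "deadline": 1, "tracking_pixel": 1, "contacts_threat": 1, "adult_site": 1,
}


@dataclass
class Triage:
    hits: dict[str, bool]
    btc_addresses: list[str]
    score: int
    verdict: str


def _text_of(msg: Message) -> str:
    """Subject plus every text/plain part, decoded (the lure often sits in the subject)."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def triage(raw_message: str) -> Triage:
    """Score one RFC 822 message and return the indicators hit and any BTC address found."""
    text = _text_of(message_from_string(raw_message))
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    addresses = sorted(set(BTC_ADDRESS.findall(text)))
    hits["btc_address"] = bool(addresses)
    score = sum(WEIGHTS[name] for name, hit in hits.items() if hit)
    if addresses and score >= 6:        # assumed threshold: payment channel plus a credible threat
        verdict = "likely sextortion"
    elif score >= 4:                    # assumed threshold: worth a human look
        verdict = "suspicious"
    else:
        verdict = "benign"
    return Triage(hits, addresses, score, verdict)


# Constructed sample modelled on the scam text above; the address is not real.
SCAM_SAMPLE = """\
From: dev@example.invalid
To: partner@cpa-firm.example
Subject: hunter2 is one of your pass

I am aware hunter2 one of your pass. I setup a malware on the porn web site and
your browser started working as a Remote control Desktop with a key logger which
gave me access to your display and also cam. My software obtained your contacts
from your e-mail account. You have one day to make the payment.

BTC Address: 1SampLeBTCaddrForTestUseQnLyDemo12
[CASE-SENSITIVE, copy and paste it]

I have a specific pixel within this email and I know you have read it. If I do
not get the BitCoins I will send your video to all your contacts and relatives.
"""

# Constructed benign message that shares two indicators with the scam.
BENIGN_SAMPLE = """\
From: it-helpdesk@cpa-firm.example
To: partner@cpa-firm.example
Subject: Password expiry notice

Your password expires in 7 days. Please change it through the self-service
portal before then. Contact the helpdesk with any questions.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        t = triage(sample)
        print(f"{label}: {t.verdict} (score {t.score}) btc={t.btc_addresses}")
```

The benign password-expiry notice trips the credential and deadline indicators but stays below the threshold, which is the point of scoring the combination rather than blocking on any one phrase. The extracted Bitcoin address is the artifact worth keeping: it is what you hand to the FBI or your IT provider when reporting the campaign, and it lets a SOC cluster many recipients of the same run.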
We suggest you send the following to your employees. You’re welcome to copy, paste, and/or edit. You might want to coordinate with HR on this risk.
“Sextortion is a serious internet crime that can lead to destructive results for victims. Sextortion occurs when someone threatens to distribute private and sensitive material unless the victim provides them with images of a sexual nature, sexual favors, or money.
According to the FBI, here are some things you can do to avoid becoming a victim:
- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.
If you receive an email claiming the sender has video of you viewing pornography, do not reply, do not pay any amount in any form, and delete the message. If the email quotes a password you still use anywhere, change that password now; it was taken from an old data breach, not from your computer.
The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).”
Please contact your IT service provider for more assistance and details of the latest scams.
Finally, take a look at your professional liability policy to see whether it covers cyber extortion. Some insurers specifically exclude it. For example, the Hanover Insurance Company endorsement ENHANCED NETWORK SECURITY BREACH AND PRIVACY LIABILITY COVERAGE 915-0907 05 17 states:
This policy does not apply to claim(s) for a network security breach, or privacy event that is based upon or arising out of, or relating directly or indirectly to:
6. Any extortion or blackmail;
Other insurers offer affirmative coverage. Check your policy or ask your agent. Cyber extortion is a specific coverage extension in the CPAGold Enhanced Cyber Coverage endorsement. Go here for details.
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance.
Rickard Jorgensen, FCII, ARM, ACIArb is the founder and President of Jorgensen & Company, a risk management consultant and professional risk specialist. Since 1999, Jorgensen & Company has developed and managed specialty insurance programs for CPAs, lawyers and Investment Professionals.
Contact Rickard at: email@example.com or 201 (345) 2440.