Public being warned as AG confirms Massachusetts “sextortion” scam

BOSTON – The Attorney General’s Office today issued an advisory to alert the public to a “sextortion” email phishing scam that threatens to send compromising information from your computer to friends, family, and colleagues in exchange for a ransom.

The AG’s Office has received more than 100 inquiries from consumers alleging they received an email in recent weeks from an unknown sender who claims to know the victim’s computer or email password and to have used the password to access embarrassing information about the victim and their online activities. In the email, the scammer threatens to release photos, videos, or some type of evidence to the victim’s friends, relatives and co-workers unless the victim pays a significant ransom, often in the cryptocurrency bitcoin.

The AG’s Office warns that receiving such an email does not necessarily mean that you have been hacked. Such “sextortion” phishing scams are designed to frighten victims into paying a ransom by including a password – often an old one no longer used– in the subject line of the email to make the scheme seem more legitimate. Scammers often purchase passwords illegally on the “dark web” from hackers who sell stolen email addresses and passwords obtained from data breaches. It is unlikely the perpetrators of this scam have actually used the passwords to access victims’ computers or email accounts.

The AG’s Office advises people to take these steps if they receive one of these emails:

Do not respond. Do not reply to the email in any way or pay the ransom. Ignore and delete the email.

Report it to law enforcement. You can report the incident to your local police department and to the FBI’s Internet Crime Complaint Center. Doing so gives law enforcement information to help identify and stop the scammers.

Update your passwords. It’s good practice to routinely change your passwords and replace them with new, strong ones that use a combination of letters, numbers, and symbols. Consider using a password manager, and wherever possible, use two-factor authentication on all of your accounts and devices.

Beware of Phishing. Don’t respond to requests for your personal information in emails from senders you don’t recognize or expect to hear from, even if the email appears to come from a legitimate source. Don’t open attachments or click links in an email you aren’t expecting or from a sender you don’t recognize. Instead, enter the address directly into an internet browser to confirm it’s legitimate.