Naked Security

FTC warns of LGBTQ+ extortion scams – be aware before you share!

It's a simple jingle and it's solid advice: "If in doubt, don't give it out!"

Sadly, over the years, we’ve needed to write numerous Naked Security warnings about romance scammers and sextortionists.

Although those are general-sounding terms, they’ve come to refer to two specific sorts of online crime:

  • Romance scamming. This typically refers to a long-game confidence trick in which cybercriminals court your online friendship under a bogus identity, often by “borrowing” images, a name and a life story from someone else’s dating site account. Romance scammers may be prepared to invest weeks, months, or even years, into building an entirely fictitious, but apparently totally serious, online relationship. They may even propose marriage along the way. During this time they will abuse your trust to milk you for financial “help”, for example for visa fees, lawyers’ bills, airline tickets, medical expenses, and possibly much more.
  • Sextortion, also known as “porn scamming”. This usually refers to blackmail messages that claim to have taken screenshots showing you viewing porn online, while at the same time catching you on your webcam. Porn scammers usually claim to have acquired their “evidence” by implanting malware on your computer to give them remote access. In reality, there are no screenshots and there is no video, but the criminals often include some personal data about you, usually acquired from an old data breach, to scare you into thinking their malware story might be true. The data is often a phone number, postcode or old password of yours.

The good news in the case of a porn scam is that the crooks don’t have anything on you, and the “malware” they claim to have implanted on your computer is just a pack of lies.

The bad news, however, is that there is a form of online sexual extortion that is effectively a hybrid of romance scamming and porn scamming, where the criminals involved do indeed have content with which to blackmail you.

Dating site extortion revisited

These hybrid “romance-combined-with-porn-scam” criminals typically approach you on a dating site, just like the romance scammers mentioned above, and court your interest, but they don’t take their time to milk you for money over an extended period.

Instead, they persuade you to exchange explicit photos, often leading you to think you can trust them by sending you their own explicit photos first. (As you can imagine, they use other people’s photos, not their own.)

Sadly, the scam then unfolds just like the porn scam mentioned above: “Pay hush money or we’ll spread the news to people you don’t want to know about it.”

The difference in this case, of course, is that the criminals do indeed have explicit material.

Unlike the old-school porn scammers, that part of the story isn’t a bluff, because they’re using the photos you sent to them under the mistaken impression you could trust them.

Worse still is that, while sexual blackmail is bad enough in general, there are some specific victims who are even more vulnerable than others, notably those whose sexuality is a secret to start with.

FTC warning

The US Federal Trade Commission (FTC), America’s consumer protection body, has therefore issued a very particular warning about this sort of extortion to people in the LGBTQ+ community who aren’t yet “out”.

As the FTC explains:

[The criminals] usually work something like this: a scammer poses as a potential romantic partner on an LGBTQ+ dating app, chats with you, quickly sends explicit photos, and asks for similar photos in return. If you send photos, the blackmail begins. They threaten to share your conversation and photos with your friends, family, or employer unless you pay — usually by gift card.

Other scammers threaten people who are “closeted” or not yet fully “out” as LGBTQ+. They may pressure you to pay up or be outed, claiming they’ll “ruin your life” by exposing explicit photos or conversations.

Whatever their angle, they’re after one thing — your money.

What to do?

  • Consider using your favourite search engine for a reverse image search. This won’t always catch out scammers, but it may help you spot that someone you just “met” on a dating site isn’t the person they’re claiming to be. In other words, if your reverse image search gets no useful hits, that doesn’t prove that the person who contacted you is genuine. But if you do get a hit against someone else’s profile, you can immediately be sure you’re dealing with a scammer.
  • Be aware before you share. In many countries, it’s not illegal to send explicit photos to other people with the consent and understanding of both parties. But this requires you not only to trust the other person completely, but also to trust that they won’t themselves suffer a hack or data breach in which the information you shared with them gets scooped up and sold on by someone else entirely.
  • If in doubt, don’t give it out. If there’s information that you don’t want to be public knowledge, whether that’s something as simple as your phone number or as intimate as your sexuality, don’t make it semi-public by entrusting it to people you don’t really know and haven’t actually met. Once you’ve given it out, there’s no certain way to recall it, no matter how co-operative the people you shared it with might seem to be.
  • Don’t pay the blackmail money. There’s no way to be sure that the criminals really will delete the data as they claim. Worse still, even if they genuinely do delete their copies, you’ve got no guarantee that they didn’t sell the data on before scamming you, or that they weren’t themselves hacked by other crooks between receiving your photos and concluding their blackmail campaign.

One real-life reminder of how cybercriminals sometimes turn on each other is the infamous Conti ransomware breach from August 2021, in which aggrieved affiliates of the Conti ransomware “services” turned on the operators of the scheme by publicly dumping an archive file called Мануали для работяг и софт.rar (operating manuals and software).

https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/

Reporting online fraud

Whatever your sexuality, and whatever the type of scam you get hit with, remember that if you are in the US, you can report online fraudsters at: https://reportfraud.ftc.gov.

The FTC’s online form is easy to use; you can supply as much or as little information as you know or want (as far as we can see, you can identify yourself as much or as little as you like, too); and you can report scams as varied as “just an annoying call”, fake love interests, phoney government officials, and fraudulent investments.

In the UK, use: https://www.actionfraud.police.uk/

In Europe, use: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online

In Canada, use: https://www.antifraudcentre-centreantifraude.ca/

In Australia, use: https://www.cyber.gov.au/acsc/report

In New Zealand, use: https://report.netsafe.org.nz/hc/en-au/requests/new

