Report Sextortion Scams under Cybersecurity Information Sharing Act of 2015

For the last two months, @Lacyberlawblog and every other news and government website published articles and alerts about Coronavirus scams. What initially started as schemes to sell fraudulent medical supplies, Coronavirus treatments/vaccines, and “investment” opportunities in Coronavirus cures has transformed into sextortion.

On April 20, 2020, the FBI’s Internet Crime Complaint Center (IC3) again reported a substantial uptick in COVID-19 internet scams and identified the common tactics of scammers. While the initial tactics listed by IC3 seem familiar (emails with broken English and bad grammar), the latter listed items indicate that the scammers are looking to blackmail individuals who visit adult entertainment websites and/or may have “dirty secrets.”

Specifically, IC3 states that the frequently used extortion tactics are as follows:

• Email communication in broken English fraught with grammatical errors;

• Recipient’s personal information is repeated in the communication to convey fear and intimidation, often containing the recipient’s username and password to certain accounts;

• Recipient is accused of visiting adult websites, cheating on a spouse, or being involved in compromising situations (likely sexual in nature);

• The communication includes a statement like, "I had a serious spyware and adware infect your computer," and "I have a recorded video of you" (perhaps inspired by the movie Long Shot, in which this happens to Seth Rogen’s character);

• The communication then threatens to release the video, image, or compromising intel to friends, family, co-workers, or on social networks if ransom is not paid within a short time period; and

• Payment is requested in Bitcoin, a nearly untraceable virtual currency.

Sextortion scams are not new, but with more people working from home and leaving laptops open, it is an easier sell for the scammers – especially for those who watched the movie Long Shot or Oceans 8 (Rihanna’s character used phishing to trick a Wheaton Terrier fanatic into giving her access to his webcam). As many know or will notice here shortly, the top of a laptop has a camera. Theoretically, a bad actor using spyware could activate a laptop’s camera and watch its user, in addition to tracing internet traffic.

Fortunately, there are ways to protect yourself. IC3’s list of precautions can be found in its most recent report. Additionally, the following is recommended:

• Cover the laptop camera with electrical tape or a webcam cover;

• Utilize a VPN service and a TOR Browser for certain internet activity (Google chrome’s invisible feature is often insufficient);

• Utilize a password management service or the encrypted passphrase service on Google; and

• Consider contacting the authorities.

The Cybersecurity Information Sharing Act of 2015 allows private entities and citizens to share cyber threat indicators with approved federal agencies (like the FBI) without waiving certain privacy rights, legal privileges, or inviting public records requests (Louisiana also has a state law version written by Sarah Anderson). In Louisiana, an individual or private business can report an incident directly to the Cyber Crimes Investigation Division within Louisiana State Police; I can attest to the professionalism, discretion, and incredible abilities of these individuals. While perhaps scary, law enforcement can often provide guidance on the authenticity of the attack and/or offer solutions. They are also able to anonymously utilize the information to prevent future and similar attacks against others.