New Email Extortion Scam Uses Photos Of People’s Homes

An email hits your inbox from an unknown sender that includes a picture of your house and address, followed by a threat: “Don’t even try to hide from this. You have no idea what I’m capable of….I’ve got footage of you doing embarrassing things in your house (nice setup, by the way).”

Sounds like a scene out of a horror film, right? Instead, it’s one of the latest phishing scams.

Like many other email and text scams, this particular extortion scheme uses specific personal information to deceive people into sending money. The email convinces people the hacker knows more about them and that they must exchange payment or Bitcoin in order to keep their information safe.

“I received a PDF over email that included my address and photo of the address and made outrageous claims about my private behavior, and claimed to have video documentation captured from spyware on my computer,” Jamie Beckland, a chief product officer at the tech company APIContext, told HuffPost. “The scammer threatened to release the video if I didn’t pay them via Bitcoin.”

If you get a similar email, here are the steps you can take to figure out if it’s a scam so you protect yourself:

Many phishing emails are often riddled with grammatical errors and poor formatting, which make them easier to identify. However, this scam, which includes images of people’s homes, is a newer, darker twist.

You might be asking yourself, how exactly was the scammer able to identify your house address? According to Al Iverson, a cyber expert and industry research and community engagement lead at the software company Valimail, the sender likely found your address from a prior data breach that leaked personal data, and then used a Google Maps photo to put together an email.

Beckland was able to confirm this is a scam by comparing the image in the PDF to the Google Maps street view of his house. Most images in these scams are pulled from online sources, so he recommends that people check to see if the image was copied from the internet. If so, it’s clearly not legitimate.

Iverson recommended checking the email address’ legitimacy whenever you receive any correspondence from unknown users.

“Check whether the sender’s email domain matches the official organization’s website,” he said as one example.

“Also, if using Gmail, look for ‘show original message’ and review SPF, DKIM, and DMARC results.” These are essentially methods that verify the emailer’s domain to prevent spam, phishing attacks and other email security risks. To do this, click on the three-dot hamburger menu at the top right of your email and click “Show Original.”

“All three should ideally pass authentication checks,” Iverson said. In other words, it would say “PASS” next to all three options.

Scammers have become very sophisticated when masking domains. As a result, beware of “lookalike” domains with slight spelling variations. According to Iverson, if something seems too good (or too bad) to be true, it probably is.

Another thing to keep an eye out for is if a scammer sends a message “from” your own email address. Oftentimes, they are just spoofing your email address in the “from” address header.

“These scammers don’t have the time or ability to actually hack into your email accounts. They haven’t found some secret treasure trove of compromising photos. They’re just trying to scare unsuspecting people into coughing up money (or Bitcoin),” Iverson added.

If an email seems legitimate, you might accidentally click on the links it contains for more information. Zarik Megerdichian, founder of Loop8, a company that protects personal data and privacy from data breaches and hackers, strongly cautions against this.

“Exercise caution any time you’re asked to click on a link in an email,” Megerdichian said. “Bitcoin transactions are irreversible, as are many other common payment methods including Cash App and Zelle.”

Further, scams that demand remuneration should be reported to the Federal Trade Commission by filing a report online or via phone. Megerdichian also noted that if a hacker has obtained details about your financials, monitor your bank accounts closely and dispute fraudulent charges with your bank, cancel your cards and preventatively stop future charges.

It’s also highly advisable when confronted with an elaborate scam to change all of your passwords.

According to Yashin Manraj, CEO of Pvotal Technologies, a company that creates secure tech infrastructures for businesses, it’s important to protect your data right away if you suspect it’s been compromised.

“Use a new email address if possible and move critical financial or utilities to it, and then start reporting the case to the local police, the FBI and making sure your family is aware of the potential threat of a public shaming in the unlikely event that they did manage to steal some compromising data,” Manraj said.

It might feel tempting to respond to an email (especially ones that seem very realistic) to negotiate with the scammer. However, Manraj recommends disengaging and ignoring these emails because responding can actually place you on call logs and target databases that will make you vulnerable to further attacks.

It’s also advisable to isolate your home network via a separate Wi-Fi or router, using a VPN to connect to the internet. Most importantly, do not ask for specific help on public forums, especially when uploading logs or error messages.

“Be especially careful when using virtual numbers and password managers on unpopular websites to avoid reusing personally identified information that could be used to access your important financial services,” Manraj explained.

Users should remember that data is a commodity, and businesses today collect too much information (often more than they need to complete the transaction at hand). When signing up for new websites or downloading apps, Megerdichian suggests avoiding oversharing.

“Always ask yourself, do they really need to know that? It’s up to consumers to be proactive when it comes to their personal data,” Megerdichian said.