The email is alarming. Right there in its subject line is one of the recipient’s username-password pairings. Its body alleges possession of secret recordings of the recipient watching adult pornography online, recorded through his own webcam, and demands a $5,000 bitcoin payment in exchange for not making the recordings public.

Security experts say it’s just the latest version of an extortion scam that has been mutating since the 19th century. In two words: Ignore it.

The extortion threat looks legitimate because it contains accurate personal information, says Matthew Hickey, co-founder and director of security testing and advocacy organization Hacker House. It relies on a common habit of reusing usernames and passwords; vast troves of stolen personal log-in information leaked online; and the target’s fear of family, friends, and colleagues learning that they’ve watched pornography online.



“While providing the password is a new technique, it’s still a common scam, like the 419ers,” he says, referring to the Nigerian letter and email fraud named for section 419 of the Nigerian criminal code, which it violates. “419” has become such a common term for online scams that communities of scam-baiters—people who set out to hoodwink the scammers—are often called 419 eaters for their propensity for consuming the scammers’ time and resources.

The Parallax has seen porn extortion threats following this template demanding as little as $1,900 and as much as $5,000.

Hickey says they comprise just the latest “confidence scheme” to trick people into “handing over their money.” Recipients should ask themselves whether the senders are “proving that they have anything other than this password,” he says. “They’re exploiting the threat in your mind. Either ignore it, or if you think it’s blackmail or extortion, report it to the police.”

The scam has been pervasive enough that one reporter even received the extortion threat over U.S. postal mail.

In the United States, it’s a federal crime to attempt extortion, regardless of delivery mechanism. If you believe that you are being targeted by an extortion scam, report it to the authorities, Hickey advises. For email scams, U.S. citizens can contact the FBI at the Internet Crime Complaint Center; for snail mail, you can report it through the agency’s Tip Line or to the U.S. Postal Service. The FBI also keeps a searchable list of known scams.

The FBI did not return a request for comment.

If scam targets know how to view the full email headers, which record the message’s routing through each mail server it passed through, they can also send the headers to an antispam organization such as Spamhaus, which can analyze them and add the sending infrastructure to a spam-blocking list.
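As an added example (not code from the article or from Hacker House), the following Python walks the Received: chain of a constructed sextortion-style message, pulls out the address each relay saw connecting to it, and reads the SPF and DKIM verdicts the receiving server recorded. The hostnames and addresses are reserved documentation values chosen for illustration, and the set of "trusted" mail servers is an assumption about which hosts are your own.

```python
"""Walk the Received: chain of a raw email to see where it really came from.

Added example; the message below is constructed for illustration and uses
reserved documentation hostnames and addresses, not real infrastructure.
"""
from __future__ import annotations

import email
import re

# Constructed sample: a sextortion-style message as delivered to mx.example.org.
# Each relay prepends its own Received: line, so the top one is the newest hop.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
\tby mx.example.org with ESMTP id abc123
\tfor <victim@example.org>; Mon, 16 Jul 2018 10:01:02 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail-relay.example.net with ESMTPA id xyz789;
\tMon, 16 Jul 2018 10:00:58 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.com;
\tdkim=none
From: "Security Team" <security@example.com>
To: victim@example.org
Subject: victim: hunter2
Content-Type: text/plain

I have a recording of you. Pay 0.5 BTC within 24 hours.
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def _unfold(value: str) -> str:
    """Collapse RFC 5322 header folding (newline + whitespace) into one line."""
    return " ".join(value.split())


def received_chain(raw: str) -> list[dict]:
    """Return one dict per Received: header, newest first (header order)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = _unfold(value)
        m = HOP.search(text)
        ip = BRACKETED_IPV4.search(text)
        hops.append({
            "from": m.group("from") if m else None,  # what the sender claimed to be
            "ip": ip.group(1) if ip else None,       # address the relay actually saw
            "by": m.group("by") if m else None,      # relay that wrote this line
        })
    return hops


def handoff_ip(raw: str, trusted_hosts: set[str]) -> str | None:
    """IP of the first connection into a host you trust from one you do not.

    Every Received: line below that hop was written by systems the scammer may
    control, so deeper lines are leads, not evidence. Only the line your own
    MX wrote records an address the sender could not forge.
    """
    for hop in received_chain(raw):
        if hop["by"] in trusted_hosts and hop["from"] not in trusted_hosts:
            return hop["ip"]
    return None


def auth_results(raw: str) -> dict[str, str]:
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results: headers."""
    msg = email.message_from_string(raw)
    verdicts: dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", _unfold(value)):
            verdicts[method] = result.lower()
    return verdicts


if __name__ == "__main__":
    # trusted_hosts is an assumption: replace it with your own MX hostnames.
    for hop in received_chain(SAMPLE):
        print(f"{hop['by']:<24} saw {hop['ip'] or '?':<16} claiming to be {hop['from']}")
    print("address to report/block:", handoff_ip(SAMPLE, {"mx.example.org"}))
    print("authentication verdicts:", auth_results(SAMPLE))
```

The point of `handoff_ip` is the caveat practitioners keep running into: the innermost Received: line is the easiest to fake, because anyone who controls a relay can write whatever they like before handing the message on. The address worth reporting is the one your own server saw, and the spf=fail verdict in the constructed sample is what a spoofed From: domain typically produces.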

Targets can also check whether their email address has appeared in a known data breach at the HaveIBeenPwned website, a free service run by security expert Troy Hunt that lets breach victims see which leaks exposed their information; its Pwned Passwords search does the same for individual passwords, such as the one quoted in the extortion email.
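The Pwned Passwords check can be done without ever sending the password anywhere. The following Python is an added example, not code from the article or from HaveIBeenPwned, showing the k-anonymity scheme the service documents: hash the password with SHA-1, send only the first five hex characters, receive every suffix in that range, and compare locally. The "breach corpus" behind `fake_range_fetch` is constructed for illustration; `live_range_fetch` targets the real endpoint but is not called by the demo.

```python
"""Check a password against a Pwned Passwords-style corpus without sending it.

Added example. The leaked-password list used by fake_range_fetch is
constructed for illustration; the real API is only reached by live_range_fetch,
which the demo below does not call.
"""
from __future__ import annotations

import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """(5-char prefix that leaves the machine, 35-char suffix that never does)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus; 0 if never.

    fetch_range(prefix) returns the body of GET /range/{prefix}: one
    'SUFFIX:COUNT' per line. The server learns the prefix and nothing else.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the remote service: a tiny "breach corpus".
CONSTRUCTED_CORPUS = {"password123": 3, "letmein": 5, "hunter2": 12}


def fake_range_fetch(prefix: str) -> str:
    """Serve the same response shape as the real range endpoint."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def live_range_fetch(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (network; not used below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple"):
        n = pwned_count(pw, fake_range_fetch)
        verdict = f"seen {n} times, change it everywhere" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

A hit means the password is already public and should be retired everywhere it was used; a miss does not mean it is safe. In the extortion case the scammer is quoting the password, so it came from a leak whether or not the lookup finds it, and the right response is the same: change it, and stop reusing it.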

Besides using leaked email addresses and passwords, the porn scam emails are written in relatively clear language and sent from legitimate-looking email accounts. To avoid detection, the senders often route the messages through email redirection services or send them from hacked accounts.

The fact that email scams like this are evolving to include the reams of stolen and leaked personal data isn’t surprising, says Kevin Epstein, vice president in charge of the Threat Operations Center at security company Proofpoint.

“Social engineering is the norm; it’s a part of almost all attacks,” he says. “Using a prior large breach with a known password is an interesting innovation in social engineering, but it’s a natural evolution.”

Scammers, he says, are moving on from the days of poor grammar and comically bad copies of corporate logos. Now they employ sophisticated wire transfer word choice, logo templates, and even correct website URLs in places to convince targets to pony up their cash.

One way to avoid getting caught up in future scams is to make sure that you never reuse a password. Use either your browser’s built-in password manager or one from a third party to keep track of and help change passwords. And enable two-factor authentication wherever possible.

And most importantly, Hickey and Epstein say, heed the advice of British author Douglas Adams: “Don’t panic.”