Romance scams have become increasingly common of late, with cybercriminals sparing no one. Within the LGBTQIA+ community, hackers prey on members’ vulnerabilities to extort them. Among the most common scams seen are:
Romance scamming: This typically refers to a long-game confidence trick in which cybercriminals court your online friendship under a bogus identity, often by “borrowing” images, a name and a life story from someone else’s dating site account. Romance scammers may be prepared to invest weeks, months, or even years into building an entirely fictitious but totally serious online relationship. They may even propose marriage along the way. During this time they will abuse your trust to milk you for financial “help”, for example visa fees, lawyers’ bills, airline tickets, medical expenses, and possibly much more.
Sextortion, also known as ‘porn scamming’: This usually refers to blackmail messages that claim to have taken screenshots showing you viewing porn online, while at the same time catching you on your webcam. Porn scammers usually claim to have acquired their ‘evidence’ by implanting malware on your computer to give them remote access. In reality, there are no screenshots and there is no video, but the criminals often include some personal data about you, usually acquired from an old data breach, to scare you into thinking their malware story might be true. The data is often a phone number, postcode or old password of yours.
The good news in the case of a porn scam is that the crooks don’t have anything on you, and the ‘malware’ they claim to have implanted on your computer is just a pack of lies.
The bad news, however, is that there is a form of online sexual extortion that is effectively a hybrid of romance scamming and porn scamming, where the criminals involved do indeed have content with which to blackmail you.
Dating site extortion revisited
These hybrid “romance-combined-with-porn-scam” criminals typically approach you on a dating site, just like the romance scammers mentioned above, and court your interest, but they don’t take their time to milk you for money over an extended period.
Instead, they persuade you to exchange explicit photos, often leading you to think you can trust them by sending you their explicit photos first. (As you can imagine, they use other people’s photos, not their own.)
Sadly, the scam then unfolds just like the porn scam mentioned above: “Pay hush money or we’ll spread the news to people you don’t want to know about it.”
The difference in this case, of course, is that the criminals do indeed have explicit material.
Unlike with the old-school porn scammers, that part of the story isn’t a bluff, because they’re using the photos you sent to them under the mistaken impression you could trust them.
Worse still is that, while sexual blackmail is bad enough in general, some specific victims are even more vulnerable than others, notably those whose sexuality is a secret to start with.
The criminals usually work something like this: A scammer poses as a potential romantic partner on an LGBTQ+ dating app, chats with you, quickly sends explicit photos, and asks for similar photos in return. If you send photos, the blackmail begins. They threaten to share your conversation and photos with your friends, family, or employer unless you pay, usually by gift card.
Other scammers threaten people who are ‘closeted’ or not yet fully ‘out’ as LGBTQ+. They may pressure you to pay up or be outed, claiming they’ll ‘ruin your life’ by exposing explicit photos or conversations.
Whatever their angle, they’re after one thing — your money.
What to do?
Consider using your favourite search engine for a reverse image search: This won’t always catch out scammers, but it may help you spot that someone you just ‘met’ on a dating site isn’t the person they’re claiming to be. In other words, if your reverse image search gets no useful hits, that doesn’t prove that the person who contacted you is genuine. But if you do get a hit against someone else’s profile, you can immediately be sure you’re dealing with a scammer.
Be aware before you share: In many countries, it’s not illegal to send explicit photos to other people with the consent and understanding of both parties. But this requires you not only to trust the other person completely but also to trust that they won’t themselves suffer a hack or data breach in which the information you shared with them gets scooped up and sold on by someone else entirely.
If in doubt, don’t give it out: If there’s information that you don’t want to be public knowledge, whether that’s something as simple as your phone number or as intimate as your sexuality, don’t make it semi-public by entrusting it to people you don’t really know and haven’t actually met. Once you’ve given it out, there’s no certain way to recall it, no matter how cooperative the people you shared it with might seem to be.
Don’t pay the blackmail money: There’s no way to be sure that the criminals really will delete the data as they claim. Worse still, even if they genuinely do delete their copies, you’ve got no guarantee that they didn’t sell the data before scamming you, or that they weren’t themselves hacked by other crooks between receiving your photos and concluding their blackmail campaign.
(The writer is the Principal Research Scientist at Sophos, a global leader in next-generation cybersecurity)
By Paul Ducklin