According to a sensitive law enforcement document reviewed by The Daily Beast—headlined ‘Scams and Fraud Campaigns Exploiting COVID 19 Likely to Continue,’ and dated April 20—“the pandemic has created an environment ripe for fraudulent activity with threat actors leveraging fears of the virus to perpetrate a variety of malicious and criminal exploitation.”The confidential NYPD briefing document goes on to state that “threat actors around the world have flooded the internet with COVID-19 themed phishing scams in attempts to capitalize on fears of the virus for financial gain.”
“The blackmail scam has been less successful because... it is a little more far-fetched but it’s playing on people’s fears,” Miller added. “The bad guys buy the names and passwords in bulk from the dark web, so if you send out 300,000 of these emails you only need a few people to fall for it to make a nice profit for very little investment.”The COVID-19 scam that has concerned police is based on a “porn-extortion” fraud from 2019. In that scam, which law enforcement sources say was very successful, potential victims were sent an email with their username and password. The sender would write, “now that I have your attention I need to tell you I have access to all your accounts and your passwords, as well as the kind of material you’ve been looking at.”
“The email goes on to imply that the target has been caught looking at all kinds of porn sites and other disgusting material and that the writer of the email has been able to access the users WebCam and record video from the camera as well as screen and now has split screen recordings of the material,” the NYPD official told The Daily Beast.
As it turns out, it’s all a bluff! Fraudsters never have access to the victim’s WebCam, iPad or computer but why the scam is such a success is the victim has no way of knowing for sure they have not been compromised, and the fact the conman has their email and password gives the scammer credibility in the mind of the victim.
The COVID-19 fraud the NYPD now has on its radar is a new twist on the “porn-extortion” scam and the intelligence document states, “based on the researched dataset, this type of fraud has had limited success.” It’s unclear how the criminals would be able to carry out their callous threats.
"The reason to talk about it is so that people will recognize it if they get one of these," Miller said referring to emails from scam artists. "They also need to know this person has not hacked their computer, hasn’t had access to all their information, and that the fraud depends on people believing that those claims are true”
Scammers typically gain a person’s email and password from websites that have been hacked such as the Capital One data breach and where user credentials from the site were posted on the Internet. Criminals, legitimate security researchers, and others can access those password dumps on hacking forums, illicit dark web markets, or file-sharing sites.
As far as this COVID-19 blackmail scam goes, the simple advice for anyone who is targeted. “The only correct thing to do is delete it. There’s no value in interacting with the sender. You should delete it and reset your passwords.