New sextortion scam combines stolen data to target victims directly


The latest sexual extortion, or "sextortion", scam sees scammers use victims' personal data to convince them that Pegasus spyware has been deployed on their device.

In this scam, victims receive an email that contains their personal information, including their full name, phone number and address, together with the ransom threat in a PDF file. The PDF includes an image of the victim's home, or of the building associated with the address the scammers hold.

This is undoubtedly highly alarming and distressing to victims, especially if they already take steps to protect their data, for example by using one of the best VPNs.

However, it is important to note that the image comes from Google Maps and the data contained in the email is very likely sourced from previous data breaches, meaning that the scammers have not stolen any information from the victim's device directly.

[Image: a portion of the Pegasus sextortion scam PDF, showing a picture of the victim's location. Image credit: Krebs On Security]

What is the Pegasus sextortion scam?

The threat itself warns the victim that the hackers have deployed Israeli-made Pegasus spyware on their device via "a app [sic]" they "frequently use", which is how they know so much information about the victim.

The message explains the spyware further, saying: "Pegasus is a spyware that is designed to be covertly and remotely installed on mobile phones running iOS and Android. And when you got busy watching our videos, your system started functioning as a RDP (Remote Control) which provided me total control over your device.

"I can peep at everything on your screen, switch on your camera and mic, and you wouldn’t even suspect a thing. Oh, and I’ve got access to all your emails, contacts, and social media accounts too."

This, according to the scammers, is how they have obtained evidence of the victim "doing embarrassing things in [their] room" and viewing "filthy videos and venturing into the darker corners of cyber space". While they claim they will "send this filth to every one of [the victim's] contacts", no evidence of the victim viewing these videos or accessing the supposed "darker corners" is given in the message.

The purpose of the message is quickly made clear when the scammers directly ask the victim for almost $2,000 worth of Bitcoin to be paid in 24 hours or risk the compromising images being made public, which they say can be paid by scanning a QR code included in the PDF.

Is the Pegasus sextortion scam real?

While it is definitely more sophisticated than other sextortion scams, it is very likely that (just like any other scam email that claims to have compromising images or videos of you) this message is just that – a scam.

The inclusion of the victim's personal information, and the thinly veiled threat that the hackers will show up at their door if they don't pay (the message asks whether visiting their location would be a "more convenient way to contact" them if they don't "take action"), may be worrying to victims. It is important to remember, though, that scammers include this information precisely in order to pressure you into paying them.

This is functionally the same as older sextortion scams, which promised to send compromising videos and pictures to your entire address book if you didn't follow their demands, only with the personal information and the threat of spyware added. As alarming and upsetting as it may be, the message is designed specifically to upset victims and make them feel as though they have to pay the scammers.

If you are a victim of a sextortion scam, whether it is the Pegasus sextortion scam or otherwise, you should contact your local FBI office by calling 1-800-CALL-FBI. If you are outside the US, contact your respective federal law enforcement agency.

How to keep your data safe online

While it is not your fault if you are a victim of a scam or you receive an extorting email, there are some steps you can take to better protect your data.

This will also help you identify these messages and ultimately prevent you from becoming a further victim of hackers and scammers.

Hide your phone number

In the case of the new sextortion scam, the amount of information the scammers have on their victims can make it seem far more real and threatening. If a scammer has your phone number, not only can they attempt to impersonate you, they also hold another layer of your personal information.

It can be hard to avoid giving out your phone number, especially to sites that require it to send you information like shipping updates. With this in mind, the creator of one of the fastest VPN services, Surfshark, has invented a way to mask your phone number.

Surfshark's Alternative Number means that you can generate a fake phone number to give out as needed, masking your actual phone number and allowing you to delete this number should it be compromised.

This is useful not only to protect your data from hackers, but to protect it from anyone that you would rather not have your mobile number.

Use a fake email address

This new sextortion scam arrives by email, which is common, and for good reason from a hacker's perspective – more than 90% of successful cyber attacks start with a phishing email.

In this digital age, we are constantly handing over our email address in order to interact with things online, whether that is social media or e-commerce. Unfortunately, this puts you and your data at risk and exposes you to phishing campaigns.

This is where email masking comes in. One example you may be familiar with is Apple's Hide My Email, which auto-generates an email proxy for you to use whenever you need to input your email address. Any information sent to this email address will be sent to your personal email, but your actual email will stay safe. This makes it a lot easier to simply delete the account if that email address is compromised.

Another email masking service comes from the creator of what we rate as the best VPN service, NordVPN, which offers email masking as part of its password manager, NordPass.

If you use a masked email address, you can easily tell when your data has been stolen or sold, allowing you to quickly secure your data. It also means you can more easily spot phishing campaigns: if you use exactly one alias per service, then any email that arrives at that alias from a sender other than that service is obviously not to be trusted.
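To make the one-alias-per-service idea concrete, here is an added Python example (not code from the article, nor from Apple, NordPass or any other service it names) that records which service each masked alias was given to and flags mail arriving at an alias from a sender the alias was never handed to. All addresses and messages are constructed samples.

```python
# Added example: model the per-service masked-address scheme described above
# and flag mail that reaches an alias from an unexpected sender domain.
# Every address and message here is constructed for illustration.
from dataclasses import dataclass

# Constructed mapping: each masked alias was handed to exactly one service.
ALIASES = {
    "shop-8f3a@relay.example": "shop.example",
    "social-2c9d@relay.example": "social.example",
    "bank-71be@relay.example": "bank.example",
}

@dataclass
class Message:
    to: str        # masked alias the mail was delivered to
    sender: str    # From: address as received
    subject: str

def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def check_message(msg: Message) -> str:
    """Classify one message: 'expected' if the sender belongs to the service
    the alias was given to, 'mismatch' if the alias is known but the sender
    is some other domain (alias leaked, sold or being phished), 'unknown'
    if the recipient is not one of our aliases."""
    service = ALIASES.get(msg.to.lower())
    if service is None:
        return "unknown"
    dom = sender_domain(msg.sender)
    # Accept the service's own domain and its subdomains (mail.shop.example).
    if dom == service or dom.endswith("." + service):
        return "expected"
    return "mismatch"

def leaked_aliases(messages):
    """Return the set of aliases that received mail from an unexpected sender."""
    return {m.to.lower() for m in messages if check_message(m) == "mismatch"}

# Constructed sample inbox: a genuine shipping update, an extortion-style
# mail sent to the shop alias from an unrelated host, and a bank alert.
SAMPLE_INBOX = [
    Message("shop-8f3a@relay.example", "orders@mail.shop.example", "Your parcel has shipped"),
    Message("shop-8f3a@relay.example", "noreply@random-host.example", "Pegasus is on your device"),
    Message("bank-71be@relay.example", "alerts@bank.example", "Statement available"),
]

if __name__ == "__main__":
    for m in SAMPLE_INBOX:
        print(check_message(m), m.to, "<-", m.sender)
    print("aliases to retire:", leaked_aliases(SAMPLE_INBOX))
```

An alias that shows up in the mismatch set is the one to delete and replace, which is exactly what the masking services above let you do.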

Don't give out your real personal information

How do you keep your personal data safe online? Don't give it out at all. This may sound impossible, but you can actually create a brand-new online-only identity thanks to Surfshark, creator of one of the best VPNs.

In its latest online security offering, Surfshark has introduced Alternative ID, a service which allows you to create an entirely new identity that you can give out online. Surfshark generates the data, allowing you to use it across the web and keep your actual identity safe.

Alternative ID is available across all of Surfshark's security bundles.

The best VPN that hides your personal info: Surfshark

Surfshark is proof that you don't have to make a compromise between price and quality.

Not only does it have impressive unblocking skills, excellent speeds and great security, it also has a whole host of added cybersecurity extras as part of its offering.

Try Surfshark out from $2.19 a month, with a 30-day money-back guarantee.

Olivia Powell
Tech Software Commissioning Editor

Olivia joined Tom's Guide in October 2023 as part of the core Future Tech Software team, and is the Commissioning Editor for Tech Software. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across TechRadar Pro, TechRadar and Tom’s Guide. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.