AI-powered sextortion is becoming a board-level risk, Beazley cyber chief warns

What used to be a crude scam built on old passwords is now personalized enough to scare executives into paying – and can create serious reputational fallout if mishandled

By Branislav Urosevic

Corporate sextortion used to be the kind of junk mail most security teams shrugged off. A clumsy email claiming to have hacked your webcam, a decades‑old password pasted in for effect, a demand for crypto in exchange for silence.

Raf Sanchez, head of cyber services at Beazley, says that era is over.

“Sextortion is a type of social engineering or phishing attack,” he said. “It is an extortion. It is an attempt to obtain money from someone.”

What has changed, in his view, is not the basic goal – it is still about leverage and shame – but the way attackers are able to personalize the threat using breach data, open‑source intelligence and simple AI tools. The result is a class of attacks that can feel convincing enough to rattle senior leaders and spark bad decisions.

From recycled passwords to tailored pressure

In its earlier incarnations, sextortion relied heavily on the fact that most people reused passwords across multiple accounts. After a major breach, stolen credentials would circulate widely on the dark web.

“The way sextortion used to work was fairly basic,” he said. Recipients would get an email claiming they had been “watching naughty videos online,” followed by a password the attacker had scraped from an old breach.

What happened in the victim’s mind was more important than any real compromise. “You might think, ‘Oh my God, yes, my work password is “Madrid”. They must have hacked me,’” Sanchez said.

In reality, nothing on the corporate network had been touched. The attacker was simply betting that a familiar password and a generic allegation would be enough to shake loose a payment.

Sanchez recalls a small‑company CEO who called Beazley’s incident response line after receiving one of these messages. Despite being told it was a low‑grade scam, the executive insisted on explaining that he had watched adult content on a hotel Wi‑Fi connection while travelling and was convinced the attackers had spied on him.

“While I applauded his honesty,” Sanchez said, “he had not been hacked.”

AI and OSINT make it personal

What worries him now is how those crude templates are being upgraded.

“Now what we’re seeing is threat actors are doing OSINT – open‑source intelligence – to enhance their attack, and it’s not humans doing this. It’s AI tooling,” he said.

Rather than relying solely on an old password, attackers can scrape social media, review sites and data‑broker feeds to build a more convincing picture. A victim might receive a message that references a restaurant they recently reviewed, a city they live in, or an old email address and maiden name they have not used in 20 years.

Sanchez describes a ransomware case – not sextortion, but illustrative – where a female CEO refused to deal with the attackers. In response, they emailed her on a long‑defunct address using her pre‑marriage name.

In another sextortion incident in the Nordics, a chief executive became so convinced the threat was real that he paid the demand out of his own pocket to avoid involving his company. When the criminals came back a second time, threatening to disclose his supposed misconduct to shareholders unless he paid more, he finally escalated the matter to his internal incident team and to Beazley.

“Before, it was a low‑level annoyance that many organizations wouldn’t notify an insurer,” Sanchez said. “Now, in some cases, it’s actually scaring senior individuals who are being targeted, and those individuals know they can access services from their insurers to help them.”

Shame, secrecy and professional risk

The sums involved in sextortion are generally small compared with multimillion‑dollar ransomware demands. But Sanchez sees a different kind of exposure for organizations: reputational and professional risk if senior people panic or try to hide what is happening.

He notes that attackers are increasingly willing to weaponize information about political views, sexuality or other sensitive topics scraped from old breaches and social feeds.

“You can imagine somebody saying, ‘We know you expressed support for Russia in 2021. We’re going to tell your employer, because we know your employer has an anti‑Russia stance,’” he said. Similar tactics could target comments on social issues, sexual orientation or anything else that might be controversial in a given workplace.

That puts pressure on executives and public-facing employees who may fear embarrassment or career damage more than financial loss. If they respond by paying quietly, they may invite further extortion. If they ignore the threat without telling anyone, they risk being blindsided if the attacker goes public.

“I see it as a reputational risk for organizations if they ignore it,” Sanchez said.

Why clients should call, not conceal

For insurers and brokers, the message is that sextortion can no longer be dismissed as background noise. Even when the underlying attack is unsophisticated, the human factors around shame and secrecy mean it can escalate fast.

Sanchez urges insureds to treat suspicious messages as triggers for early advice rather than private dilemmas.

“We handle about 5,000 incidents a year,” he said. “If an organization has never seen a particular type of sextortion attack and wants an objective view if it’s something they should be worried about, they can call us. We may well say, ‘We’ve seen 30 of these in the last week, and we’re worried because they have ended up in material claims’ – or we may say, ‘Ignore it. Don’t worry about it.’”
