A sextortion scam is a type of email scam in which a cybercriminal tries to blackmail you by claiming to hold compromising material about you. Typically the sender says they have hacked your computer and installed a trojan, recorded you through your webcam, or captured your browsing history on adult websites. The goal is to frighten you into paying so that this supposed material is not sent to your family, friends, or the public.
Here is how the scam works and why the message may quote one of your real passwords:
- How the Hacker Got the Password
- The password quoted in the email almost certainly comes from an old data breach, not from your computer. Attackers obtain passwords by breaching online services and stealing their user databases; those credential lists are then sold or shared on criminal forums and the dark web, and scammers mail-merge each password next to the matching email address to make the threat look credible.
- If you reused that password on several websites, especially older or less secure ones, it was probably exposed in one of these breaches. A quoted password that is years old, or one you no longer use, is a strong sign that this is where it came from.
You can check whether your email address or a password has appeared in a known data breach using Have I Been Pwned (www.haveibeenpwned.com).
- What the Email Is Trying to Do
- This is a scam email, sent in bulk, designed to frighten the recipient into paying. The sender claims to have recorded compromising video, but this is a bluff: there is no such recording. Showing a real, familiar password is the hook that makes the threat feel credible and urgent.
- These emails usually claim that malware was installed or the webcam was accessed, but the sender has no access to the recipient's device. The same text is typically sent to everyone on a breached credential list, so nothing in it is actually specific to you.
- What the Customer Should Do
- Do not reply to the email, and do not pay. It is a bluff, and paying only confirms that the address is live, which invites further demands.
- Change the quoted password immediately wherever it is still in use, especially on sensitive accounts such as email or banking, and on any other site where you reused it.
- Use strong, unique passwords: a password manager makes it practical to have a different password for every site. Change a password as soon as you learn it has appeared in a breach, and enable two-factor authentication on important accounts so that a leaked password alone is not enough to log in.
- Enable the cPanel login notification ("If someone logs in to your account", found in cPanel's Contact Information preferences) so you are alerted to any login you did not make.
- Run a malware scan on your computer for peace of mind, although these emails are almost always pure social engineering with no actual compromise of the device.
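The breach check mentioned above (and the "change it if it has leaked" advice) can be automated without ever sending the password anywhere. Have I Been Pwned's Pwned Passwords service exposes a range API at https://api.pwnedpasswords.com/range/ that uses k-anonymity: you send only the first five hex characters of the password's SHA-1 hash, receive every known hash suffix starting with that prefix (one `SUFFIX:COUNT` line each), and do the comparison locally. The script below is an added example written for this article, not code from Have I Been Pwned or from any of the cited sources; the sample API response embedded in it is constructed so the check runs offline (the first suffix is the genuine SHA-1 suffix of the string "password", the counts and the other suffixes are illustrative).

```python
"""Check a password against the Pwned Passwords range API using k-anonymity.

Only the first 5 hex characters of the SHA-1 hash leave the machine. The API
returns every known suffix for that prefix and the match is done locally, so
the service never learns which password was checked.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint

# Constructed sample of a range response for prefix 5BAA6, format SUFFIX:COUNT.
# The first suffix is the real SHA-1 suffix of "password"; the counts and the
# remaining suffixes are made up for this example. A count of 0 is what the
# API's optional "Add-Padding: true" header produces for decoy entries.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5A7C8B0E0A7B1D6D1F8E4F3A2B9C1D0E2:2
2F0E3A1B4C5D6E7F8091A2B3C4D5E6F7081:0
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to
    the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}, skipping blank lines and
    dropping zero-count padding entries so they cannot be mistaken for hits."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        count = int(count)
        if count > 0:
            seen[suffix.upper()] = count
    return seen


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in breaches according to the
    supplied range response; 0 means not found for this prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a 5-char hex prefix (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={
            "User-Agent": "sextortion-kb-password-check",  # any descriptive UA
            "Add-Padding": "true",  # ask for decoy rows so response size leaks nothing
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full k-anonymity check against the live API; the password itself never
    leaves this process, only the hash prefix does."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration using the constructed sample above.
    n = breach_count("password", SAMPLE_RANGE_5BAA6)
    print(f'"password" seen {n} times in the sample range; change it if > 0')
```

To test a password that a scam email quoted, call `check_password_online(...)` from an interactive session rather than typing the password on a command line, where it would land in shell history. A non-zero count means the password is in circulation and must be changed everywhere it is used; a zero count only means this particular password has not been seen in the breaches the service indexes, so the reuse advice above still applies.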
NOTE:
These emails are scams sent in bulk. The sender has no access to your device, webcam, or personal files. Following the steps above keeps you safe and ensures you do not fall for these scare tactics.