How do fake “hacked your webcam” scams operate?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You open your inbox and there it is. An email claiming a hacker has recorded you through your webcam while you were visiting an adult website. They want Bitcoin, and if you don't pay within 48 hours, they'll send the video to everyone in your contacts. Oh, and they've included one of your real passwords to prove they're serious.

It feels terrifyingly real. But here's what's actually happening.

These emails are almost always a complete bluff. There's no footage. There's no malware. Nobody has been watching you. What you're looking at is a mass-produced scare campaign sent to thousands of people at once, and the scammer is counting on fear to do the work for them.

So how does that password end up in the email? That part is real, and it's worth understanding. Over the years, hundreds of major websites have suffered data breaches that exposed billions of username and password combinations. Those credential lists get traded and sold on the dark web. Scammers buy them, write a script that pulls your email address and one of your old passwords, and drops them into a template email automatically. When you see your password in that email, your brain screams "they're inside my accounts." They're not. They found it in a list.

The email itself is engineered to short-circuit your rational thinking. It typically includes a few of these pressure tactics:

  • A real (old) password as supposed proof of access
  • Technical jargon about malware, remote access trojans, or browser exploits (all invented)
  • A tight deadline to pay before the video gets sent out
  • Specific-sounding details about sites you supposedly visited
  • A Bitcoin wallet address so payment is untraceable

None of these things prove anything real happened. They're just levers designed to make you panic before you think clearly.

If you receive one of these, here's what to actually do. Don't pay. Don't reply. Change the password shown in the email if you still use it anywhere. And if it's an old password you already stopped using, don't lose a second of sleep over it. Reporting it to your national cybercrime authority (the FBI's IC3 in the US, Action Fraud in the UK) takes two minutes and helps track these campaigns.

If you want peace of mind about webcam access, a physical webcam cover costs about three dollars. That's the one concrete thing worth doing. (The email scammer is hoping you'll spend a few hundred dollars in Bitcoin instead.)

These campaigns land in spam folders regularly because email filters have gotten good at spotting the patterns. If yours slipped through, our free Email Header Analyzer can show you where it actually came from and how it bypassed your filters.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste the subject line and sender details below and I'll help you figure out whether this is a scam or something that needs real action.

I received an email claiming someone hacked my webcam and recorded me watching adult content. They included one of my real passwords and are demanding Bitcoin payment. I'm scared and don't know if this is real. Can you walk me through exactly how this type of scam works, whether my password being in the email means they actually have access to my device, and what steps I should take right now?

Edit the yellow boxes, then send to the AI of your choice.