How do filters detect ransom or blackmail patterns?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture the email: "I've been watching you. I have footage. Send $1,400 in Bitcoin to this wallet or everyone you know will see it." It's unsettling. And yet, spam filters catch millions of these every single day. So how do they actually know?

It comes down to three layers working together.

Content signals are the most obvious layer. Ransom and blackmail emails share a remarkably consistent vocabulary: threatening phrases ("I have access to your device", "I recorded you", "you have 48 hours"), cryptocurrency payment demands, specific dollar or Bitcoin amounts, and claims of surveillance or compromised accounts. Filters scan for these combinations. One threatening phrase alone might not trigger anything. But threatening phrase plus Bitcoin wallet address plus countdown deadline? That fingerprint is hard to fake your way past.

Structural signals go deeper than the words. These emails often come from freshly registered domains with no sending history, no legitimate business context, and no prior relationship with the recipient. They rarely contain footers, unsubscribe links, or the kind of structure a real business email has. Filters trained on millions of legitimate emails know what normal looks like. A cold email claiming to have your passwords, sent from a two-day-old domain, with no HTML structure and a crypto address pasted in plain text, sticks out badly.

Reputation and campaign signals are where things get really powerful. Ransom campaigns don't usually target one person. They go out in bulk, often using the same Bitcoin wallet address across thousands of emails. When Gmail or Outlook sees the same wallet hash appearing in emails to hundreds of different users, that pattern gets flagged fast. Filters also share intelligence from confirmed user reports. Once a few thousand people mark something as spam, the whole campaign gets caught at the gate.

Modern filters also use machine learning, not just static rules. Instead of a checklist of banned phrases, the model learns what extortion emails look like structurally and semantically, even when scammers change the wording. That's why swapping "Bitcoin" for "cryptocurrency" or tweaking the threat language doesn't fool a decent filter for long. The underlying pattern is still recognizable.

One thing worth knowing: sextortion scams and webcam blackmail emails often include a "proof" detail, like a real (but old and leaked) password, to make the threat feel credible. Filters have adapted to catch this too. Leaked credential databases are well-documented, and the presence of a real password combined with extortion language is itself a strong detection signal now.

And if you're curious how a specific message made it through to your inbox, our free Email Header Analyzer can show you exactly what happened at each hop. And if something feels genuinely threatening rather than just spammy, report it to your mail provider and your local authorities. Filters catch most of these. They don't catch all of them.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my emails against ransom detection signals

Based on what I've learned about how filters detect ransom and blackmail emails, can you help me audit my own legitimate email campaigns? I want to make sure I'm not accidentally using language or structural patterns that could trigger the same detection signals. Give me a ranked list of the most common false-positive triggers for legitimate senders, what to avoid in subject lines and body copy, and any structural best practices that keep my emails looking clean to filters.

Edit the yellow boxes, then send to the AI of your choice.