How do extortion email scams work?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You open an email and your stomach drops. Someone claims they've recorded you through your webcam, or they have proof of something embarrassing, or they'll expose you unless you send Bitcoin by Friday. It feels urgent. It feels personal. It's designed to feel that way.
Here's the first thing to know: the vast majority of extortion emails are pure bluff. The sender almost certainly has nothing. What they do have is your email address, a template, and the psychological certainty that fear makes people act before they think.
How they get your info
Attackers buy or download data breach dumps from the dark web. Those dumps often include email addresses, old passwords, full names, and sometimes phone numbers. When an extortion email shows you a real password you recognize, that's where it came from. Not from your webcam. Not from malware on your device. From a breach database that was already public.
The password is a prop. It's there to make you believe everything else in the email is also true. It rarely is.
The main types of extortion email
- Sextortion claims the attacker has webcam footage of you visiting adult websites. They threaten to send it to your contacts unless you pay. Almost always fake. (See sextortion scams for the full breakdown.)
- Credential-based blackmail uses a real leaked password to add credibility. The email implies system access. Usually there's none.
- Business extortion threatens a DDoS attack against a company's website unless payment arrives. Sometimes coordinated, but often empty.
- Fake legal threats claim to have evidence of illegal activity and offer to stay quiet for a fee. Pure intimidation.
Why people pay even when it's probably fake
The psychology is simple: the cost of being wrong feels catastrophic. If there's a 5% chance the footage is real, some people decide it's cheaper to pay than to find out. Attackers know this. They price demands low enough to feel manageable but high enough to be worth running the campaign at scale.
Paying doesn't make it stop, by the way. It marks you as someone who pays. You'll hear from them again.
What to actually do
- Don't pay. Seriously. Even if you're scared. Paying confirms you're reachable and willing, and it funds the next wave of attacks against other people.
- Don't reply. Any response confirms your address is active.
- Save the email. Forward it to your spam folder and screenshot the headers if you can. That's your evidence if you decide to report it.
- Report it. In the US, report to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. In the UK, report to Action Fraud. In most countries, your national cybercrime unit has an online form. It takes five minutes and helps build cases against repeat operators.
- Change the exposed password if you still use it anywhere. Then move on.
If the email landed in your inbox instead of spam, that's worth noting too. Well-configured spam filters catch most of these before you see them. If yours didn't, your email filtering setup might need a look.
Still feeling rattled or want a second set of eyes on a suspicious email? Our SOS hotline is free and there's no pitch attached.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.