What are ransom phishing scams (fake threats)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You open an email and your stomach drops. It says someone has footage of you from your webcam, knows your browsing history, and will send it to everyone you know unless you pay in Bitcoin within 48 hours. It even includes a password you recognize.

Here's the thing: in the vast majority of cases, it's a bluff.

Ransom phishing is a type of scam where the attacker claims to have compromising information about you and demands payment to keep it quiet. Unlike actual ransomware, there's no real attack, no infected device, no footage. There's just fear, a deadline, and a crypto wallet address.

The password trick is the most effective part of the whole con. Scammers buy old data dumps from past breaches, pull a password that was linked to your email address, and paste it into the message as "proof" they're inside your system. They're not. They just know a password you probably stopped using years ago.

Other classic signals that what you're reading is a scare tactic and not a real threat:

  • The email is vague. No specific details about what they supposedly found or when.
  • There's no actual file, screenshot, or evidence attached. Just claims.
  • The language is designed to create panic, with tight deadlines and dramatic warnings.
  • Payment is always requested in cryptocurrency, because it's harder to trace and reverse.
  • The same email has been sent to thousands of people. Yours isn't special.

Real attackers who actually have something on you tend to prove it. They'll share a sample of the data, a screenshot, a file name. Scammers just assert it, because asserting is free.

So what should you actually do if one of these lands in your inbox? Don't pay. Don't reply. Don't click anything in the email. If the password mentioned is one you still use anywhere, change it now and turn on two-factor authentication for that account. Then report the email as spam so your provider's filters can catch the next batch.

Ransom phishing is increasingly easy for filters to catch because the scripts are repetitive and the pattern is well-documented. But some still slip through, especially when they include a real password, which can make them look more credible to both humans and filters.

If you're getting a flood of these at a business domain, it's worth checking whether your domain has appeared in a known breach. Our free blocklist checker won't show breach data, but it'll tell you if your domain's reputation has taken a hit. For the breach side, HaveIBeenPwned is the right tool for that.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste the threat and get a plain-English read on whether it's real

I got an email threatening me unless I pay in Bitcoin. It includes an old password I recognize. Tell me what type of scam this is, whether I should be worried, what the password trick actually means, and the exact steps I should take right now.

Edit the yellow boxes, then send to the AI of your choice.