What are sextortion scams?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You open an email and your stomach drops. The sender claims they have a recording of you watching adult content. They want payment in Bitcoin or they'll send it to everyone you know. It feels urgent, humiliating, and terrifying.

Take a breath. There's a very good chance this email is a complete bluff.

Sextortion scams are mass-sent threat emails designed to shock you into paying before you think clearly. The scammer has no recording, no video, nothing. What they often do have is an old password pulled from a data dump (more on that in a second), which they drop into the email to make the threat feel real. It's a psychological trick, not evidence.

Here's how to tell a scam from a real threat:

  • They show you a password you recognise. That password came from a compromised database, not your webcam. Sites like Have I Been Pwned let you check which old data dumps contain your email address. Change that password everywhere it's still in use.
  • The threat is vague. No specific screenshots, no clip, no file preview. Just generic claims about what they "saw."
  • They demand cryptocurrency. Bitcoin payments are irreversible and hard to trace. That's not a coincidence.
  • You get a deadline. Urgency is the tool. They want you to panic and pay before you stop to think.
  • The email went to thousands of people. You weren't targeted. You were just in a list.

If the email matches all of the above, it's a scam. Do not pay. Paying confirms you're a live, scared target and often leads to more demands, not silence.

Real sextortion is different. It's targeted, not mass-blast. It usually involves someone who actually has compromising images or video, often obtained through relationship manipulation or catfishing. In those cases, the threat comes with proof. The advice is still to not pay (payment rarely stops escalation), but to report it to law enforcement immediately and document everything.

For the scam version, here's what to actually do:

  • Don't reply, don't pay, don't click any links in the email.
  • Change the password mentioned in the email if you haven't already.
  • Report it to your national cybercrime authority (in the US that's the FBI's IC3; in the UK it's Action Fraud).
  • Mark it as spam so your inbox learns to catch the next one.

If you're a sender wondering why these emails keep slipping through filters, the patterns filters look for in blackmail emails are worth understanding. And if you're managing a domain that's being spoofed to send this kind of content, our SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste in what the email says (remove personal details) and I'll walk you through whether it's a scam and exactly what to do next.

I received an email threatening to release compromising content about me unless I pay in Bitcoin. It includes a password I've used before. Based on my situation, can you tell me: Is this likely a scam or a real threat? What specific red flags should I look for in this email? What should I do right now, step by step? Please ask me any details you need to give me a clear answer.

Edit the yellow boxes, then send to the AI of your choice.