FRAUD RESOURCE CENTER
En español | According to a 2019 AARP study, people are more likely to respond to threatening scam messages than to those that promise rewards. That might explain the growth of email extortion scams that threaten to publicize compromising information about you — true or not — if you don’t make a quick payment.
Extortion scammers have a valuable scare tactic at their disposal: They show in their messages that they know a password you’ve used for online accounts. They claim they’ve implanted malware on your computer that lets them capture your keystrokes, watch through your webcam and amass evidence that you, say, frequent adult websites. And they say they’ll share that information with all your email and social media contacts — perhaps with a video of you enjoying your viewing — unless you pay hush money, typically several hundred dollars in the form of Bitcoin.
Don’t panic. There’s little chance the cyber-blackmailer has really invaded your computer. Extortion scammers send out threats indiscriminately, using big batches of email addresses and associated passwords that they likely obtained on the black market following big corporate data breaches. They hope to stumble across a few people who don’t change their passwords regularly or do have some secret they don’t want known. That there have been actual cases of hackers gaining access to people’s webcams gives the scam a veneer of plausibility.
To make it even more intimidating, some scammers tinker with their email messages, filling in the “From” section with your actual email address to create the illusion that they have control of your account.
This ruse is rampant. Cybersecurity company Symantec says its software blocked almost 289 million extortion emails in the first five months of 2019. When the message does get through, it can be lucrative. The FBI’s Internet Crime Complaint Center (IC3) documented 43,101 cases of online extortion in 2019, with victims suffering losses of $107.5 million.
The pornography scenario, termed “sextortion,” accounts for a large share of email extortion complaints, and these have spiked amid the coronavirus outbreak as people are spending more time at home and online, according to the FBI. Online extortionists might also claim to have caught you in a different sexually compromising situation, like cheating on your spouse, or even to have planted a bomb at your workplace.
- The email includes a password you use online or one you used in the past.
- The message seems generic and doesn’t cite any specific websites the sender claims you visited.
- The threat is poorly worded and includes grammatical errors.
- You are given a short deadline to respond, typically a day or two — a classic high-pressure scam tactic.
- Do a web search for a phrase or two from the threatening email, to see if it’s a spam message that’s been sent to many people.
- Do change the password you use for a website you’ve learned has been hit by a data breach.
- Do use two-factor authentication when it’s available. With two-factor authentication you need something besides your password to enter a website — for example, a code the site’s owner texts to your phone. This means a hacker can’t access your account with just a stolen password.
- Do keep your operating system, web browser and antivirus programs up to date.
- Do cover the lens on your computer’s webcam with a piece of opaque tape when you’re not using it, to block a hacker who might actually use it to spy on you.
- Do check that security settings on your social media accounts are activated and set for maximum protection.
- Don’t reply to an extortionist’s email.
- Don’t pay up in hopes that the blackmailer will go away. He or she may just ask for more money.
- Don’t keep using the password the scammer mentioned in the email. Change it immediately.
- Don’t use the same password for multiple sites. If you have trouble keeping track of multiple passwords, use a password manager to track and store them.
- Don’t click any links or open attachments in an extortion email. They could be ploys to infect your computer with malware.
- Don't store sensitive or potentially embarrassing information online or on mobile devices.
- Report online extortion attempts to the IC3 or to an FBI field office in your area. Include the sender’s email address and payment information, if provided (for example, the number of his or her Bitcoin “wallet”), which may help with the investigation.
- The website Have I Been Pwned? collects information from major data breaches and lets you check whether email addresses and passwords you use for online accounts may have been compromised. You can learn about how the site handles that data on its privacy page.
Updated October 5, 2020
About the Fraud Watch Network
Whether you have been personally affected by scams or fraud or are interested in learning more, the AARP Fraud Watch Network advocates on your behalf and equips you with the knowledge you need to feel more informed and confidently spot and avoid scams.
More From the Fraud Resource Center