People reach out to us after receiving a blackmail email saying “I know your password”. We often receive messages like this: 

“A few days ago, someone sent me an email with a threat where one of my old passwords was listed in the message, and the sender claimed to have incriminating video footage of me and threatened to release it to my contacts online. The email had a bitcoin address where the sender wanted to be compensated for around USD$2700.”

The FTC reported an increase in these types of Bitcoin blackmail scams. Perhaps the most common of the blackmail emails is the sextortion email that threatens to distribute compromising sexual material to friends, family, and work colleagues unless you pay into the scammer's Bitcoin account. The scammer will pretend to be a criminal hacker who (1) gained access to your computer and (2) installed malware to take control of your webcam and record your activity. To back up their hacking claims, they will include a username and password that you will likely recognize as one you use or have used in the past.

(NOTE: You should NEVER use the same password for different services)

First, let’s see whether this supposed hacker actually gained control of your computer, and how they know your password in the first place.

How do hackers know your password?

So, you received a blackmail email with a password included as proof that your account has been hacked. The password is probably displayed right there in the subject line. You recognize the password as genuine because it is one you use or have used in the past. You may get one of these blackmail emails saying “I know your password” because your email address and password were exposed in a data breach. The hacker will most likely have obtained your password by simply searching one of the numerous data breach databases traded on criminal forums.

If you are someone who only has a few passwords and uses the same password repeatedly for different sites and services, then your password is likely to be found among those stolen in a data breach at one of the poorly secured sites involved. If that’s the case, you may or may not have been notified of the breach and advised to change your password for that service and anywhere else you used it.

Your reaction on receiving one of these password-hacking emails is most likely gut-wrenching panic. That panic is exactly what the scammer is counting on: it makes you throw common sense out of the window so that you pay the Bitcoin they demand. Take a moment to relax and focus, then examine the email carefully to see whether the hacker has any compromising information at all.

Could this hacker have gained control over my email, computer, and webcam?

Yes, they could. However, the chance of that being the case is very, very small. So small that you can simply dismiss a blackmail email saying “I know your password”. Just think about it: if the hacker had control over your computer and webcam, why would they email you? Ransomware is readily and cheaply available to hackers and is much more likely to result in successful blackmail than merely claiming to have recordings of someone masturbating to online pornography. Surely, if they had compromising material, they would include a small clip as proof? Wouldn’t that be the way to ensure payment? Some hackers claim in their blackmail emails that if the victim asks for proof, they will send the video to the victim's family. This instils fear, of course, but it does not make sense. Why would they not just send the material to the victim along with the blackmail demands? Unless, of course, they have no compromising material, only empty threats.
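The features described above (a password quoted as "proof", a webcam claim, a threat to contact friends and family, a dollar demand and a Bitcoin address) make this template easy to triage automatically. The following Python helper is an added example, not code from the original article; it scores two constructed sample emails, and the Bitcoin address and amounts in them are made up.

```python
import re

# Indicator patterns for the sextortion template described above
# (password-as-proof, webcam claim, threat to contacts, USD demand, deadline).
INDICATORS = {
    "claims_password": re.compile(r"\b(?:your|old)\s+password\b", re.I),
    "webcam_claim": re.compile(r"\b(?:webcam|camera|recorded you|video footage)\b", re.I),
    "contacts_threat": re.compile(r"\b(?:contacts|friends|family|colleagues)\b", re.I),
    "usd_demand": re.compile(r"(?:USD\$?|\$)\s?\d[\d,]{2,}|\b\d[\d,]{2,}\s?(?:USD|dollars)\b", re.I),
    "deadline": re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I),
}
# Shape of a legacy base58 (1.../3...) or bech32 (bc1...) Bitcoin address.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")


def score_email(subject: str, body: str) -> dict:
    """Return matched indicators, any Bitcoin addresses found, and a verdict."""
    text = f"{subject}\n{body}"
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    addresses = BTC_ADDRESS.findall(text)
    # A payment address plus at least two narrative indicators is the template;
    # without an address the narrative hits alone are only a weak signal.
    verdict = "sextortion_scam" if addresses and len(hits) >= 2 else "not_flagged"
    return {"indicators": hits, "btc_addresses": addresses, "verdict": verdict}


# Constructed samples: one scam email of the kind the article describes and one
# ordinary invoice that mentions money but nothing else. The address is fake.
SAMPLES = [
    ("Your password is hunter2",
     "I installed malware on your computer and recorded you through your webcam. "
     "Pay USD$2700 to 1ConstructedSampBTCAddrXYZ123abc within 48 hours "
     "or the video goes to all your contacts."),
    ("Invoice for April",
     "Hi, attached is the invoice for USD 450 as discussed. Thanks."),
]


def scan_samples() -> list:
    """Score every constructed sample and return (subject, verdict) pairs."""
    return [(subject, score_email(subject, body)["verdict"]) for subject, body in SAMPLES]


if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", score_email(subject, body))
```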

What to do when you receive a blackmail email saying “I know your password”

Don’t panic.

Take a breath, and think about what the scammer is saying. As noted above, if the scammer were such an elite hacker, why are they emailing you when they could just lock you out of the computer they supposedly control? And why would they not include the compromising material to prove they have any? Most likely because they have no control over your computer and no compromising material.

Change that password wherever you have used it.

If the password quoted in the email is one that you still use, change it immediately, everywhere that you use it.

And STOP using the same password at multiple sites and services. If you find it difficult to remember passwords, use a password manager like 1Password, which can randomly generate strong and unique passwords for every service and helps you use them without having to remember what they are.

Report it.

Ignore the email, and don’t reply to the scammer. But don’t delete the email, as you may want to keep it as evidence. If you have been scammed and paid the money, report the scam to your local FBI field office in the U.S., or to your local police force in the U.K., Australia, or your jurisdiction. If you have spotted the scam for what it is in time, you should still report it, but to the Internet Crime Complaint Center (IC3) in the U.S. or to Action Fraud, the National Fraud and Cyber Crime Reporting Centre, in the U.K. In Australia, you can report scams to the ACCC through the Scamwatch "report a scam" page. Also, report the sender's email address to the service provider as a scammer.