People reach out to us after receiving a blackmail email saying “I know your password”. We receive often messages like this:
“A few days ago, someone sent me an email with a threat where one of my old passwords was listed in the message, and the sender claimed to have incriminating video footage of me and threatened to release it to my contacts online. The email had a bitcoin address where the sender wanted to be compensated for around USD$2700.”
The FTC reported an increase in these types of Bitcoin blackmail scams. Perhaps the most common of the blackmail emails being the sextortion email that threatens to distribute compromising sexual material to friends, family, and work colleagues unless you pay into their Bitcoin account. The scammer will pretend to be a criminal hacker who (1) gained access to your computer and (2) also installed malware to take control of your webcam, and recorded your activity. To confirm their hacking credentials, they will include a username and password that you will likely recognize as being one that you use or used in the past.
(NOTE: You should NEVER use the same password for different services)
First, let’s see if this supposed hacker really gained control of your computer, and how he knows your password in the first place?
How do hackers know your password?
So, you received a blackmail email with a password included as proof that your account has been hacked. The password is probably displayed right there in the subject line, and you recognize the password as genuine as it is one you use or used in the past. You may get one of these blackmail emails saying “I know your password” because your email was exposed in a data breach. The hacker will likely have obtained your password by simply searching any of the numerous data breach databases available on criminal forums.
If you are someone who only has a small number of passwords, and uses the same password repeatedly for different sites and services, then your password is likely to be found among those stolen during a data breach at one of the poor-security sites involved. If that’s the case, you may, or may not have been notified of this data breach, and advised to change your password for that service and anywhere else you used that password.
If you do receive one of these password hacking emails, your reaction is most likely a gut-wrenching panic. An emotion that the scammer is hoping for to make you throw common sense out of the window so you will pay the Bitcoin they asked for. Instead, take a breath, and let’s have a closer look at the email, to see if the hacker really has any compromising material.
Could this hacker have gained control over my email, computer, and webcam?
Yes, they could. However, the chance of that being the case is very, very small. So small, that you can simply dismiss blackmail email saying “I know your password”. Just think about it: if the hacker has control over your computer and webcam, then why would they send you an email? Ransomware is readily and cheaply available to hackers and much more likely to result in a successful blackmail than just claiming to have recordings of someone masturbating to online pornography. Surely, if they actually had compromising material, they would include a small clip as proof? Wouldn’t that be a way to ensure payment? Some hackers may claim in their blackmail emails that if the victim asks for proof, they will send a video to her family. This instills fear of course, but it does not make sense. Why would they not just sent the material to the victim instead, along with the blackmail demands? Unless, of course, they have no compromising material, but only empty threats.
What to do when receiving blackmail emails saying “I know your password”.
Take a breath, and think about what the scammer is really saying. Like I said before, if the scammer was such an elite hacker, why is he/she sending you an email when he could just lock you out of the computer he supposedly has full control over? Or why would he not include the compromising material to prove he really has any material? Most likely because he has no control over your computer, and he has no compromising material.
Change that password wherever you have used it.
If the password quoted in the email is one that you still use, then change it immediately. Everywhere that you use it.
And STOP using the same password at multiple sites and services. If you find it difficult to remember passwords, use a password manager like 1Password that can randomly generate strong and unique passwords for every service, and helps you to use them without having to remember what they are.
Ignore the email, and don’t reply to the scammer. But don’t delete the email, as you may want to keep it as evidence. If you have been scammed and paid the money, then report the scam to your local FBI field office in the U.S. or your local police force in the U.K, or Australia, or your juristiction. If you have spotted the scam for what it is in time, then you should still report the scam. But then to the Internet Crime Complaint Center (IC3) in the U.S. and Action Fraud, the National Fraud and Cyber Crime Reporting Centre, in the U.K. In Australia, you can report scams to the ACCC through the Scamwatch report a scam page. Also, report the email address to the service provider as a scammer.