Q: I received an email showing me one of my passwords and that my computer had been compromised. They say they’re going to release my private information and a video they took of me with my computer’s webcam unless I pay in Bitcoin. What should I do?
A: This is a long-running variation of what’s called a “sextortion” scam that claims that the scammer has captured you in a sex act of some sort.
The scammers will generally claim that they gained access to your computer through malware and had full access to spy on you using your own webcam and gather up all your private data. They then claim that they removed the malware when they were done, so there would be no trace that they were ever there.
They add an element of stress to the scam by saying that you have three days to figure out how to pay them and that they have access to your email account, so they will know that you have read the message.
There was a huge increase in extortion-based scams in 2018 according to the FBI Internet Crime Complaint Center because they are generating lots of money for the scammers.
The scarier they can make the situation sound, the more likely the victim will act hastily. Here is an example of this type of scam.
They have my password!
They tend to start the message saying they know one of your passwords, which they include to try to grab your attention right away.
If you’re the type of user that tends to use the same password on lots of sites, it can be scary to see that they have a valid password and perhaps they have done what they say they’ve done.
The reality is that they simply made use of password data dumps that are plentiful on various nefarious websites, which cross-reference the stolen password with an email addresses — this is how you became a target.
Scammers know how common it is to use the same password, so they’re simply playing the odds that some small percentage of those that get the message will believe them because it’s a password the victim is currently using.
You can quickly check to see how many of the publicly known breaches exposed your password and email address at sites, such as Have I been Pwned.
What to do
The first thing to know is that none of what is in the email is true; it’s simply a very cleverly constructed scam message.
In many cases the password that they include is an old one that you haven’t used in years, but if it is a password you’re currently using, you should immediately change it on each and every website that you are using it on.
This is just another clear reason why it’s critical to always use long, unique passwords on each of your online services and the only way to manage that is with some form of password manager.