The extortion scam is not to be confused with the more serious crime of
sextortion. The essence of the extortion scam is that you receive a
message from a stranger saying they’ve hacked into your computer and
gathered embarrassing material. Commonly, they claim to have used your
computer’s camera to record you performing a sex act, and they threaten to
send the video to your friends, family or colleagues if you don’t make a
payment.
The stranger almost certainly does not have this material. Nor did they
hack into your computer. They’re not even interested in you in particular:
they’ve just used a mass-mailing tool, and you’re one of thousands or even
millions of people who received the same hoax message.
You can safely ignore or delete it.
Inclusion of real information
One tactic employed by these scammers is to include real information about
you in the message, such as:
- A password you’ve used before. The scammer will have obtained it from a
historic data breach — that’s when a company’s
customer records get stolen and often published online.
- Information about you, for example where you live or work. Consider that
this is often public anyway: you might have it on social media, or you
might be mentioned on your employer’s website. In other words, there’s a
simple explanation for how the scammer got this information, without going
to the trouble of compromising your device or accounts.
So, the inclusion of a password or other real information about you in an
unsolicited message should not make it more believable. Again: you’re not
being personally targeted.
That said, if you receive an extortion message that mentions a password you
recognise because you still use it today, you should
change it. Not because this scammer in particular
knows it, but because it must have been breached in the past and should now
be considered no good.