11.06.2024 - Over the past few days, the NCSC has again received a number of reports of fake sextortion emails. Some of the emails appear to have been sent by the recipient themselves, or contain their actual password. How is this possible – and how should you respond if this happens to you?
The term "fake sextortion" consists of three parts: "fake", "sex" and "extortion". Targets of this type of scam receive an email claiming that their device has been infected with malware that has hijacked their webcam and filmed them engaging in sexual activity. The scammer will then blackmail the victim, threatening to release the video if they do not transfer money to a bitcoin address within a certain period of time (e.g. 48 hours). This story, which is sent to thousands of people, is a completely fabricated intimidation tactic designed to scare the victim into giving the scammers money.
These kinds of fake extortion emails have been around for a very long time – which makes it all the more surprising that not all email providers are able to filter them out.
However, many people now recognise these types of email for what they are and ignore them. But when the email appears to be from their own account and includes their own password as "proof", some people may be concerned.
When the email comes from your account
Unfortunately, it is very easy to forge an email address – you can change an email's "From:" field to anything you like. All a scammer has to do is enter the recipient's email address in this field (for more on this topic, see «Cybermyth: I can trust every email sender I know!»). Not all email providers are able to detect this kind of spoofing.
So if you receive an email from your own address, don't worry: you have not been hacked. The email was not sent from your account; it just looks like it.
Your own password in the fake sextortion email
A trickier case is when a scammer tells you they have access to your account, and they can prove it to you: they know your password. The trick is that the password was not actually stolen from the recipient's device, but from an online service provider (e.g. a forum or webshop), usually long ago. Scammers assume that passwords are rarely changed and that people use the same password across multiple accounts. Unfortunately, the scammers are often right. The password shown in the sextortion email may therefore indeed be the recipient's valid email password, or one that they use for other accounts.
Quick action is key
If you receive a fake sextortion email with a valid password, you need to act quickly. Other criminal groups will also have access to the leaked data and will try to make use of it.
The scammers will try to log in to various services with the leaked email address and password. For example:
- The recipient's email account
- Social media platforms (e.g. Facebook, Instagram, X, LinkedIn)
- Streaming services
- Gaming portals
- Payment services (e.g. Paypal, Klarna)
Once the scammers have gained access to your email account, they may also be able to take over other services, as the NCSC explained in a previous weekly report.
It is essential that you change the leaked password immediately everywhere you have used it.
Of course, your password may have been compromised even if you have not received a fake sextortion email. We recommend the following:
- Check to see if your information has been leaked by visiting a trusted website that offers this service, for example:
- It is a good idea to check several of these kinds of services. Just because one website does not report that your password has been stolen, this does not mean that another service won't find that it has.
- If one of the websites tells you that your address has been leaked, don't be surprised. Unfortunately, the odds are relatively high. The Have I Been Pwned website can tell you what data may have been leaked and where. If the leaked data includes a password, you should change it immediately.
- In general, use strong passwords with at least 12 characters (ideally uppercase and lowercase letters, numbers and special characters).
- Use a different password for every service.
- Use a password manager.
- Use two-factor authentication or passkeys for services that allow it.
Current statistics
Last week's reports by category:
Last modification 11.06.2024
