An extortion scam is a type of scam where someone threatens, coerces, or blackmails the victim into providing a payment or service.

How Does it Work?

During an email extortion scam, the scammer sends extortion emails to many individuals. The email threatens to make embarrassing information public unless the victim pays up. Payment is made via Bitcoin, which lets scammers collect money easily and anonymously. To make the extortion look believable, the email may include a password that the individual has used to log into a website. This may lead victims to believe they've been hacked and to pay the extortion demand.

Providing a password in the message opening is intended to establish the extortioner's credibility and motivate the recipient to comply with the extortion request. The cited password may be an old, valid password that was disclosed due to a prior compromise of an unrelated account or service (such as LinkedIn, Yahoo, Tumblr, MySpace, etc.). The attackers may also be leveraging old lists of compromised credentials to narrow the range of target recipients of their campaign.

Many users have reported receiving emails that are known to be part of large-scale extortion campaigns. The following distinct features identify messages from these campaigns:

  • The message opens by disclosing a password to the recipient that is believed to be related to the targeted account holder, e.g., "I'm aware that <password> is your password."
  • The message then claims that the attacker has a compromising video of the recipient and threatens to release this video publicly unless a cryptocurrency payment is made to the extortioner, generally within 24 hours.
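
The features listed above can be turned into a simple mail-filter heuristic. The following is an added example, not code from this page's authors; the regular expressions, the `OPENING_CHARS` threshold, the `score_message` function and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

OPENING_CHARS = 300  # assumed size of the "message opening"

# Assumed wording patterns for the features listed above; tune on real samples.
FEATURES = {
    "password_disclosure": re.compile(
        r"\b(?:is|was)\s+(?:one\s+of\s+)?your\s+pass(?:word|phrase)\b", re.I),
    "video_claim": re.compile(r"\b(?:video|webcam|recording|footage)\b", re.I),
    "crypto_payment": re.compile(
        r"(?i:\b(?:bitcoin|btc|cryptocurrency)\b)"
        r"|\b(?:bc1[a-z0-9]{20,60}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "deadline": re.compile(r"\b\d{1,3}\s*(?:hours?|hrs?|days?)\b", re.I),
}

def score_message(raw):
    """Return which campaign features a raw RFC 5322 message exhibits."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    hits = {name: bool(rx.search(body)) for name, rx in FEATURES.items()}
    # The campaign leads with the password, so look for it only in the opening.
    hits["password_disclosure"] = bool(
        FEATURES["password_disclosure"].search(body[:OPENING_CHARS]))
    # The deadline is "generally" present, so it is reported but not required.
    required = ("password_disclosure", "video_claim", "crypto_payment")
    hits["matches_campaign"] = all(hits[k] for k in required)
    return hits

# Constructed samples (not real messages).
EXTORTION = """\
From: sender@example.invalid
To: user@example.invalid
Subject: read this

I'm aware that Tr0ub4dor-sample is your password. I recorded a video of you
through your webcam. Send Bitcoin within 24 hours or it goes public.
"""

BENIGN = """\
From: helpdesk@example.invalid
To: user@example.invalid
Subject: Password changed

Your account password was changed today. If this was not you, contact the
help desk within 24 hours.
"""

if __name__ == "__main__":
    for name, raw in (("extortion", EXTORTION), ("benign", BENIGN)):
        print(name, score_message(raw))
```

A match only indicates that a message resembles this campaign, so flagged mail should be quarantined for review rather than silently dropped.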

If You Have Received an Extortion Email Message

  1. Do not panic. These individuals likely do not have any compromising video of you.
  2. If the password in the email is one you recognize, change the password for any account where it was used. Use a new, unique password for each account so that an attacker cannot compromise multiple accounts with a single reused password.
  3. Please report the original message, including full headers, to [email protected] so that our incident response team can analyze and block these messages.