Valentine's Day 2019: The Rise of Sextortion Email Scams

Happy Valentine's Day. Let's talk about one of the creepiest email scams of the past year: sextortion. Not exactly romantic, but relevant. These scams have flooded inboxes since late 2018, and we've had multiple clients call us in a panic after receiving one.

What the Email Says

The typical sextortion email goes something like this:

"I hacked your computer and recorded you through your webcam while you were visiting [adult website]. I also have your contact list. Pay $2,000 in Bitcoin within 48 hours or I'll send the video to everyone you know."

To make it more convincing, the email often includes one of your actual passwords in the subject line. Something like: "Your password is fluffy2015. I know everything."

Seeing your real password is terrifying. It feels like proof that the hacker actually accessed your computer. But here's the truth: they didn't.

How It Actually Works

The passwords come from old data breaches (LinkedIn, Yahoo, Adobe, etc.). Attackers buy lists of email-password combinations from the dark web and use them in mass email campaigns. They didn't hack your webcam. They didn't install malware. They found your old password in a breach database and used it to scare you.

There is no video. There is no access to your contacts. It's a bluff powered by a leaked password.
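
Because the campaign is a mass-mailed template, the traits described above (a password quoted in the subject, a webcam-recording claim, a Bitcoin demand, a deadline) can be matched at a mail filter. The following is an added example, not code from this blog: the rule names, regexes and threshold are assumptions for illustration, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Illustrative rules (assumed, not a vetted ruleset): name -> (field, regex).
RULES = {
    "password_in_subject": ("subject", r"\bpassword\b"),
    "recording_claim": ("body", r"\bwebcam\b|\brecorded you\b"),
    # The word itself, or something shaped like a legacy/bech32 address.
    "bitcoin_demand": ("body", r"\bbitcoin\b|\bbtc\b"
                               r"|\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"
                               r"|\bbc1[a-z0-9]{11,71}\b"),
    "deadline": ("body", r"\b\d{1,3}\s*(?:hours?|hrs|days?)\b"),
}
THRESHOLD = 3  # one trait alone is common in legitimate mail


def triage(raw):
    """Return the matched traits and a quarantine decision for one raw message."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    fields = {"subject": str(msg["subject"] or ""),
              "body": part.get_content() if part else ""}
    hits = [name for name, (field, pattern) in RULES.items()
            if re.search(pattern, fields[field], re.IGNORECASE)]
    return {"hits": hits, "quarantine": len(hits) >= THRESHOLD}


# Constructed samples: the first reuses the wording quoted in this post.
SCAM = """\
From: sender@example.invalid
Subject: Your password is fluffy2015. I know everything.

I hacked your computer and recorded you through your webcam.
Pay $2,000 in Bitcoin within 48 hours or I'll send the video to everyone you know.
"""
BENIGN = """\
From: support@example.invalid
Subject: Your password was changed

If this was not you, reset it within 24 hours from your account settings.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(label, triage(raw))
```

Matching on the template rather than on the quoted password means the filter needs no access to breach data, and the threshold keeps an ordinary password-change notice out of quarantine.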

Why It Works

These scams are effective because:

  • The password is real. Seeing an actual password you've used creates immediate fear and credibility.
  • Shame and privacy. Even people who haven't visited compromising websites worry about what a webcam might have captured.
  • Time pressure. "48 hours or else" prevents rational thinking.
  • Bitcoin anonymity. Payment is untraceable, which makes it feel like the attacker is sophisticated.

The FBI's Internet Crime Complaint Center received over 51,000 sextortion complaints in 2018, with victims losing more than $83 million.

What To Do If You Receive One

  1. Don't panic. It's a mass scam. There is no video.
  2. Don't pay. Paying only confirms you're a responsive target.
  3. Don't respond. Any response confirms your email is active.
  4. Change the password mentioned in the email (if you're still using it anywhere). This is the one actionable item.
  5. Check haveibeenpwned.com. See which breaches exposed your credentials.
  6. Report it. Forward the email to the FBI's IC3 at ic3.gov.

The Bigger Lesson

These scams work because of password reuse. If you use unique passwords for every account (via a password manager), a leaked password from one breach can't be used to scare you or access other accounts.

If your password showed up in a sextortion email, take it as a wake-up call: get a password manager, generate unique passwords for everything, and enable two-factor authentication wherever possible.

Happy Valentine's Day. Change your passwords. It's the most romantic thing you can do for your digital safety.