How to respond to a sextortion email – Which Computing Helpdesk

Getty Images/iStockphoto

There’s a new scam doing the rounds, and it’s scaring people: hackers are sending emails saying that they’ve got into your computer and have evidence of you visiting porn websites or have compromising photos or videos of you. Here's an example of that email:

The worrying thing about this is that the email quotes a real password you’ve used. The scammer, having thoroughly scared you, then threatens to release evidence of you using adult websites unless you pay a ransom, usually in Bitcoin.

What should you do?

Check your password

The first and most important piece of advice is check if the password the scammer is quoting is still current anywhere, and if so, to change that password immediately anywhere you use it.

If you use a small number of passwords on several websites, check to make sure they haven’t been compromised too.

You can check them with the password tool on the Have I Been Pwnd website. It’s safe to type in a password on this page: it’s run by Troy Hunt, one of the most respected names in the security industry.

While you’re on the Have I Been Pwnd website, also check to see if any of your email addresses have been compromised in a data breach: type in your email address here. Chances are it has been compromised at some point, so if it has and you have a lot of online accounts – online stores, banking, memberships etc – registered to that email account, check that the passwords for those are strong and recent.

The reason for that is if you use the same email address and password with lots of different accounts, a hacker could get into all of those using those login details.

We’ve got detailed advice on how to choose secure passwords here, but briefly, a secure password isn’t based on any personal information at all (so not your home town, your favourite football team, your pet’s name, etc), and is a phrase made up of more than one word.

If you’re not already using a password manager, now is a good time to start. We haven’t done a detailed review of all the password managers, but many of us on the Computing and Helpdesk team use LastPass. Do check out other alternatives such as 1Password, Dashlane, RoboForm and KeePass. Most of these have a free and a paid-for option, and most will have apps and browser extensions so that you can use them on all your devices – your laptop, your mobile, your tablet or your Chromebook.

Don’t panic

Try not to panic. Don’t reply to the scammers: they almost certainly haven’t gone to the trouble of compromising your computer and are trying to scare you into paying up. Someone who really did have evidence of you doing something unsavoury would probably send you a screengrab or similar to convince you and scare you further.

Scan your device

Just to be on the safe side, run a full scan of your computer or Android device using up-to-date antimalware (we rounded up the best antivirus packages earlier this year). That will pick up any malware that might have accessed your computer in the way the scammer is threatening.

Cover your webcam

Make a point of covering your webcam when you’re not using it. The chances of your webcam being compromised are small, but it’s an easy extra step to take. You can buy covers to stick on to your laptop that slide open when you want to use the camera, but a piece of masking tape over it will do the job just as well.

Report it

If you have already responded to one of these emails and paid the ransom, report it to the police. Action Fraud additionally says that if you haven’t paid, you should report the attempt to them via their website as a phishing attempt.

Keep sensitive data secure

And finally, if you are tempted to take photos or videos that could be compromising, never share them and make sure they’re kept in a safe place: an encrypted external hard drive that is never put online is the best bet.

How did the hackers get your password?

It’s likely they got them on the dark web. There are marketplaces there where scammers can buy login details from previous data breaches, and they can be surprisingly cheap. A Which? investigation found that your Facebook login could be sold for as little as £3.74.

The scam emails we’ve seen tend to suggest that the passwords the hackers have at the moment are old ones: one of my friends said the one a scammer sent her was 10 years old, and others have said the same.

But that doesn’t mean scammers won’t try and get their hands on more up-to-date passwords, so as ever, our main piece of advice is to make sure your passwords are strong, unique and protected by two-factor authentication.