This is generally known as either “webcam blackmail” or a “sextortion scam”, and the email should have been diverted to your spam folder.

Very few people ever make the requested payment. However, since the cost of sending millions of spam emails is basically zero, even a few payments are easy profits.

What’s on the hook?

Random spam emails probably don’t have much success, so the would-be blackmailers have been trying to personalise their attacks in various ways. The most common ones are email spoofing, including a password, and including all or part of a phone number.

Most email services have no way of authenticating the From: and Reply-To: fields in email messages, so spammers can fill these fields with anything they like. Your attacker simply made the From: address the same as the To: address, so it looked as though you had sent the email yourself. You hadn’t.
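The self-addressed trick described above can be spotted mechanically in a message's headers. The following is an added example, not part of the original article: a small Python triage function run over a constructed sample message. The addresses, the host name `mx.example.net`, and the assumption that your receiving mail server stamps an `Authentication-Results` header are all illustrative.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: every address and host name is a placeholder.
SAMPLE = (
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.invalid; "
    "dkim=none; dmarc=fail header.from=example.com\n"
    'From: "You" <alice@example.com>\n'
    "To: alice@example.com\n"
    "Reply-To: collector@bulk.invalid\n"
    "Subject: I recorded you\n"
    "\n"
    "Pay within 48 hours.\n"
)

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts stamped by our own receiving server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # anyone can add this header; trust only our own server's
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def triage(raw, trusted_authserv="mx.example.net"):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(to_cc)}
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = []
    if sender and sender in recipients:
        findings.append("from-equals-recipient")
    if reply_to and reply_to.rpartition("@")[2] != sender.rpartition("@")[2]:
        findings.append("reply-to-other-domain")
    verdicts = auth_results(msg, trusted_authserv)
    not_passed = [m for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    if not_passed:
        findings.append("auth-not-pass:" + ",".join(not_passed))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message you really sent to yourself through your own provider would still trigger the first finding, so treat the findings together rather than any one alone.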


Other versions of this phishing attack include one of the recipient’s passwords and/or part of a phone number. These have usually been obtained from one of the security breaches that have exposed details of billions of users. In 2017, Yahoo admitted that its data breaches compromised 3 billion accounts. Other major breaches involved Marriott International (500 million customers), LinkedIn (164 million), Adobe (153 million), eBay (145 million), Sony’s PlayStation Network (77 million), Uber (57 million) and Ashley Madison (31 million).

Password checking

There’s a good chance that one of your passwords was exposed in one or more of these breaches. You can check by typing your email addresses into the website Have I Been Pwned? (HIBP).

If your email address comes up in HIBP, then you must change the password that you used for all the sites that suffered data breaches. If you used the same password for any other sites – that’s a bad idea, obviously – you should also change the password on those.

If the Pwned Passwords page reveals that one of your passwords has been exposed, you should change that as well: you may not have been pwned, but your password is not unique. Some are quite common. For example, the password “12345” has been exposed 2.3m times, “secret” 221,972 times, “god” 32,804 times and “arcticmonkeys” 649 times.


If in doubt about any email, or if you feel your email account has been compromised, contact your IT Support today.