Yep, you read that right. That hacker has been watching you when you thought it was “private time”… or so they claim, but do you really need to be worried?
You have no idea how much I wish I was writing this a few years ago. Things were so much simpler. Obvious scams were obviously fake. The threats they made were hollow. The consequences nonexistent.
Sadly, thanks to Generative AI, this topic is no longer quite so cut-and-dried. I remain wholly unconvinced about the revolutionary capacity of GenAI, but that’s a topic for another time.
What I wish I could write…
Scams are everywhere online: in your email, sliding into your DMs, on WhatsApp… and if you’re reading this thinking “I’ve no idea what you’re on about”, then you’re either very lucky (and I’m jealous) or someone who really needs to read this article.
In over 10 years of working with email security, I’ve seen a lot of junk email. The range of quality, effort, and intent that goes into these things would surprise you. For this article, I want to focus on one specific example: the “hacker” who has video evidence of you watching adult content.
These types of emails all tend to follow a predictable formula:
- The email appears to have come from your own address,
- The scammer claims to have been watching you for months,
- Malware? They’ve heard of it, and there’s apparently a “Trojan Virus” on your machine which updates every 4 hours or so,
- Your contacts, your email, they’ve got access to it,
- The threat: that they have a side-by-side recording of your “private time”, and the material you were watching during it,
- The remedy: pay some Bitcoin, and the whole problem goes away!
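The formula above is regular enough to check for mechanically. The sketch below is an added example, not something from the original article: the sample message, the addresses, the wallet string, the signal names and the three-signal threshold are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message; the address and wallet are placeholders.
SAMPLE = """\
From: alice@example.com
To: alice@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.invalid
Subject: You have been hacked

I put a Trojan virus on your machine months ago and recorded you through
your webcam. Pay $1500 in Bitcoin to 1FakeWaXXetAddressForDemoPurposes
or the video goes to all your contacts.
"""

# Shape of a Bitcoin address only (legacy or bech32); the checksum is not verified.
BTC = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-z]{11,71})\b")
AUTH_FAIL = re.compile(r"\b(?:spf|dkim|dmarc)=(?:fail|softfail)\b", re.I)
CLAIMS = re.compile(r"\b(?:trojan|webcam|recorded|malware)\b", re.I)
LEVERAGE = re.compile(r"\b(?:your contacts|friends and family|everyone you know)\b", re.I)

def scam_signals(raw: str) -> list[str]:
    """Return the parts of the formula that a raw plain-text email matches."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload()  # a str for the single-part messages used here
    # Only trust Authentication-Results stamped by your own mail server.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    signals = []
    if sender and sender == recipient:
        signals.append("from-own-address")
    if AUTH_FAIL.search(auth):
        signals.append("sender-auth-failed")
    if CLAIMS.search(body):
        signals.append("surveillance-claim")
    if LEVERAGE.search(body):
        signals.append("threat-to-contacts")
    if BTC.search(body) or re.search(r"\bbitcoin\b", body, re.I):
        signals.append("crypto-demand")
    return signals

def looks_like_sextortion(raw: str) -> bool:
    # One signal alone is weak (people do email themselves); require several.
    return len(scam_signals(raw)) >= 3

if __name__ == "__main__":
    print(scam_signals(SAMPLE), looks_like_sextortion(SAMPLE))
```

A “from your own address” message that also fails sender authentication is the strongest tell here: it means the From line was simply typed in by the sender, not that anyone logged in to your mailbox.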
 
What a load of rubbish, right?
Almost definitely, yes. In truth, if a hacker had unfettered access to your device for months, do you really think the worst they’d do is get one video of you watching adult content and threaten to share it unless you send them some Bitcoin?
Let’s break down why this particular email scam is garbage.
Where’s the proof?
Surprisingly, this one’s easy: there is none. Sure, sometimes the hacker’s “proof” is a password that you’ve used. Does this mean that you’re hacked? No, probably not. However, many people unfortunately do at least one of the following “bad practices” when it comes to passwords:
- Use the same password in more than one place,
- Choose a common, easily guessed password, such as “password123!”,
- Rarely, if ever, change their password,
- Don’t use a password manager to generate and store “good” passwords.
 
Yes, that password which the hacker has put in the email may be one you recognise. It may be the one you use to log in to your computer, or Facebook, or your email. However, this doesn’t mean your computer has been hacked.
Lots of people’s passwords – including mine – have been exposed by websites that they use being hacked, and their information stolen. This info gets sold or traded in underground criminal forums for people to use for stuff like these scam emails.
If there was really a video of you in a compromising state, good proof of that would be a couple of stills or a short clip, right? “Here’s a few seconds of the video; there’s plenty more that I can share!” is a far more effective threat than “Trust me, I’ve got a secret recording of you. Don’t ask to see it, just pay up to keep it quiet!”
You want how much!?
The scammers making these threats typically demand $1000 – $2000, though the amounts can vary wildly. But let’s think about that for a second.
This “hacker” has total access to your computer, right? They’ve got all your passwords, they’ve been watching you for months… So, surely, they know where you shop. They know where you bank. They’re in your email. Best of all, you had no idea about any of this!
Considering they went undetected for months, why pop up and announce themselves now? On top of that, total control of your accounts was theirs for the taking, so why ask for your money rather than simply taking it?
The simple answer is that it’s a numbers game. These emails get sent to thousands of people at once. Since the scammers don’t actually have access to your tech, they can’t just take your money. They’re banking on a handful of people to believe them and pay up. Demanding $1500 from 120,000 people, and getting just 0.1% of them (120 people) to pay gets you $180,000.
What should I do?
Nothing. Don’t panic. Ignore the urge to respond. Do not pay up. Definitely don’t open anything attached to the email.
That being said, there are things you can do if you find that you’ve received one of these emails. If you’re in the UK, you can report the email to Action Fraud.
Additionally, if the email contained a password which you recognise and are still using, you should change it immediately, especially if you’re using it somewhere sensitive, like your bank.
Furthermore, whilst I’m pretty confident that the person sending you these emails hasn’t actually dropped some malware on your computer, it doesn’t hurt to do a scan and check. In this situation it’s good to reassure yourself that your computer is clean, and you probably ought to be doing a scan every now and then anyway.
Finally, you can look and see where the scammer may have got your info from. You can do this quickly and easily using the excellent Have I Been Pwned? website, just by entering your email. Run by a well-known figure in cybersecurity, Troy Hunt, HIBP? can help you identify credentials that you should have changed yesterday.
An incomplete AI picture…
As much as I would love to end there, I can’t. Because of AI there is now a growing likelihood that some of what I’ve said is complete garbage.
To be clear, I’m not saying that AI is making it easier to hack into your computer. (Although, come back another day as it is kinda doing that so I might well write about it!) Neither am I saying that AI is stealing your data…
The truth is that AI makes it so much easier for these sextortion scammers to fake the compromising material they’re threatening to release. As a result, all the scammer needs is a photo of you from your social media and a couple of clicks later they’ve got “your nudes”. Until now you’d need some skills with Photoshop or similar to pull this off. Not any more.
This isn’t hyperbole, either. As I said in a previous post, this is a very real threat for young people in particular online. Even if someone is comfortable enough to send nudes to a potential romantic partner, that’s a wholly different scenario to having some rando in your email threatening to send fakes to your employer or family.
In cases like these, it’s important to note that even creating these deepfakes is a crime and there are avenues open to deal with it. Police.UK provide an excellent resource on this, in particular.
Under those circumstances and faced with a convincing fake, I don’t imagine it would be easy to remain calm. But keep in mind that even in scenarios like this, you’re better off not interacting and reporting the incident. If you pay them off once, there’s a very real chance you’ll end up on a list of marks and find that more threats and fakes come your way.
In conclusion…
Hopefully if you’ve made it this far, you’ve got a bit of an idea of one example of the kind of junk you can safely ignore should you find it in your inbox. Also, I sincerely hope you never end up on the receiving end of a deepfake threat.
Below are some resources relating to this topic which I hope you’ll find useful. I’ll keep updating this list if I find anything new which may be relevant. In addition, our Resources page is where I link to a broader range of material that I think is beneficial for people.
— TTFN
Additional Resources

