How to Stop Sextortion Emails and Protect Yourself

If you received an email claiming to have compromising photos or videos of you and demanding payment, here is the most important thing to know: it is almost certainly a bluff. These emails are sent to millions of people at once using automated scripts. The sender does not have what they claim to have.

Sextortion emails are one of the most common email scams operating today. They are designed to trigger panic so you pay before thinking clearly. This guide explains exactly what is happening, what to do right now, and how to protect yourself going forward.

What sextortion emails actually are

Sextortion emails are mass-sent scam messages that claim the sender has:

• Recorded you through your webcam
• Captured your browsing history on adult websites
• Obtained compromising photos from your device
• Installed malware that monitors your activity

They demand payment (almost always in Bitcoin) within a short deadline, threatening to send the material to your contacts if you do not pay. Some include an old password of yours to make the threat seem credible.

The reality: these are bulk scams. The sender has no photos, no videos, and no access to your webcam. They got your email address (and possibly an old password) from a data breach database, and they are sending the same threatening email to thousands of people hoping a small percentage will pay out of fear. For a detailed breakdown of how these emails are constructed, see our anatomy of a sextortion email.

What to do right now

If you just received one of these emails, follow these steps in order:

Step 1: Do not reply and do not pay

Do not respond to the email in any way. Do not negotiate. Do not pay the Bitcoin ransom. Responding confirms your address is active and may lead to more messages. Paying proves you are a viable target and invites further demands.

Step 2: Do not click any links

Sextortion emails sometimes include links that claim to show "proof." These links may install malware, redirect to phishing pages, or simply track that you clicked (confirming your address is active). Ignore all links in the email.

Step 3: Check if they mentioned a real password

Many sextortion emails include an old password to make the threat seem legitimate. If the password they listed is one you currently use anywhere:

• Change it immediately on every service where you use it
• Enable two-factor authentication on those accounts
• Use a password manager to generate unique passwords for each service going forward

The password came from a data breach, not from monitoring your computer. You can check which breaches exposed your information at haveibeenpwned.com.

Step 4: Report the email

• Mark it as spam in your email client (this trains the spam filter)
• Forward to reportphishing@apwg.org (Anti-Phishing Working Group)
• Report to the FBI''s IC3 at ic3.gov (United States)
• Report to Action Fraud at actionfraud.police.uk (United Kingdom)
• For other countries, report to your national cybercrime authority

Step 5: Move on

The email will not be followed up on. The sender does not have what they claim. In a few days, you will stop thinking about it. That is the right outcome.

How to tell if it is a bluff

Almost all sextortion emails share these characteristics that reveal them as mass-sent scams:

Sign	What it means
Generic greeting (no name, or wrong name)	The sender does not know who you are — they only have your email address
Demands payment in Bitcoin or cryptocurrency	Untraceable payment is the hallmark of mass scams
Mentions an old password you no longer use	Pulled from a years-old data breach, not from monitoring you
Short deadline with urgency language	Designed to prevent you from thinking clearly
No specific details about you	If they actually had compromising material, they would describe it specifically
Claims to have "installed software" on your device	Technically implausible at the scale these are sent
Sent from your own address (spoofed)	Email spoofing is trivial — this does not mean they accessed your account

When to take it more seriously

In rare cases, sextortion is targeted rather than mass-sent. Take it more seriously if:

• The email references specific personal details that are not publicly available
• The email includes actual photos or screenshots (not just claims)
• The sender contacted you through multiple channels (email, social media, text)
• You were previously in contact with the sender (romance scam escalation)

If any of these apply, contact local law enforcement immediately. Targeted sextortion is a criminal offense in most jurisdictions, and law enforcement agencies have dedicated cybercrime units that handle these cases.

How your email ended up in a sextortion campaign

Sextortion scammers do not hack individual accounts. They buy or download breach databases containing millions of email-password pairs, then send the same threatening template to every address in the list. The password they mention is from that breach, not from monitoring you.

Major breaches at services like LinkedIn, Adobe, Dropbox, and MyFitnessPal have exposed billions of records over the years. If your email has been active for more than a few years, it is almost certainly in at least one breach database.

Prevention: stop your email from being in future breaches

You cannot undo past breaches, but you can limit future exposure:

Use a unique email alias for every service

Instead of giving your real email to every service, use a unique alias for each one. When a service is breached, only that alias is exposed. Scammers cannot connect it to your real address or your other accounts.

If that alias starts receiving sextortion emails, you disable it. Your real address never sees the spam. For a comparison of this approach versus Gmail''s plus addressing trick, we have a detailed breakdown.

Use unique passwords everywhere

The "we have your password" trick only works if you reuse passwords. A password manager generates and stores unique passwords for every account. When a breach exposes one password, nothing else is affected.

Enable 2FA on everything

Even if a password is exposed in a breach, 2FA prevents anyone from accessing the account without your second factor. Prioritize 2FA on your email, banking, and social media accounts.

Check your exposure

Visit haveibeenpwned.com and enter your email address. It shows which breaches your address appeared in, when they happened, and what data was exposed. For a broader guide to reducing your digital footprint, we cover additional strategies.

Frequently asked questions

Should I respond to tell them I know it is a scam?

No. Any response confirms your email is active and monitored. Silence is the best response.

Should I pay to make it stop?

Absolutely not. Paying does not guarantee silence — it guarantees they know you are willing to pay, making you a target for further demands.

Can they actually access my webcam?

In mass-sent sextortion, no. The claim is fabricated. However, as general good practice, keep your operating system and browser updated, and consider covering your webcam when not in use.

I received multiple sextortion emails. Does that mean they are targeting me?

Not necessarily. Your email address may be in multiple breach databases, and different scam operations use different lists. If the emails are generic (no specific personal details), they are mass-sent.

Will the emails stop on their own?

Usually yes. Most sextortion campaigns are one-shot — the sender moves on to other addresses. If you continue receiving them over weeks, your address is in an actively traded spam list. Marking as spam, blocking the sender, or disabling the alias receiving them are your options.

Should I report it to the authorities?

Yes. Reporting helps law enforcement track sextortion campaigns, identify Bitcoin wallets, and occasionally shut down operations. Your individual report adds to a larger intelligence picture even if it does not result in an immediate arrest.