Cybercriminals are sending a new wave of sextortion emails claiming they have complete access to victims' computers, phones, and online accounts.
The scammers often include an old password obtained from a previous data breach to make their threats appear legitimate.
Security experts say the threats are almost always fake and victims should not pay the cryptocurrency ransom being demanded.
If a scam is effective, you can bet it will be tried time and time again. Cybersecurity firm Malwarebytes warns that consumers are once again being targeted by a familiar but effective online extortion scheme.
In a consumer alert, the company reports a resurgence of so-called sextortion emails, claiming hackers have gained complete control of victims' devices.
The emails typically allege that the sender installed malware on the recipient's computer through a browser vulnerability or malicious website. The scammer claims to have full access to the victim's files, email accounts, contacts, webcam, and microphone, and threatens to release embarrassing videos or private information unless a ransom is paid in cryptocurrency.
Why threats may seem real
To make the threat seem credible, many of the messages include an actual password associated with the recipient. However, Malwarebytes says these passwords generally come from old data breaches and are unrelated to any current compromise of the victim's devices.
One recent version of the scam claims the victim's browser was infected through a "drive-by exploit" that allegedly provided the attacker with complete control over the device. The email then demands payment in Bitcoin within a few days, threatening to distribute compromising material to family members, friends, and social media contacts if the victim refuses.
Security researchers say the messages rely on fear, embarrassment, and urgency rather than actual hacking. In many cases, scammers send the same email to thousands of people, hoping a small percentage will panic and pay.
What not to do
Malwarebytes advises recipients not to reply to the email, not to send any money, and not to open attachments or follow links in the message. Anyone who recognizes the quoted password should change it immediately on every account where it is still in use: the reused breached credential, not any malware on the device, is the only real exposure the email points to.
Experts also recommend enabling multi-factor authentication, using a unique password for every account, and checking whether their email address or passwords have already appeared in a known data breach.
The scam's persistence reflects the continuing profitability of sextortion schemes. Researchers have found that such campaigns can generate substantial revenue for cybercriminals despite their relatively simple tactics.
Consumers who receive one of these emails should remember that the presence of a real password does not mean a hacker currently controls their devices. In most cases, cybersecurity experts say, the message is simply another attempt to turn old stolen data into a new payday.
