Sextortion and "I Know Your Password" Email Scams: What to Do

If an email has just landed in your inbox showing one of your real passwords and threatening to send embarrassing webcam footage to your friends and family unless you pay in Bitcoin, take a breath. It is frightening by design, but it is almost certainly a bluff. These messages are sent out by the million in the hope that a tiny fraction of people will panic and pay.

This guide explains, in plain English, what these scams actually are, why seeing your own password does not mean you have been hacked, exactly what to do next, and how to report it properly in the UK in 2026. We will also show you the few simple steps that make you a much harder target in future.

The short answer

You have not been filmed, your computer almost certainly has not been hacked, and you should not pay a penny. The criminals are guessing. As the UK's National Cyber Security Centre puts it in its own sextortion guidance, the people behind these emails "do not know if you have a webcam, or know if you've visited adult websites," and the password "in all likelihood has been obtained from historic breaches of personal data."

So the plan is simple: do not pay, do not reply, forward the email to report@phishing.gov.uk, then delete it. If the password shown is one you still use anywhere, change it and turn on 2-step verification. That is the whole response, and the rest of this guide explains why.

What an "I know your password" email actually is

This type of scam is known as sextortion. The criminal sends a threatening email claiming they have planted malware on your device, watched you through your webcam while you visited an adult website, and recorded everything. To "prove" it, they include a password you recognise. They then demand payment, usually in cryptocurrency, within a short deadline, and threaten to send the footage to your contacts if you do not pay.

It is convincing for one reason only: the password is genuine. That single detail makes the rest of the threat feel real. But it is a trick of presentation. The email is one of millions sent automatically, with your address and old password slotted in from a list. The National Crime Agency and police treat these as financially motivated extortion, and the overwhelming majority are empty threats with no footage and no malware behind them.

Why showing your password does not mean you were hacked

When a website you once signed up to suffers a data breach, the email addresses and passwords from that site can end up traded or dumped online. Criminals buy these old lists and use them to make sextortion emails look legitimate. So the password is real, but it came from a third-party breach, not from your computer or your webcam.

That is the key thing to understand, and it is why the threat falls apart once you know how it works:

What the email claims	The reality
"We hacked your computer and webcam"	They have not. It is a mass-mailed bluff sent to millions of addresses.
"We filmed you through your camera"	There is no footage. They are guessing you might have a webcam.
"Your password proves we were inside"	The password came from an old breach of a website, not your PC.
"Pay in Bitcoin within 48 hours"	Paying marks you as a real target and funds the criminals. Never pay.
"We will email all your contacts"	An empty threat designed to panic you into paying quickly.

If the password they quote is old, or one you have already changed, it is harmless. If it is one you still use, that is the only real risk here, and it is easily fixed by changing it, which we cover below.

What to do if you receive one

Work through these steps and you have dealt with it properly:

1. Do not panic and do not pay. The threat is almost certainly empty.
2. Do not reply, and do not click any links or open any attachments in the email.
3. If the password shown is one you still use anywhere, change it straight away and make the new one unique to that account.
4. Turn on 2-step verification on your email and other important accounts, so a stolen password alone is not enough to get in.
5. Forward the email to report@phishing.gov.uk, the NCSC Suspicious Email Reporting Service, then delete it.
6. Check haveibeenpwned.com to see which breach exposed your details, and update any other accounts that share that password.
7. If you have already paid, report it (see below), tell your bank, and know that free emotional support is available from Victim Support on 0808 168 9111.

How to report it in the UK (2026)

There is one important change to be aware of. Action Fraud no longer exists. On 4 December 2025 it was replaced by Report Fraud, run by the City of London Police, as the UK's national fraud and cybercrime reporting service for England, Wales and Northern Ireland. The phone number is unchanged.

• Report online: reportfraud.police.uk
• By phone: 0300 123 2040
• In Scotland: Report Fraud does not yet cover Scotland. Report to Police Scotland directly on 101.
• Suspicious emails: forward them to report@phishing.gov.uk. This NCSC service has received tens of millions of reports and has helped take down hundreds of thousands of malicious websites.
• Scam texts: forward them to 7726 (free, and it spells "SPAM" on a keypad).

Reporting takes a couple of minutes and genuinely helps. Every report feeds the national picture that gets scam websites taken offline.

How to protect your accounts

A sextortion email is really just a reminder that one of your old passwords is floating around. A few simple habits make you a much harder target and neutralise these threats almost entirely.

• Turn on 2-step verification (2SV). The NCSC calls this one of the most effective ways to protect your accounts. Even if someone has your password, they cannot get in without the second step. Do it on your email first, since that is the account that can reset all the others.
• Use a strong, unique password for your email. The NCSC recommends combining three random words to make a password that is long and memorable but hard to crack, rather than fiddly character swaps like changing "o" to "0".
• Let a password manager do the work. A password manager creates and remembers a unique password for every account so you do not have to. Passkeys, where offered, are an even simpler and more secure way to sign in.
• Keep antivirus simple. For most home users, Microsoft Defender, which is built into Windows, free and on by default, is enough. It scores top marks in independent AV-TEST results. Just keep it switched on and do not run two antivirus products at once.
• Install Windows updates promptly. Security updates close the holes criminals rely on, so turn on automatic updates.

One more thing worth flagging: free support for Windows 10 ended on 14 October 2025. If you are still on Windows 10, you are no longer getting regular free security updates, which matters a great deal for staying safe online. It is worth seeing whether your PC can move to Windows 11, or looking at Microsoft's paid Extended Security Updates as a stopgap.

Worried your account really has been hacked?

Most of the time, a sextortion email is all bluff and the steps above are all you need. But if you are genuinely worried, if a password you still use has leaked, if you have spotted logins you do not recognise, or if you simply want peace of mind, it is worth having things checked over properly.

We help people across Manchester with exactly this. Whether it is a full virus and malware check, securing a compromised email account, a wider computer security health check, or moving you safely onto Windows 11, we will give you honest advice with no scare tactics. If you have had one of these emails and it has unsettled you, get a free, no-obligation quote or call us on 0161 820 1992 and we will put your mind at rest.