What to do if you receive an extortion message claiming your files were copied and you are unsure if it is real
Short answer
Don’t reply or pay. Preserve the message, then quickly check for any real account/device compromise (from a clean device) and report it via the UK’s official reporting routes.
Do not do these things
- Don’t pay, even “to make it go away” (it can trigger more targeting).
- Don’t reply, negotiate, or click any links/attachments/QR codes in the message.
- Don’t forward it to friends/colleagues “to ask if it’s real” (you may spread malicious links or expose personal data).
- Don’t panic-change passwords on a device you suspect is infected (do changes from a clean device).
- Don’t delete everything immediately (keep evidence first, then clean up).
What to do now
- Get to a calm pause and contain risk. If you clicked a link/opened an attachment or entered a password, disconnect that device from Wi-Fi/mobile data (airplane mode) and stop using it until you’ve checked it.
- Preserve evidence (2 minutes). Take screenshots of the message, note the sender address/handle, payment details they provided, dates/times, and keep the original email/message (don’t “clean up” your inbox yet).
- Report the message safely (UK).
  - Email: forward the suspicious email to report@phishing.gov.uk, then delete it.
  - Text message: forward the suspicious text to 7726 (this spells SPAM on most keypads), then delete it.
  - In-app message/DM: use the platform’s Report function and block the sender.
- Check whether this is likely a bulk scam vs a real compromise (quick indicators).
  - If the email includes an old password you recognise: treat it as a warning sign your details were in a past breach, not proof they’re in your device now.
  - If they provide no specific proof (no real filenames, no accurate private details, no unique screenshot of your files), assume scam until proven otherwise.
- Check your accounts for real signs of compromise (from a clean device).
  - Email account first: review recent sign-ins, unfamiliar devices, and any auto-forwarding rules or “mail filters” you didn’t create.
  - Cloud storage (e.g., iCloud/Google/Microsoft/Dropbox): review recent activity and any unfamiliar shared links or third-party app access.
- Lock down your key accounts (from a clean device).
  - Change your email password first (email is the reset key for everything).
  - Turn on two-factor authentication (2FA) for email and cloud accounts.
  - Change passwords for any accounts that reused the same password; sign out of other sessions/devices where the service allows it.
- If you suspect your device is infected, do a “clean check.”
  - Run a reputable antivirus scan and apply operating system updates.
  - If signs persist (unknown admin accounts, security tools disabled, repeated logins you don’t recognise), stop troubleshooting and get help from a trusted repair professional or a cyber incident responder (especially for work devices).
- If this involves work/school systems, escalate immediately. Use your organisation’s IT/security contact (not the attacker). Don’t “handle it quietly” on your own.
- If you think money, identity, or accounts are at risk, report as cybercrime.
  - England/Wales/Northern Ireland: report to Action Fraud (keep any reference number).
  - Scotland: report to Police Scotland via 101 (or your local police route).
  - If there’s an immediate risk to you (threats of violence, stalking, or blackmail involving imminent harm), contact police via 999 (emergency).
What can wait
- You do not need to decide today whether you will “pursue” anyone or make public statements.
- You do not need to wipe your devices immediately; evidence and account control come first.
- You do not need to contact the attacker to “test” them—silence is safer.
Important reassurance
These messages are commonly sent in bulk and are designed to trigger panic and fast payment. Feeling shocked or embarrassed is normal — but you can slow this down, verify calmly, and regain control step by step.
Scope note
These are first steps to stabilise the situation and reduce harm. If you confirm a real compromise (especially involving work systems or sensitive personal data), you may need specialist technical and/or legal advice later.
Important note
This guide is general information, not legal or professional security advice. If you believe you’re in immediate danger or being targeted directly, contact UK emergency services. If you’re dealing with organisational systems, follow your organisation’s incident process.