'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
us Technology & digital loss extortion email about stolen files • blackmail message says files copied • ransomware style demand bitcoin • data theft threat email • hacker claims they have my files • scam email says i was hacked • email says they know my password • bitcoin blackmail email • i got an extortion dm • someone threatens to leak my data • unsure if breach is real • urgent payment demand message • account compromise warning email • files exfiltrated threat • received blackmail invoice email • cyber extortion message • email claims webcam recording • data breach fear email What to do if…
What to do if…
you receive an extortion message claiming your files were copied and you are unsure if it is real
Short answer
Don’t reply or pay. Save the evidence, then check for real account/device compromise from a clean device and report it through U.S. reporting channels.
Do not do these things
- Don’t pay (payment often leads to repeat demands).
- Don’t reply, argue, or try to “catch them out.”
- Don’t click links, open attachments, or scan QR codes in the message.
- Don’t change passwords on a device you think might be infected (use a clean device).
- Don’t immediately factory-reset or throw away devices before capturing basic evidence.
What to do now
- Create a safer pause and contain exposure. If you clicked anything or entered a password, disconnect that device from Wi-Fi/cellular and stop using it until you’ve checked it.
- Preserve evidence (2 minutes). Screenshot the message, save the email in a way that keeps the sender details, and record the sender info, dates/times, and any crypto wallet/payment instructions.
- Assume “scam until proven” unless they show real proof. Many extortion emails reuse leaked passwords or generic claims. If they provide no verifiable details (real filenames, accurate private info you haven’t shared publicly, unique proof), treat it as likely mass-spam.
- Check your most important accounts for compromise (from a clean device).
- Email account first: review recent sign-ins, unfamiliar devices, recovery email/phone changes, and any auto-forwarding you didn’t set.
- Cloud storage: check recent activity, shared links, and connected third-party apps.
- Lock down accounts (from a clean device).
- Change your email password first and enable multi-factor authentication (MFA).
- Change passwords anywhere you reused that password; sign out of other sessions where possible.
- Scan and update devices.
- Run a reputable antivirus/anti-malware scan and update the operating system and browser.
- If you see persistent signs (new admin accounts, security tools disabled, repeated unknown logins), stop experimenting and get help from a trusted professional—especially for a work computer.
- If this involves work/school systems, report internally immediately. Contact your IT/security team. Don’t use personal email or the attacker’s channel for “proof.”
- Report it (USA) — and avoid fake “reporting” sites.
- File a complaint with the FBI’s Internet Crime Complaint Center by typing ic3.gov directly into your browser (don’t use links from the extortion message or ads/search results).
- Report the scam to the FTC at ReportFraud.ftc.gov.
- Be cautious if anyone claims to be “IC3” or “FBI” and asks for money, gift cards, crypto, or a “recovery fee.”
- If you’re in immediate danger or being threatened with imminent harm, call 911.
- If money or identity is at risk, take one extra protective step.
- Check recent bank/credit card activity and consider placing a fraud alert or credit freeze if you shared sensitive info or suspect account takeover.
What can wait
- You do not need to decide right now whether you will “pursue” the person or publicly respond.
- You do not need to wipe devices immediately; account control and evidence come first.
- You do not need to contact the attacker to confirm anything.
Important reassurance
These messages are designed to trigger panic, shame, and fast payment. Even if the message feels personal, many are automated and sent at scale. You can slow down, verify calmly, and take control with a few concrete checks.
Scope note
These are first steps only. If you confirm a real compromise (especially with work systems or sensitive personal data), you may need specialised technical help and may want legal advice later.
Important note
This guide is general information, not legal or professional cybersecurity advice. If you believe you are in immediate danger, contact emergency services. If this involves workplace or school systems, follow their incident reporting process.
Additional Resources
- https://consumer.ftc.gov/consumer-alerts/2020/04/scam-emails-demand-bitcoin-threaten-blackmail
- https://reportfraud.ftc.gov/
- https://www.ic3.gov/
- https://www.ic3.gov/PSA/2025/PSA250418
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/spoofing-and-phishing
- https://www.cisa.gov/stopransomware/ransomware-guide