How the Scam Works
The scam operates in three steps that make it convincingly personal, even though it's fully automated and mass-targeted:
Step 1 - They buy your breached password. Data breaches from LinkedIn, Adobe, Dropbox, Yahoo, and hundreds of other sites have exposed billions of email/password combinations. These are freely traded in criminal marketplaces. The password in the email is real - it's one you used on a breached site, possibly years ago.
Step 2 - They scrape your LinkedIn profile. LinkedIn is public. Your name, title, employer, profile photo, and connection list are visible to anyone. The email references this information to create the impression of surveillance.
Step 3 - They send a mass automated email. The email is generated from a template, populated with your email address, the breached password, and sometimes your LinkedIn photo or employer name. Thousands of people receive the same email simultaneously. The scammer never watched you, never had access to your computer, and has no video.
Why It Feels So Real
The psychological impact is significant - seeing your own password in the email creates a visceral sense that your computer is compromised. This fear response is the entire mechanism of the scam. The scammer is counting on the combination of embarrassment (about the alleged content) and apparent proof (the password) to override rational thinking.
The fact that the password may be one you still use - or used to use - is alarming, but it's not evidence of computer compromise. It's evidence that a site you used was breached. This is a data problem, not a malware problem.
What to Do
- Do not pay. Paying confirms that your email address is active and that you are willing to pay - you will receive more extortion attempts.
- Change the password immediately on any account where you still use it.
- Enable MFA on all accounts that support it, especially email, banking, and Microsoft/Google accounts.
- Check if your credentials have been breached at haveibeenpwned.com.
- Don't reply to the email - it confirms your address is active.
- Report it to the Canadian Anti-Fraud Centre at antifraudcentre.ca if you're in Canada.
What ThreeShield Does for Clients
ThreeShield monitors for breached credentials for managed clients - if your email address and password appear in a new breach, we alert you before a scammer does. Lavawall® includes dark web credential monitoring as part of the platform, so your team is notified when their work accounts appear in breach data.
We also deliver security awareness training that specifically covers this type of social engineering, so employees recognize the scam and report it rather than panicking or paying.