I call this the “Pegasus Extortion Scam” but to be honest, it’s been around for a while and didn’t always reference the spyware product. Earlier versions just mentioned they infected you with a generic “virus”.
If you’ve ever panicked over an email that seems to come from your own email, then you’re not alone. Lots of people get it because scammers hope that of the thousands of people they send this to. It’s one of the most common phishing emails I see being sent to employees, and many other people post to various and sundry help groups about it.
I’m trimming down this page a bit because scammers are changing up this script almost at the speed of light, but here’s a rundown:
You get a random email, usually one that seems to come from your email address.
This email may have the scam pasted in the message body or in a PDF.
The email might mention a password or phone number associated with you.
The ‘hacker’ has hacked into your computer/mobile device. Sometimes this is just random malware, sometimes it’s RDP (which is not a common thing outside Windows), and some versions use Pegasus.
This is usually because you haven’t been careful with where you’ve been surfing, and the ‘hacker’ “implanted malware” on a porn site that you visited.
The ‘hacker’ has video of you “pleasuring yourself” and threatens to spread video of this to all your friends and family, since they have all of your contacts.
However! If you send them some form of cryptocurrency payment, they won’t send anything.
You have 24/48/72 hours to make the payment.
They nicely give you instructions on how to get crypto.
They’ll go away if you pay them.
My counters to this:
Spoofing an email is very easy.
Usually the phone number or password is from a data breach. Phone numbers are not protected information! Also, if you are still using the password it’s really really time to change it.
Hackers like to stay hidden. If they really had a RAT (Remote Access Trojan) they would not be trying to blackmail you, they would log into your bank account and take your money.
If someone mentions “Pegasus” as the way they got access to your device, be aware that Pegasus is sold to governments and very powerful people, not ‘hackers’, and also, it is a mobile-only malware.
They definitely have not been watching you “pleasuring yourself”.
Scammers are not people of their word. If you send them money you’re just telling them you’re an easy mark and they will come back again and again and again.
By the way, no, they don’t have a magic pixel to tell whether you’ve opened their email.
Incidentally, this scam is so common that the people on the Scams subreddit see it 10-20 times per day, just with different wording.
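A header check for the spoofing point in the counters above, as an added example that is not part of the original post: it reads a raw message and reports whether the "from your own address" claim is backed by the SPF, DKIM and DMARC results your receiving server recorded. The sample message, its addresses, the `mx.example.org` server name and the function names are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real email): From and To carry the same address,
# but the receiving server recorded SPF and DMARC failures.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.org
From: "You" <alice@example.org>
To: alice@example.org
Subject: Your device was hacked

I installed Pegasus on your device. Send $1400 in Bitcoin within 48 hours.
"""

def auth_results(msg, authserv_id):
    """Collect spf/dkim/dmarc verdicts stamped by our own receiving server."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        server, _, rest = str(header).partition(";")
        if server.strip().lower() != authserv_id.lower():
            continue  # a sender can inject fake results; trust only our server's
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def triage(raw, authserv_id):
    """Return a list of reasons the From address should not be believed."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    env_from = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    auth = auth_results(msg, authserv_id)
    findings = []
    if sender and sender == recipient:
        findings.append("From matches To (claims to come from your own address)")
    if env_from and sender and env_from.rpartition("@")[2] != sender.rpartition("@")[2]:
        findings.append("envelope sender domain differs from From domain")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "mx.example.org"):
        print("-", finding)
```

To use it on a real message, save the email's raw source ("show original" or "view source" in most mail clients) and pass in the server name your own provider puts at the start of its `Authentication-Results` header.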
How to protect yourself:
First of all, breathe. These people are trying to evoke fear and shame because fear and shame are powerful negative emotions that can keep you from thinking clearly.
If you got a variant where they quote a password and you’re still using that somewhere, change it. Now.
And after that? Delete it. Breathe again. This email is sent out to thousands of people each day. The scammer doesn’t know you, doesn’t have anything on you other than leaked data, they cannot harm you and they’re not going to send out video that doesn’t exist to a list of contacts they don’t have.