Ngā tāware mure

Extortion scams

While there are real cases of criminals extorting money from people online, scammers sometimes run blackmail or extortion scams, hoping to exploit your fear of having your private information or explicit images being made public.

What it is

An extortion or blackmail scam is where an online attacker claims to have sensitive or damaging information about you and threatens to make it public unless you pay them. These attackers may have some of your information, in most cases a password, which they use for credibility, but often do not have the damaging information or explicit images they threaten to release.  

This page covers extortion scams where scammers use scare tactics to get money from you, not actual blackmail, extortion or sextortion. If you are the target of a real extortion attempt, you can report to New Zealand Police. If you aren’t comfortable approaching the Police directly, CERT NZ or Netsafe can do so on your behalf.

Netsafe’s website has a section for more information on what to do if you are being blackmailed by someone who has your intimate images or other sensitive information.  

Sextortion - Netsafe

Report to CERT NZ

How it works

The scammers contact you, typically by email, claiming to have monitored your internet activity. They also claim to have damaging information or content, such as your internet search history or a webcam recording. They may try to prove they have this info by sending you your password, or sending the email from what looks like your own email address to make it look like that they have your password.

Usually, they have obtained your password in a data breach or through phishing and don't have any other information.

This image below is an example of an extortion scam where the scammer is hoping to scare the receiver into sending money. 

Image of an unsettled payment email

The anatomy of an extortion scam email

  • The email appears to have come from the receiver’s own email ID

    Scammers will make it look like the email has come from your own email ID. This is called spoofing and it’s a common tactic scammers use to make you believe they have access to your account. 

    Email header

  • The sender claims to have your password

    This could be the actual password you use for this email account, an old password, or one you use for a different account. The scammer would have obtained this in a data breach or an online dump.

    Image of the password mentioned in the email

  • The sender claims to have installed a malware or spyware on your computer

    They also follow it up with the claim that their malware is invisible to antivirus software. This is usually a bluff. 

  • The sender is asking for money

    Scammers will ask you to pay for not making your information public. They usually ask you to send money to a cryptocurrency wallet to avoid leaving a trail. 

    The email sender is asking for money