"I've been hacked!" — Why that terrifying email is almost certainly a scam
12th May 2026

"I am a professional hacker. I have gained full access to your account. I have a video of you… pay me $2,500 in Bitcoin within 50 hours or I will send it to everyone you know."

Your stomach drops.

Stop. Breathe. Here's what's actually happening — and why you almost certainly have nothing to worry about.

This is a mass-produced scam. You are not special.

That sounds harsh, but it's genuinely reassuring. This email wasn't written for you. It was written once, then blasted out to millions of people at the same time, most of whom will never have visited a single dodgy website in their lives.

The scammers are playing a numbers game. If one person in a thousand panics and pays, they make money. The email is designed to trigger fear and shame so quickly that you don't stop to think it through. The moment you do stop and think, the whole thing falls apart.

"But it came FROM my own email address!"

Yes. And this is the cleverest part of the trick — and the part that's easiest to explain once you understand how email actually works.

When you send a letter in the post, you write your return address on the envelope yourself. There's nothing stopping you from writing someone else's address there instead. Email works in almost exactly the same way. The "From:" name you see in your inbox is just a label — anyone can type anything they like in that field.

It doesn't mean your account has been hacked. It doesn't mean they have your password. It just means they know your email address (which is probably listed on your website, or was in a data breach years ago) and they typed it into the "From" box.

It's a magic trick. Once you know how it works, it's not magic at all.
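
To see the trick on a message you have received, open its raw source ("Show original" or "View source" in most mail clients) and compare the visible From: line with the headers your own mail server recorded. The sketch below is an added example, not part of the original post; the sample message, its addresses and the function name spoof_indicators are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): visible From: copies the recipient.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.org
From: "You" <owner@example.org>
To: owner@example.org
Subject: I have full access to your account

(body omitted)
"""

def _addr(value):
    """Bare lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def spoof_indicators(raw):
    """Return reasons to treat the visible From: as an unverified label."""
    msg = message_from_string(raw)
    sender, rcpt = _addr(msg["From"]), _addr(msg["To"])
    from_dom = sender.rpartition("@")[2]
    # Return-Path records the envelope sender, which the From: line need not match.
    env_dom = _addr(msg["Return-Path"]).rpartition("@")[2]
    # Only trust Authentication-Results added by your own receiving server;
    # this sketch assumes every such header present came from it.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    checks = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    found = []
    if sender and sender == rcpt:
        found.append("From: is the recipient's own address")
    # A differing envelope domain is normal for bulk senders: a hint, not proof.
    if env_dom and env_dom != from_dom:
        found.append(f"envelope domain {env_dom} != From: domain {from_dom}")
    if checks.get("dmarc", "pass") != "pass":
        found.append(f"dmarc={checks['dmarc']}")
    return found

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE):
        print("-", reason)
```

On the constructed sample all three indicators fire: the message claims to be from the recipient, was actually handed over by a different domain, and failed the receiving server's DMARC check.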

What about the scary technical details?

The email may include things like:

  • A "real" password you recognise — this is pulled from old data breaches (try checking haveibeenpwned.com — your email may well be in dozens of them). Change any password you still use, but this is not proof of current access.
  • Claims about your webcam, microphone, or screen — there is no such malware. This is fiction designed to feel plausible.
  • Fake "encryption" strings at the top and bottom — random-looking characters to make it look technical and legitimate. They mean nothing.
  • The image format — you may notice the message is actually a picture rather than text. That's specifically to fool spam filters, which scan words but can't read images. It's a red flag, not a sign of sophistication.

Why didn't my spam filter catch it?

Spam filters are clever, but they're not perfect. This type of scam deliberately uses images instead of text, which makes it much harder to detect. The email I received scored just 1.0 on the spam scale — not quite enough to block it automatically. The filter did flag the image trick with a score of 2.0 on that factor, but other elements balanced it out.

Think of it like a burglar alarm: it's very good, but determined scammers test emails against filters before sending them.

So what should I actually do?

Do not pay. Do not reply. Do not click anything.

Paying achieves nothing except proving you're willing to pay — which usually results in more demands. There is no video. There is no hacker watching you.

Here's your actual checklist:

  1. Change your email password if you haven't recently, and make sure it's strong and unique.
  2. Turn on two-factor authentication on your email account if you haven't already.
  3. Check haveibeenpwned.com to see if your email appears in any known data breaches, and change any passwords that were exposed.
  4. Report it — forward to report@phishing.gov.uk if you're in the UK.
  5. Tell someone — these scams thrive on shame and secrecy. The more people talk about them, the less effective they become.

What if I'm a business owner?

If the email appeared to come from your own business address, there may be a small technical tweak worth making to your email setup — essentially tightening the instructions you give to other email servers about who's allowed to send on your behalf. This won't stop the scammers trying, but it will make it much more likely their emails get caught or rejected before they reach anyone.

If you're not sure whether your email is set up correctly in this regard, I offer a free website and email health check — just get in touch.

The bottom line

These emails are unpleasant. They're designed to make you feel watched, ashamed, and alone. But they are factory-produced threats sent by people who know nothing about you, have never seen you, and have no access to anything of yours.

Delete it. Change your password. Have a cup of tea.

You're fine.

Abbie Thoms runs Polyspiral, an award-winning web design and SEO company based in Suffolk. If you received something like this and you're not sure what to do, feel free to get in touch — I'm always happy to help.
