Overview
A persistent wave of email extortion scams is using victims' real names — harvested from data breaches and public records — in the subject line to manufacture credibility. The email claims the sender captured compromising video via malware on the victim's webcam, and demands payment in cryptocurrency under threat of distributing the video to the victim's contacts.
The threat is empty. In nearly every case, the attacker has no video, no webcam access, and no malware. The scam relies entirely on panic and the coincidence that they know your name.
OpenEFA is detecting and quarantining these at the content-analysis layer despite the sender authenticating successfully, because the attackers use legitimate free-mail accounts rather than spoofed infrastructure.
Known Campaign Variants
Email arrives with the victim's real full name in the subject line — for example, "About you, [First Last] ?" — pulled from a breached data set. The body claims the attacker has recorded the victim via their webcam and demands a Bitcoin payment to a provided wallet address within 24 to 72 hours.
Typical subject patterns: "About you, [Name] ?", "[Name], you should read this", "Concerning [Name]"
Email cites one of the recipient's real (but old, breached) passwords as supposed proof of account compromise. The password was almost certainly harvested from a public data-breach dump, not captured from the victim's current devices. If the cited password matches one you actually use anywhere, that account — not your webcam — is the real risk.
Typical phrasing: "Your password is [password] — I have access to everything"
Email claims the attacker installed malware when the victim visited an adult website and recorded their screen and camera simultaneously. The claim is fabricated — the emails are sent in bulk to millions of recipients regardless of browsing history, betting that some percentage will feel guilty enough to pay.
Typical phrasing: "I recorded you visiting [site] and turned on your camera"
Common Characteristics
All variants share the same attack pattern:
- Your real name in the subject line — harvested from a breached data set containing name+email pairs, not from hacking you
- Sent from a throwaway free-mail account — Gmail, iCloud, Outlook, or ProtonMail, not a mass-mailer or spoofed infrastructure
- SPF, DKIM, and DMARC all pass — because the sender really is that free-mail account; authentication confirms the sending server, not the honesty of the message
- No actual evidence attached — no screenshot, no video clip, no sample of what they claim to have
- Cryptocurrency demand — Bitcoin, Ethereum, or Monero to an attacker-controlled wallet (untraceable, irreversible)
- Short deadline — 24 to 72 hours, designed to short-circuit careful thinking
- Threat to release to contacts — claim they'll send the "video" to your family, colleagues, or social-media followers
- Recycled body text — the same message is sent to thousands of victims with only the name field swapped in
Red Flags to Watch For
- Your name in the subject means nothing. Scammers purchase bulk lists of name+email pairs from public breach dumps. Knowing your name does not mean they know anything else about you.
- They don't have video. This is the single most important fact about sextortion. In the overwhelming majority of cases, the attacker has no recording, no webcam access, and no malware. The entire scam is social engineering.
- No actual evidence is ever attached. Real blackmail would include a sample. Sextortion emails never do, because there is nothing to sample.
- A breached password in the email is not proof of current access. If they cite a password that looks real, it came from a public data breach — not from hacking your device today. Verify at haveibeenpwned.com.
- Cryptocurrency payment demand. Untraceable and irreversible — no legitimate party demands crypto.
- Legitimate sender authentication, illegitimate message. SPF, DKIM, and DMARC confirm the sending server is who it claims to be. They do not confirm the message is truthful. A well-authenticated email from a disposable Gmail account is still a scam.
- Identical body text across victims. Paste a unique phrase from the email into a search engine; if it matches thousands of other complaint posts, you are dealing with a mass campaign.
- Urgency pressure. Any 24- to 72-hour deadline is designed to make you react before you think.
What You Should Do
- Do not reply. Any response confirms your email is active and marks you as engaged — escalating future targeting.
- Do not pay. Paying marks you as a willing victim; more demands will follow. There is no "one-time" payoff for these attackers.
- Do not panic. The threat is empty in the overwhelming majority of cases.
- Check haveibeenpwned.com with your email address to see which breaches your information appeared in. If the email cites a password you recognize, change it everywhere you used it and enable multi-factor authentication (MFA).
- Enable MFA on email, banking, social-media, and any other account where it is available.
- Cover your webcam if it makes you feel safer. Physical camera covers cost a few dollars and are reasonable low-cost insurance regardless.
- Report to the FBI IC3 at ic3.gov and the FTC at reportfraud.ftc.gov.
- Delete the email.
How OpenEFA Protects You
Sextortion emails authenticate correctly — the sender really is a disposable Gmail or iCloud account — so SPF, DKIM, and DMARC alone cannot stop them. OpenEFA closes that gap with layered content and behavioral analysis:
- NLP Content Analysis — Detects the extortion-language pattern: cryptocurrency demand + video threat + urgency deadline
- First-Contact Signals — Flags senders and domains never seen before in your message history
- Mass-Campaign Fingerprinting — Recognizes recycled body text across thousands of variants, even when the name field changes
- Free-Mail Provider Heuristics — Identifies disposable-account patterns at Gmail, iCloud, Outlook, and ProtonMail
- Quarantine Disposition — These are held for review rather than auto-deleted, so a real message using the same language is not silently lost
Because the sender's authentication is legitimate, traditional filters that rely only on SPF/DKIM/DMARC let these messages through. OpenEFA's content and behavioral analysis catches what authentication cannot.
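The following is an added illustrative example, not OpenEFA's own code, of the checks this section describes (the crypto demand + video threat + deadline pattern, the recipient's name in the subject, a first-contact free-mail sender, and name-swapped mass-campaign fingerprinting) run over a constructed message; the regexes, the free-mail list and the wallet string are assumptions made for the example.

```python
import hashlib
import re

# Constructed sample, not a real message: the wallet string is made up and
# the SPF/DKIM/DMARC results are simulated, matching the campaign pattern.
SAMPLE = {
    "from": "throwaway.account@gmail.com",
    "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
    "subject": "About you, Jane Doe ?",
    "body": ("Jane Doe, I installed malware and recorded you through your webcam. "
             "Send 0.5 Bitcoin to bc1qexampleexampleexampleexampleexample00 "
             "within 48 hours or the video goes to all your contacts."),
}

CRYPTO_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
CRYPTO_WORD = re.compile(r"\b(bitcoin|btc|ethereum|monero)\b", re.I)
VIDEO_THREAT = re.compile(r"\b(webcam|camera|recorded|video)\b", re.I)
DEADLINE = re.compile(r"\b(24|48|72)\s*hours?\b", re.I)
FREE_MAIL = {"gmail.com", "icloud.com", "outlook.com", "protonmail.com"}

def fingerprint(body, recipient_name):
    """Mass-campaign fingerprint: replace the recipient's name with a token,
    normalise case and whitespace, then hash. Recycled body text sent to two
    victims with only the name swapped produces the same fingerprint."""
    text = body
    for part in recipient_name.split():
        text = re.sub(re.escape(part), "[NAME]", text, flags=re.I)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def analyse(msg, recipient_name, seen_senders):
    """Return (disposition, reasons). A passing SPF/DKIM/DMARC result is never
    a reason to trust the message: it only proves the sending server really is
    the free-mail provider it claims to be."""
    reasons = []
    text = msg["subject"] + " " + msg["body"]
    if CRYPTO_ADDR.search(text) and CRYPTO_WORD.search(text):
        reasons.append("crypto demand")
    if VIDEO_THREAT.search(text):
        reasons.append("video threat")
    if DEADLINE.search(text):
        reasons.append("urgency deadline")
    if recipient_name.lower() in msg["subject"].lower():
        reasons.append("recipient name in subject")
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL and msg["from"].lower() not in seen_senders:
        reasons.append("first-contact free-mail sender")
    extortion = {"crypto demand", "video threat", "urgency deadline"} <= set(reasons)
    # Hold for review rather than delete, so a real message is not silently lost.
    return ("quarantine" if extortion else "deliver"), reasons
```

Note that the simulated `auth` results are present but deliberately unused by `analyse`, which is the point of the section: authentication passing tells the filter nothing about the message's honesty.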
References
- IC3 — FBI Internet Crime Complaint Center
- FTC — Report Fraud
- Have I Been Pwned — Check if your email appears in a breach
- FBI — Sextortion Overview
OpenEFA® is an AI-powered email security platform by Quantum Logic Systems, LLC. Learn more at openefa.com.