The "Incriminating Video" Scam - Schneier on Security

Comments

wiredog • August 12, 2025 8:26 AM

I don’t have a webcam or a mic. So I’ve always just deleted those emails.

Ian Stewart • August 12, 2025 9:35 AM

My wife had one of these recently, two weeks after an education Zoom conference she was on was hacked and pornography replacing the education lectures. This was almost certainly a coincidence. The email came from her email address, which the hacker claimed was proof he had infiltrated our system – no images of our building though. The hacker said we were watching all this on ‘one of our devices’, had he infiltrated our system he would have known what device was used. Obviously neither of us were in the least bit worried and just erased it immediately.

Anonymous • August 12, 2025 9:43 AM

When there’s sufficient photo or video footage of you in the web, attackers create deep-fakes to blackmail you with that. Of course you’ll claim it’s fake, but who wouldn’t?

Tamas Papp • August 12, 2025 9:57 AM

I occasionally get these, but they demand crypto as payment. Among the people I know, the intersection of (1) those who would fall for this scam, and (2) are capable of setting up bitcoin without asking a friend for help, who would them (hopefully) calm them, is empty.

Anonymous • August 12, 2025 10:22 AM

This type of scam will die as soon as deep fakes cannot be distinguished from real footage anymore. Might as well let them publish the real thing then.

Mexaly • August 12, 2025 10:40 AM

What’s my safe word?

wiredog • August 12, 2025 10:44 AM

@Mexaly
supercalifragilisticexpialidocious

Clive Robinson • August 12, 2025 12:03 PM

With regards,

“BuzzFeed has an article talking about a “shockingly realistic” variant, which includes photos of you and your house—more specific information.”

Photos of your “house” is often obtained via Google…

As for finding your address, in the UK there is a register at “Companies House” that has a list of every company you have ever been an officer, as well as all the adresses you’ve ever used in relationship to any company.

Thus When Microsoft failed to do something they should have done the Managing Director of Microsoft got a visit, all the vehicles were photographed and the ownership was checked and checked on an insurance database.

From that point on checking financial details was fairly easy.

Work that took around half a day to do.

Using a US database filled by Meta and Google gave a wealth of other information (some deliver to your home companies put other information up…

Presenting her with the details one by one kind of convinced her that the employees at Microsoft had better pull their fingers out…

The reason I mention all this is two fold,

1, It’s what Debt collection agencies do as a normal activity.

2, People don’t realise just how much information they hemorrhage into these commercial databases via social media and the like.

But there is a third aspect which is once your home address is known getting photos or video of the occupants is trivial and they do not have to be in very high resolution.

Because AI systems can “fill in” to more or less any resolution these days.

Back last century I had a falling out with one part of my family because they stuck up a “family tree” that had lots of details and they also put up photos of family members.

I went absolutely ape about it and I was basically told I was being “paranoid”…

Three decades later was I just guessing the future or paranoid?

Let me put it this way, such information has value, and my experience since the early 1980’s is people will make money any which way they can…

So the reality was as far as I was concerned,

“Even with protective legislation and regulation, certain types of people would collect information. And the more legislation and regulation the higher the price they would ask for it… And there are always those who will hunt it out no matter what the cost or legality as their form of “due diligence”…

For instance in the UK anyone who has been a member of a Union has their details stored away in a US database run by one of “The three GOP families”…

As our host @Bruce has noted technology advancements make attack capability considerably easier.

AI now allows what to the average human eye and ears are 100% accurate fakes…

The thing is that few when presented with these fakes realise they are fakes. And that is where Cognitive Bias leaps in and people will believe what they want to believe irrespective of factual evidence to the contrary.

And mud once thrown tends to leave it’s mark…

Hundreds of these scams • August 12, 2025 1:29 PM

I’ve probably seen over 1000 of these demands for payment over the years.
They never include any photos.
They never have my real name.
Setup email blocks on the mail server and filters on email clients so we never see anything like them and neither do any of my users. There are about 10 different, copy/pasted, messages sent. Because they use the same template, easy to filter.

I’ve gone to lengths to never have my real name on the internet – had a stalker in the early 2000s and immediate scrubbed everything I could with my real name. My important email addresses are never shared on social networks.

Everyone needs a few different email addresses.
1) Social network email addresses / probably want to use this with family. (I’ve found I can’t trust family to NOT share my contact data).
2) Banking email addresses should never be used anywhere else. 1 email address per bank. Don’t share them anywhere else.
3) Online store aliases – one per store. Make them unique, not just the name of the store.
4) One email address for work. Only use it work work-related things and don’t use your full name. If your company requires that, see if you can’t get initials with 5 random numbers for an email address/login instead. “js54329” for John Smith.
5) An email address to give to spammers or for those “free entry” cards. I add “spam” somewhere in the alias and only check it a few times a month.

Lastly, use a virtual phone number which makes blocking calls and texts trivial. Never give out real phone numbers. A $5/month VoIP service can do this easily.

The overall goal is to make connecting your different online personas to you in the real-world non-trivial.

I refuse to provide an email address or phone number to any part of the govt (city/local/state or federal). They can use snail mail to contact me. I use snail mail for all govt interactions possible. If a stamp can save me from standing in a line, that’s a great value to me. The last few years, USPS mail has taken 2-3 weeks to deliver anything local, so this does require planning ahead.

not important • August 12, 2025 4:39 PM

@Clive said ‘For instance in the UK anyone who has been a member of a Union has their details stored away in a US database run by one of “The three GOP families”…’

Yeah, deep state is inventive to overcome legal restrictions, so Brits spy on US citizens, Americans on UK citizens, then exchange information.

Regarding mics and cameras: is it (bleeping) possible finally to have design which allow user to shut them off by kill switch -hardware- so hacking based of software is going to be not possible. Same with any other type of gadget.

Bilateralrope • August 12, 2025 7:16 PM

@not important

My chrombook has a built in shutter which covers the camera. It’s a red shutter, so I can glance at the camera and see if it’s closed. I’ve seen people use post-it notes for the same effect.

My desktop doesn’t have a webcam, but if it did I could always unplug it because it would be connected through one of the front USB ports.

My phone is a bit tricky. If it’s out of my pocket, I’d need to put something on top of it to block the camera. Just a piece of paper.

As for this scam itself, I’d have a few defenses:
– I have not posted any photos of my bedroom anywhere. That would make it tricky for any AI to generate such a video of me
– I have a medical condition that would be present in any real video, but an AI would again get the details wrong.
– Even if the video is real somehow, I am not scared about people finding out anything that would be on the video. I’d prefer to keep it all private, but nobody would be surprised.

Not Him Again • August 13, 2025 12:14 AM

@Bilateralrope: Search online for cases with a “rear camera lens cover.” Many slide across; a few are hinged like a door. Most are opaque. Under $20 USD.

Jon (a different Jon) • August 13, 2025 12:25 AM

Not quite the same, but along the same lines:

I’ve been getting quite a few emails allegedly from “Sirius XM” (the satellite radio outfit) asking me to “Confirm my email address”.

I do not have a Sirius XM subscription. I don’t own anything that can receive their signals*. Those emails get deleted unread (tracking pixels, anyone?).

I suspect it’s a cheerful way to scrape lots and lots of valid email addresses for later spam attacking (with a sideline of “Do they have a Sirius XM subscription?).

(at least, not decipherably. Technically, it’s all radio).

jbmartin6 • August 13, 2025 8:27 AM

It’s a red shutter, so I can glance at the camera and see if it’s closed.

My laptop has the same thing. I get irritated because the red warning color should be visible when the camera is open (DANGER) not when it is closed.

JR • August 13, 2025 11:13 AM

@Bruce
“I calmed several people who were legitimately worried with that one fact.”

So I guess several people had a concern they had done something incriminating in front of their computer/webcam(?) Or people just worry far more than necessary.

JR • August 13, 2025 11:20 AM

@Hundreds of these scams
“Everyone needs a few different email addresses.”

I have for a long time used a personal domain through Gandi, as they made it easy to create forwarding email addresses. They forward to my main email address. So I use them for various online services where I had some need to register with email.

Mark Ng • August 14, 2025 7:51 PM

With AI, why would I worry about this. People can grab my mug from facebook and deepfake anything anyway nowadays. I can explain it away even if they really hacked my cam.

The “Incriminating Video” Scam

Comments

Leave a comment Cancel reply