The “your computer is hacked” scam family

A broad category of UK consumer scams plays on the universal anxiety that one’s computer might already be compromised. The category covers email-based sextortion blackmail, fake-ransomware extortion notes, browser pop-up panic alerts about “detected viruses”, and (overlapping with our Microsoft tech-support scam guide) cold-call “your computer is infected” pretexts.

What these have in common: none of them are real. The criminals don’t actually have access to the victim’s computer. They’re using generic data from public breaches, scripted threats, and visual intimidation to extort payment in cryptocurrency or gift cards. The defence is consistent across variants — verify the claim, don’t pay, and don’t engage.

UK Finance and Report Fraud both report computer-extortion scams as one of the highest-volume email-driven scam categories, with average extortion demands in 2026 ranging from £200 in cryptocurrency for sextortion variants to £1,500–£5,000 for fake-ransomware variants. Most victims of these scams don’t actually have compromised computers — they have alarmed minds, which is what the criminals are exploiting.

Three “computer hacked” scam variants currently in circulation

Variant 1 — Sextortion email: “we have your webcam footage”

From: Often a spoofed version of the recipient’s own email address, or from a randomly-generated Gmail / Outlook address.

Subject: “I know your password is [actual old password]” or “Pay or your contacts see this” or “Last warning — we have everything”.

Body: Claims the sender has installed malware on the recipient’s computer that has recorded webcam footage of them watching adult content. The email may include the recipient’s real (but old) password as “proof”. Demands payment in Bitcoin (typically £200–£1,500) within 24–72 hours, threatening to send the “footage” to email contacts / family / employer if not paid.

Red flags:

  • The password is real but very old. Sourced from a public data breach (LinkedIn 2012, Adobe 2013, Yahoo 2014, Collection #1 2019, MOAB 2024). Check yours at haveibeenpwned.com. If the password is one you used years ago and have since changed, the criminals have no current access.
  • The threat is uniformly generic. No specific reference to your computer, your habits, or any actual content. Real compromises would name specifics. Generic threats are mass-mail templates.
  • The sender doesn’t have your contacts. The threat to email family / employer / colleagues is bluff. If they had your contact list, they’d include a recipient name to prove it. They don’t.
  • No actual footage is ever sent. Even when victims refuse to pay, the “footage” never materialises because it doesn’t exist. The entire campaign is psychological extortion based on a single old breached password.
  • Payment demand is always cryptocurrency. Specifically Bitcoin (sometimes Monero or Ethereum). Real legal demands would be invoiced via banking; the crypto requirement is the diagnostic feature.
  • Do not reply. Do not pay. Delete the email. Replying confirms the address is active and may trigger follow-up. Paying confirms vulnerability and triggers escalating demands.
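
The red flags above can be checked mechanically against a saved copy of the message. This Python example is added here and is not part of the original guide; the sample email, the flag names and the regular expressions are constructed assumptions, and the authentication check assumes the receiving mail server records SPF/DKIM/DMARC results in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message; addresses and wallet are placeholders.
SAMPLE = """\
From: alice@example.org
To: alice@example.org
Subject: I know your password is Summer2012
Authentication-Results: mx.example.org; spf=fail; dkim=none; dmarc=fail
Content-Type: text/plain

I installed malware on your computer and recorded you through your webcam.
Send 0.02 BTC to bc1qxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx within 48 hours
or the footage goes to all your contacts.
"""

# Loose heuristics: coin names, or something shaped like a Bitcoin address.
CRYPTO = re.compile(r"\b(bitcoin|btc|monero|xmr|ethereum|eth)\b"
                    r"|\b(bc1[a-z0-9]{20,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b", re.I)
DEADLINE = re.compile(r"\b\d{1,3}(\s*-\s*\d{1,3})?\s*(hours?|hrs?|days?)\b", re.I)
WEBCAM = re.compile(r"\b(webcam|footage|recorded)\b", re.I)

def body_text(msg):
    """Concatenate the text/plain parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def triage(raw, old_passwords=()):
    """Return the names of the red flags that this raw message matches."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    flags = {
        "self_spoofed_from": bool(sender) and sender == rcpt,
        "auth_failed": any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")),
        "quotes_old_password": any(p and p in text for p in old_passwords),
        "crypto_demand": bool(CRYPTO.search(text)),
        "short_deadline": bool(DEADLINE.search(text)),
        "webcam_claim": bool(WEBCAM.search(text)),
    }
    return sorted(name for name, hit in flags.items() if hit)

if __name__ == "__main__":
    print(triage(SAMPLE, old_passwords=["Summer2012"]))
```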

Variant 2 — Fake ransomware blackmail: “all your data is encrypted”

How it presents: An email claiming the sender has gained access to the victim’s computer / business network and exfiltrated all data. The email threatens to publish the data on the dark web / sell it to competitors / report it to GDPR enforcement unless a ransom is paid. May include a small sample of “evidence” (typically generic file names, an old contact list from a breach, or fabricated screenshots).

Red flags:

  • Real ransomware encrypts your data before demanding payment. If your files still open normally, no encryption has occurred. Real ransomware victims see ransom notes on every drive and unopenable files. Absence of those signs = no ransomware.
  • The “evidence” is generic or from a public breach. File names like “passwords.xlsx” or “customer-list.csv” are stock placeholders. Real data exfiltration would reference specific identifiable file names from your actual systems.
  • Targets small businesses and freelancers disproportionately. The criminal hopes the victim doesn’t have technical expertise to verify the claim and will pay to make the threat go away.
  • Payment in cryptocurrency only. Same diagnostic feature as sextortion variants.
  • Threats of GDPR / regulator reporting are bluff — real GDPR breaches are reported BY the data controller (you), not by criminals. The threat exploits compliance anxiety but has no enforcement teeth from the criminal’s side.
  • Verify by checking your actual systems. Open critical files. Check backups. Run a malware scan with Windows Defender Full Scan or Malwarebytes. Absence of malware = empty threat.
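
One way to script the "open critical files" check across a whole folder, as an added Python example that is not part of the original guide: it confirms that common document types still start with their expected file signature and looks for ransom-note-style file names. The note-name pattern is an assumption modelled on names such as “HOW-TO-DECRYPT.txt”, and the two sample folders are constructed.

```python
import os, re, tempfile

# File signatures (magic bytes) for a few common document types.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
# Assumed pattern for ransom-note file names; adjust to taste.
NOTE = re.compile(r"(decrypt|ransom|recover[-_ ]?files).*\.(txt|html?|hta)$", re.I)

def check_tree(root):
    """Walk root; report note-like files and documents whose header is wrong."""
    report = {"checked": 0, "bad_header": [], "possible_notes": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            if NOTE.search(name):
                report["possible_notes"].append(path)
            if ext in MAGIC:
                report["checked"] += 1
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(8)
                except OSError:
                    head = b""  # unreadable counts as a failed check
                if not head.startswith(MAGIC[ext]):
                    report["bad_header"].append(path)
    # Both signs together are what the list above describes as real ransomware.
    report["looks_encrypted"] = bool(report["possible_notes"] and report["bad_header"])
    return report

def demo():
    """Scan two constructed folders: one healthy, one that looks encrypted."""
    with tempfile.TemporaryDirectory() as ok, tempfile.TemporaryDirectory() as hit:
        with open(os.path.join(ok, "invoice.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.7\n")
        with open(os.path.join(hit, "invoice.pdf"), "wb") as fh:
            fh.write(b"\x9f\x13" * 32)  # stand-in for ciphertext
        with open(os.path.join(hit, "HOW-TO-DECRYPT.txt"), "w") as fh:
            fh.write("constructed placeholder note")
        return check_tree(ok)["looks_encrypted"], check_tree(hit)["looks_encrypted"]

if __name__ == "__main__":
    print(demo())
```

Files that have been renamed with an unfamiliar extension are not in the signature table and are skipped, so read a low "checked" count alongside the result and still run the malware scan and backup check listed above.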

Variant 3 — Browser pop-up panic: “Your computer has been infected”

How it presents: While browsing (often after clicking a suspicious link, viewing pirated content sites, or visiting compromised sites), a full-screen browser pop-up appears with alarming red text, audio, and a phone number to call. “CRITICAL VIRUS DETECTED — 3 viruses identified on your computer. Call McAfee Support immediately on 0800-XXX-XXXX to remove.” Variants impersonate McAfee, Norton, Windows Defender, AVG, or generic “Security Alert”.

Red flags:

  • Real antivirus software never displays a phone number to call. McAfee, Norton, AVG, Windows Defender alerts appear inside the antivirus dashboard, not in your browser. Real alerts never include “call this number for support” instructions.
  • Browser pop-ups cannot scan your computer. The webpage has no access to detect viruses, malware, or system state. The “3 viruses detected” claim is fabricated for visual intimidation.
  • The page tries to lock the browser. Repeated dialogue boxes, full-screen API tricks, audio loops — all designed to prevent you from closing the tab. Real antivirus alerts never trap your browser.
  • If you call the number: the script is identical to the Microsoft tech-support scam — remote-access install, password request, gift-card extraction, screen-share banking manipulation. Same operation, different brand impersonated.
  • Close the page: on Windows / Mac, press F11 to exit full-screen, then close the tab. If unresponsive, press Ctrl+Shift+Esc (Windows) or Cmd+Option+Esc (Mac) to force-quit the browser. The pop-up has no persistence beyond the page itself.
  • After closing: clear browser history, run a real malware scan with your installed antivirus or Windows Defender Full Scan to confirm no actual infection.

What real computer compromise actually looks like (vs the scam framing)

  1. Real malware infections rarely announce themselves. Genuine compromises run silently, harvesting credentials and data. Loud, alarming “you’ve been hacked” messages are extortion theatre, not real malware.
  2. Real ransomware encrypts files. Your files won’t open. You’ll see ransom notes (.txt files named something like “HOW-TO-DECRYPT.txt”) on every drive. Software-as-a-Service like Microsoft 365 / Google Workspace will display encryption errors. Absence of these signs = no ransomware.
  3. Real antivirus alerts appear in the antivirus dashboard. Not in your browser, not via email, not via SMS, not via phone call. To verify if you have antivirus software, check Settings / System Preferences for installed apps.
  4. Real data breaches affecting you specifically are notified by the breached service. Not by anonymous threatening emails. Real notifications include specific data fields (your email, perhaps an old password) and link to the breached service’s own incident-response page.
  5. Verify breached accounts at haveibeenpwned.com — the canonical UK-trusted database of public breaches. If your email appears, change passwords on those specific services (not on services not listed).

What to do right now if you received a computer-hacked scam email

  1. Do not reply. Do not pay. Do not click any links. Engagement signals an active address and triggers escalation.
  2. If the email includes a real (old) password: change that password everywhere it’s still in use, and ensure all accounts have unique passwords + 2FA via authenticator app. The breach is real; the extortion is not.
  3. Run a malware scan with Windows Defender Full Scan or Malwarebytes (free tier is fine) to confirm no actual infection. Absence of detected malware = the threat is empty.
  4. Check your webcam. Cover it with a sticker / tape if you want belt-and-braces assurance. Some laptops have a hardware shutter; engage it. Costs nothing; ends the entire sextortion category as a possibility.
  5. Report the email to report@phishing.gov.uk (NCSC Suspicious Email Reporting Service). NCSC takes down over 100,000 scam URLs each month using these reports.
  6. Delete the email. Don’t engage in any way.

What to do if you saw a fake antivirus pop-up

  1. Close the browser tab. Press F11 to exit full-screen mode, close the tab, then close any remaining alert dialogues.
  2. If the pop-up is unresponsive: force-quit the browser (Ctrl+Shift+Esc on Windows, Cmd+Option+Esc on Mac, then end the browser process). Restart the browser without restoring the previous session.
  3. Clear your browser history and cache for the site that triggered the pop-up. This removes any persistent scripts.
  4. Run a real malware scan with Windows Defender Full Scan / Malwarebytes / your installed antivirus. The scan should come back clean. If it doesn’t, follow the remediation prompts.
  5. Do NOT call the number on the pop-up. The pop-up is the entire scam; calling triggers the tech-support remote-access fraud.

If you’ve already paid an extortion demand

  1. Card payment: call your bank’s fraud line. Use the Chargeback & Section 75 Generator for credit cards.
  2. Cryptocurrency: recovery is very limited. Report to Report Fraud immediately on 0300 123 2040. Specialist crypto-tracing firms exist but cost is high relative to typical extortion amounts.
  3. Gift cards: if codes are unredeemed, contact the gift-card issuer (Amazon, Apple, Google, Steam) and request they be frozen. Recovery probability drops sharply once codes are used.
  4. Do not pay any “second instalment”. Paying once flags you as a viable victim; further demands will escalate. The defence is to stop paying entirely.
  5. Report to Report Fraud at reportfraud.police.uk regardless of recovery outcome — the report feeds the UK fraud intelligence picture.