I get these emails every now and then, and I know other people do too. To me they're a mild annoyance I usually bin as soon as I see them. For someone who isn't a massive nerd like me, it might be hard to immediately spot why these emails are fake. Sometimes the sender pulls a couple of tricks to make it seem real, and I'll cover those off too. So, let's take a look at how you can spot them.

To begin, here is the message I received and will use as a reference for the rest of this post.

Hello.

19/08/2019 - on this day I hacked your OS and got full access to your account ******@samcater.com

You can check it - I sent this message from your account.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

This means that I have full access to your device and accounts. I've been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain.
Virus gives me full access and control your devices.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware? answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.

With one click of the mouse, I can send this video to all your emails and contacts.
If you want to prevent this, transfer the amount of $796 to my bitcoin address
(if you do not know how to do this, write to Google: "Buy Bitcoin").
My bitcoin address (BTC Wallet) is: 1Q2pVgd9YradB42risptr8tsydKrVDSD2A

After receiving the payment, I will delete the video and you will never hear me again. I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

First of all, note the language and tone. English is far from the default language of the world, but if I were emailing someone to blackmail them for $796 I would take the time to get my grammar right. The slap-dash wording feels unnatural, and that's often a sign of someone who is running multiple spam campaigns and wants to churn out as many slightly different variants of the same email as possible to avoid being caught by spam filters. The core message is the same, extortion and blackmail, but to look distinct to any spam filter in between, the email appears to have been dragged through a thesaurus backwards, leading to odd expressions such as:

I have a notice reading this letter, and the timer will work when you see this letter.

Second, an easy spot is to think about the date they claim all this happened on. In my case, they refer to 19/08/2019. Giving a fixed date is a tactic to instil fear that they really do have something on you. The easiest thing to do is look at your calendar: what were you doing on the 19th? The date is part of the template and goes out to every recipient of the campaign; it has nothing to do with you.

The next part:

on this day I hacked your OS and got full access to your account ******@samcater.com

As well as the terminology being all over the place, 'hacking an OS' does not in itself give you access to my email account. Control of someone's computer can be turned into mailbox access (a saved browser session, a keylogger), but that is a separate step, and nothing in this email demonstrates it happened; the only 'proof' offered is the From address, which we'll get to next.

You can check it - I sent this message from your account.

The email does appear to come from my account! This is scary, and must mean that even if he didn't 'hack the computer' he somehow got my email password?

Nope. Email is built on a very old protocol (SMTP) and is subject to a lot of trickery. Over the years new standards such as SPF, DKIM and DMARC have been bolted on to catch spam and fraud, but they only help where the domain owner has set them up and the receiving server checks them, and there are still plenty of loopholes. One of them is 'From spoofing'. Steering a little more technical: the 'From' line you see in your mail client is just a header inside the message, and your mail software writes your own address there only because that is what you would normally want. Nothing in SMTP requires the address in that header to be yours, or even to match the address the message is actually sent on behalf of (the SMTP 'envelope' sender, which is what ends up in the Return-Path header). Plenty of tools let you put whatever you like in the From field. You could have bob@bob.com or b@test.email.net.com.a in there and the message is still perfectly valid SMTP. It will set off a stack of spam filters, but that is a problem further down the line.

There are many other reasons spam filters would trip up a spam email like this one (with your address in the From field); it is not specifically because the email appears to be self-sent. How else would you email yourself a note or forward yourself an attachment if that were a red flag? The spammer spoofs your own address in that field, and it's as simple as that. Some clients, Gmail included, recognise your own address in the From field and might display your own name instead. Looks scary, but it is completely harmless.

If you want to have a look yourself (this varies from email tool to email tool, so have a Google), click 'View Source' or 'Show original'. In there you'll find a set of technical headers, including where the message really came from. For me the relevant lines looked like the text below. If a spammer had really sent this through my own account, why does it have a Return-Path at a German-looking domain (.de) and a first hop from a server that isn't mine? Two caveats when reading these: the domain in Return-Path is also chosen by the sender, so it tells you where bounces go, not where the message came from; and only the Received lines added by your own provider's servers (the top ones) can be trusted, because anything below them could have been written by the spammer. The connecting IP address in square brackets on your server's Received line is the part he can't rewrite, and 'unknown' next to it means my server could not reverse-resolve that IP to a hostname, which is another bad sign.

Received: from armtekru.schretterhof.de (unknown [14.231.191.1])
Message-ID: <157364744184.950.17606367885916613996@schretterhof.de>
Return-Path: <Fancy@schretterhof.de>
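To make the two points above concrete (the From header being free text, and what to look for in 'View Source'), here is an added example, not code from the original post. It builds a message whose From header and SMTP envelope sender disagree, then runs a few cheap header checks over two constructed messages: one assembled around the three header lines above (the victim address someone@samcater.com, the receiving server mx.samcater.com and the folded 'by ... for ...' continuation are assumptions, not from the post) and one representing a genuinely self-sent message with matching envelope, a first hop on the owner's own server and passing SPF/DKIM/DMARC results.

```python
"""Added example: the From: header proves nothing; the Received hop and
Return-Path are what to compare. Sample messages are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def build_spoofed_message(header_from: str, envelope_from: str, to: str):
    """Return (envelope sender, raw message bytes).

    The RFC 5322 From: header is just a line we write. The SMTP envelope
    sender (MAIL FROM) is handed over separately, e.g.
    smtplib.SMTP(host).sendmail(envelope_from, [to], raw), and nothing in
    SMTP requires the two to agree. The receiving server copies the envelope
    sender into Return-Path, which is why the two differ in the scam mail.
    """
    msg = EmailMessage()
    msg["From"] = header_from          # whatever the sender wants you to see
    msg["To"] = to
    msg["Subject"] = "Hello."
    msg.set_content("You can check it - I sent this message from your account.")
    return envelope_from, bytes(msg)


def domain_of(header_value) -> str:
    """Domain part of an address header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


# Postfix-style hop: "from <HELO name> (<reverse DNS or 'unknown'> [<ip>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)")


def triage_headers(raw: bytes) -> dict:
    """Cheap 'View Source' checks; returns extracted fields plus findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    from_dom = domain_of(msg["From"])
    to_dom = domain_of(msg["To"])
    rp_dom = domain_of(msg["Return-Path"])
    findings = []

    # Each server prepends its own Received: line, so the last one is the
    # first hop: the machine that handed the message to the receiving side.
    received = [str(h) for h in (msg.get_all("Received") or [])]
    hop = RECEIVED_RE.search(received[-1]) if received else None
    helo = rdns = ip = ""
    if hop:
        helo, rdns, ip = hop.group("helo", "rdns", "ip")
        if rdns == "unknown":
            findings.append(f"receiving server could not reverse-resolve sending IP {ip}")
        # A message that claims to be self-sent should enter from your own
        # provider's servers, not from a random host elsewhere.
        own_host = helo.lower() == from_dom or helo.lower().endswith("." + from_dom)
        if from_dom and from_dom == to_dom and not own_host:
            findings.append(f"claims to be self-sent but first hop {helo} is not in {from_dom}")
    else:
        findings.append("no parseable Received: hop")

    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From: domain {from_dom} differs from Return-Path domain {rp_dom}")

    auth = msg["Authentication-Results"]
    if auth is None:
        findings.append("no Authentication-Results: header; SPF/DKIM/DMARC not recorded")
    elif re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b", str(auth)):
        findings.append(f"authentication did not pass: {str(auth).strip()}")

    return {
        "from_domain": from_dom,
        "to_domain": to_dom,
        "return_path_domain": rp_dom,
        "first_hop": {"helo": helo, "rdns": rdns, "ip": ip},
        "findings": findings,
        "verdict": "spoofed or unverified" if findings else "consistent",
    }


# The three header lines from the post, with the rest constructed around them.
SCAM_RAW = b"""Return-Path: <Fancy@schretterhof.de>
Received: from armtekru.schretterhof.de (unknown [14.231.191.1])
 by mx.samcater.com (Postfix) with ESMTP id 4F3A2B1C
 for <someone@samcater.com>; Wed, 13 Nov 2019 12:00:00 +0000
Message-ID: <157364744184.950.17606367885916613996@schretterhof.de>
From: someone@samcater.com
To: someone@samcater.com
Subject: Hello.

You can check it - I sent this message from your account.
"""

# Constructed comparison: what a genuinely self-sent message looks like.
GENUINE_RAW = b"""Return-Path: <someone@samcater.com>
Received: from mail.samcater.com (mail.samcater.com [203.0.113.10])
 by mx.samcater.com (Postfix) with ESMTPS id 7C1D0E22
 for <someone@samcater.com>; Wed, 13 Nov 2019 12:05:00 +0000
Authentication-Results: mx.samcater.com; spf=pass smtp.mailfrom=samcater.com;
 dkim=pass header.d=samcater.com; dmarc=pass header.from=samcater.com
Message-ID: <20191113120500.1@mail.samcater.com>
From: someone@samcater.com
To: someone@samcater.com
Subject: note to self

Reminder to check the headers, not the From: line.
"""

if __name__ == "__main__":
    envelope, raw = build_spoofed_message(
        "someone@samcater.com", "Fancy@schretterhof.de", "someone@samcater.com")
    print("envelope sender:", envelope)
    print(raw.decode())
    for label, sample in (("scam", SCAM_RAW), ("genuine", GENUINE_RAW)):
        report = triage_headers(sample)
        print(label, "->", report["verdict"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run as a script it prints the spoofed message (From: the victim, envelope sender elsewhere) and then the findings for each sample: the scam copy trips all four checks, the genuine one trips none. The checks are deliberately conservative: a missing Authentication-Results header only means your provider didn't record a verdict, and mail from a big webmail provider legitimately arrives from that provider's hostnames, so treat the findings as things to look at rather than a verdict on their own.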

All done with the From field. Going back to the spam email, we've got the line about taking a full dump of the disk. For most people these days that's 256GB or more of uncompressed data, up a broadband connection with an upload speed of maybe 4Mbit/s. That works out at roughly six days of continuously saturated upload, which you would notice. Not going to happen.

Next, this bit may be true:

The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain.

You definitely can get infected with web-borne malware through adult sites, so this adds a small amount to his credibility. Then he ruins it with the bad English:

Virus gives me full access and control your devices.

Then after a bit more of the same comes:

Why your antivirus did not detect malware? answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

This bit made me smile. Saying 'My malware uses the driver' is a bit like saying 'My car uses the hamster': it could mean something (malware that installs a kernel driver, a rootkit, is a real technique) but as written there's no connection to the point being made. Sadly for him the pulled-through-a-thesaurus-backwards issue means it came out how it did. What he is actually describing, changing the malware every few hours so that signature-based antivirus doesn't recognise it, is polymorphic code. That is a real thing, and commodity malware packers do it routinely, but detection has moved well beyond matching static signatures (behavioural analysis, reputation, sandboxing). More to the point: why would an attacker with a custom rootkit and a build pipeline that re-issues it every four hours use it just to extort $796 from you?

The amount of $796 is bizarre, and way more than a few months ago, when I remember it being in the $200 region. He also doesn't specify whether I'm sending USD, SGD, AUD, CAD... so I'd pick the one with the best conversion rate.

The rest is general extortion and blackmail designed to scare the recipient into panicking and paying. The '48 hour' window adds urgency, again designed to make people pay before they think too much. The claim that the email 'cannot be tracked' is wrong too, as the headers above showed, and a bitcoin address is an entry on a public ledger that anyone can look up.

Hope that was a bit interesting. Might put another one up on the tell-tale signs of phony SMSs.