There's another relatively new fear marketing [1]/blackmail email scam doing the rounds in which someone claiming to be an *cough* ethical white-hat hacker *cough* sends an unsolicited report, from an anonymous email account, stating they've found "critical" website or email service bug(s) or vulnerability(ies) and wants a reward for bringing them to the victim's attention (essentially exploiting legitimate 'bug bounty' schemes with what is euphemistically referred to as a 'beg bounty').
Initially, reports tend to relate to common website iframe (x-frame bypass) or email (DNS service, DMARC, SPF or DKIM) issues that can be discovered using tools freely available online [2]: potential misconfigurations that might make it easier to spoof an email [3] or to gain unauthorised third-party use of, or access to, services or content that wouldn't ordinarily be available. Examples are malicious users (re)hosting webpage content within an iframe plastered with adverts from which they earn click-revenue (click-jacking), or email spammers able to access mail servers to send unsolicited junk or mass-mailings from an address they don't actually control, often without the service owner's knowledge.
While these can be legitimate concerns, they can thankfully be dealt with in any number of more fruitful ways than the type of unsolicited Bug Bounty Blackmail (beg bounty) that typically escalates in severity once the scammer knows they have a responsive target or victim; over time the scammer reports more bugs alleged to be increasingly severe, that only they can fix or provide information for, while demanding greater and larger rewards, or else [4].
Messages like this are a 'crap-shoot' for their authors, however, as they are often little more than edited copy/paste boiler-plate texts or templates downloaded from the internet, modified with the victim's details swapped in using a script that pulls the information from a scraped or harvested mailing list.
Needless to say, if there are concerns about the veracity of the bug or vulnerability disclosed, the best course of action is to get in touch with a business or professional that can check what's reported, and advise or action it appropriately.
In other words, a genuine, professional, security consultant wouldn't send a poorly written email, from an anonymous Gmail, Hotmail or other throwaway account, absent contact and/or business information, demanding payment for something, never mind a response.
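As an added example (not part of the original post), the following Python triages the two claims that these emails most often lead with, weak or missing SPF/DMARC records and a site that can be framed, against constructed DNS and HTTP data rather than live lookups, so a recipient can see whether a "critical" finding is really anything more than a common, easily checked configuration state:

```python
# Added example: offline triage of the usual 'beg bounty' claims.
# Inputs are constructed samples standing in for what dig/curl would return.
import re
from typing import Dict, List, Optional

def assess_spf(txt_records: List[str]) -> str:
    """Classify a domain's SPF policy from its TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"          # nothing restricts who may send as this domain
    if len(spf) > 1:
        return "invalid"          # RFC 7208: more than one record is a permerror
    m = re.search(r"(?:^|\s)([-~+?]?)all\b", spf[0])
    if m is None or m.group(1) in ("+", "?"):
        return "weak"             # no 'all' term, or 'all' is pass/neutral
    return "soft" if m.group(1) == "~" else "strict"

def assess_dmarc(txt_record: Optional[str]) -> str:
    """Classify the _dmarc TXT record: missing / monitor-only / enforcing."""
    if not txt_record or not txt_record.lower().startswith("v=dmarc1"):
        return "missing"
    tags = dict(kv.strip().split("=", 1) for kv in txt_record.split(";") if "=" in kv)
    if tags.get("p", "").lower() in ("quarantine", "reject"):
        return "enforcing"
    return "monitor-only"         # p=none: receivers report but do not act

def assess_frame_protection(headers: Dict[str, str]) -> str:
    """Check whether a response forbids framing by third-party pages."""
    h = {k.lower(): v for k, v in headers.items()}
    if "frame-ancestors" in h.get("content-security-policy", "").lower():
        return "protected"        # CSP frame-ancestors takes precedence over XFO
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return "protected"
    return "frameable"            # page can be embedded in someone else's iframe

# Constructed sample data (hypothetical domain, not from the original post).
SAMPLE_TXT = ["v=spf1 include:_spf.example.net ~all", "some-verification=abc"]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}

if __name__ == "__main__":
    print("SPF:", assess_spf(SAMPLE_TXT))                 # soft
    print("DMARC:", assess_dmarc(SAMPLE_DMARC))            # monitor-only
    print("Framing:", assess_frame_protection(SAMPLE_HEADERS))  # frameable
```

A "soft", "monitor-only" or "frameable" result is a routine hardening item to raise with whoever runs the service, not evidence that anything has been compromised.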
Footnotes:
1: Fear marketing or fear appeal is a form of manipulative marketing that uses fear as a means of persuading the target into taking action they might not otherwise engage in, the blackmail then being the threat of consequence if a 'reward' or payment for action/disclosure is not paid.
2: For more on x-frame bypass see here https://www.google.com/search?q=X-Frame-Bypass+check, for more on SPF, DKIM, DMARC configurations check here https://www.google.com/search?q=spf+dkim+dmarc+check
3: Spoofing email addresses does not require unauthorised service access; the address emails appear to be from, the 'From' address or identifier displayed in an email's header, is just a text string that can be an email address, a person's name or other label, and can be altered in Outlook or other email client.
4: Unless a server or service is significantly compromised, scammers are not 'hacking' services but instead taking advantage of knowledge deficits and 'social engineering' techniques to coerce compliance from the victim.