This is a well-known scam. as uSlackr describes. But that doesn't mean it can't be done. People are always finding new exploits. Everything can't be done until someone figures out how to do it. With hacking, the safe assumption is to assume almost anything is, or will be, possible, so take precautions.
For example, no hacker can make the camera see through painter's or gaffer's tape if you leave a flap of it in place when you don't actually need the camera.
But taking precautions is different from reacting to a claim that somebody actually did it to you.
Some scams work because there actually is such an exploit, making it seem more credible even if it wasn't used on you. There are lots of things that can be done by a very proficient, motivated, hacker. Intelligence agencies, with the resources of a government behind them, can pull off some pretty fancy spy craft.
When you have been told that someone hacked your system, part of evaluating the potential truth of it is to weigh the scenarios. You can never completely rule out that someone might potentially have done it, but you can compare likelihoods. If you aren't a valuable target (foreign dignitary, owner of really valuable secrets, a terrorist, etc.), it isn't too likely that someone is going to invest serious time, money, and effort to hack your system. If you're going to be a "hacking" victim, it's much more likely that it will be some simple target of opportunity or just a scam, where there wasn't actually any hack.
The scam you mention relies on easily available information, the human nature of the victim, and requires no actual hacking. Why would anyone go to the trouble of hacking your system when they can fake out a lot of people without really doing anything?
When a well-known scam like this is going around, the odds heavily favor that you're a scam victim rather than an actual hacking victim. There's an old aphorism coined by a medical school professor about not jumping to an exotic medical diagnosis when a more commonplace explanation is more likely: "When you hear hoofbeats, think of horses not zebras."
2I'm voting to close this question as off-topic because its a fake scenario. – Jason – 2019-05-01T23:19:26.843
8@Jason, yes this is a common scam, but is it a legitimate question? Can hackers enable the camera after the user has disabled it? – Jay – 2019-05-02T01:48:54.027
2"laptop doesn't have any real protection. just windows defender and firewall." Sounds real to me. What do you want? A security guard patrolling? – sbecker – 2019-05-02T06:47:13.403
2@Jason I don’t understand your comment. What makes you think this is a fake scenario? Do you not believe that SG_MTS has an acquaintance who received one of these very common scam mails and is nervous? Do you not believe that he found the camera enabled in the settings after previously disabling it? Nothing about the scenario seems likely to be fake to me. – Janus Bahs Jacquet – 2019-05-02T11:46:09.527
"The spammer sent him an old password he used in an old email as proof" Used in or used for? – Acccumulation – 2019-05-02T15:16:24.980
@JanusBahsJacquet Ransom scams having access to your camera is a fictional plot device from shows like Black Mirror. If you google say,
ransom webcam
you will see numerous articles confirming this. – Jason – 2019-05-02T15:55:21.440@Jason Yes, I know that. That doesn’t mean (a) that this question is a fake scenario as your comment says, or (b) that there aren’t ways of remotely activating a device’s webcam. – Janus Bahs Jacquet – 2019-05-02T16:00:36.023
@Jay At best it's a poor question with a false premise. Someone with full access on your computer can do anything you can. – Jason – 2019-05-02T16:10:08.763