NOTICE: Email extortion scams continuing with variations
The information below was sent to the IT Security and Frontline Notify (FLN) groups via email on October 24, 2018.
We are continuing to get reports of members of the U-M community receiving extortion emails from scammers claiming to have incriminating evidence of inappropriate online behavior. We are hearing a lot of questions and concerns about this and suspect that some of you may also be hearing from your colleagues.
We continue to see new variations on the extortion scam. In the latest of these, the extortion email appears to come from the recipient's own email address, making it look like the scammer has access to the recipient's email account. In actuality, the "From" address has been forged.
Below is information you can share with those who ask you questions about this.
Key Points About the Scams
- The scammer claims to have evidence that the recipient has viewed pornographic websites or engaged in other inappropriate behavior.
- The scammer threatens to reveal this evidence unless the recipient sends immediate hush money in bitcoin or some other cryptocurrency.
- Some of the most recent emails appear to be from the recipient's own email address, making it look like the scammer has access to the recipient's email account. In actuality, the "From" address has been forged.
- The extortion email sometimes includes a password previously associated with the recipient's email address for an online account—most likely a compromised password that was used many years ago. Passwords revealed over the years in data breaches at companies and social media sites are publicly available, and scammers use these in their extortion emails. This is why we instruct the U-M community to not reuse their U-M password for other accounts.
What You Can Do to Protect Yourself
- Be skeptical of emails that claim things you know to be untrue. It is never a good idea to pay money to extortionists. If you are unsure about the legitimacy of an email, you can send it to Information Assurance at ReportPhish@umich.edu, or you can contact the ITS Service Center.
- Use two-factor authentication. Set it up for your personal accounts wherever it is available, and turn on two-factor for Weblogin (Duo) to protect your U-M account. This was done for Michigan Medicine faculty and staff earlier this month, and will be done for faculty, staff, and sponsored affiliates on the Ann Arbor, Dearborn, and Flint campuses in January.
- Do not use the same password for multiple sites. Use a unique password for each account.
- Do not recycle old passwords. Some people have a small collection of their favorite passwords that they cycle through when they change passwords. We recommend creating a new password when you change a password or set up a new account.
- If you suspect an account has been compromised, change your password for that account. See What to Do if Your Account May Be Compromised.
- Report it if your U-M password is involved. If you receive a scam email that includes your UMICH (Level-1) or Michigan Medicine (Level-2) password, report it. Information Assurance staff will follow up to see if there are logins to your U-M account from suspicious Internet Protocol (IP) addresses.
What the University is Doing
- We are expanding the use of two-factor for Weblogin. Two-factor is the most effective protection we can offer against account compromise. It provides an additional layer of security to stop a password thief from accessing your account. Michigan Medicine began requiring it of employees and sponsored affiliates on October 10. It will be turned on for faculty, staff, and sponsored affiliates at UM-Ann Arbor, UM-Dearborn, and UM-Flint on January 23, 2019.
- Information Assurance investigates reports of email scams and other attacks on U-M users and systems. We also work with the U-M Division of Safety and Security (DPSS) as appropriate. Both Information Assurance and DPSS consider these emails scams and do not believe any of the U-M accounts targeted by the scams have been compromised.
- Information Assurance reports malicious activity from users of other internet service providers to those service providers, who can then act to limit that activity.
- Both U-M Google Mail and Michigan Medicine Outlook/Exchange use filters to prevent phishing and scam emails from reaching U-M email inboxes, but no technology can stop all phishing and scams.
- We inform the university community about email scams through alerts on Safe Computing, emails to IT support staff, and social media (@umichTECH). See these notices about the extortion scams:
- Extortion emails increasing at U-M (10/1/18)
- Extortion scam emails with stolen passwords not credible (7/17/18; updated 7/26 & 9/25)
- Beware sextortionists spoofing your own email address (Naked Security by Sophos, 10/15/18)
- Scam Of The Week: Sextortion With A RATty Twist (KnowBe4, 10/21/18)
- New Sextortion Scam Pretends to Come from Your Hacked Email Account (Bleeping Computer, 10/12/18)