NOTICE: Extortion emails increasing at U-M

Monday, October 1, 2018

The information below was sent to the IT Security Community and Frontline Notify (FLN) groups through email on October 1, 2018.

We are seeing a resurgence of email extortion scams across higher ed, and ask that you share the information below within your unit as appropriate.

Extortion Emails Increasing at U-M

Across higher ed, including the U-M community, there are increasing reports of extortion scam emails akin to ones from this summer. These scam emails usually claim that the recipient viewed pornography and demand payment (often via cryptocurrency such as Bitcoin) to keep this from becoming public.

The emails may address people by their name or uniqname and include one of their passwords—usually an old password compromised due to a data breach at a non-university site that uses email addresses as login IDs.

  • See a specific sample extortion email received at U-M.
  • See a general sample extortion email in Sextortion Scam Uses Recipient’s Hacked Passwords (Krebs on Security, 7/12/18).
  • This is a scam. The senders do not have evidence of pornography viewing. They are working from large, publicly available lists of email addresses and passwords associated with past data breaches. They hope that by sending you a password you recognize, you will fall for the scam. Do not pay the extortion money.

The FBI called attention to the increase in reports of this scam in August (FBI, This Week: Sextortion Reports on the Rise). Both Information Assurance and U-M's Division of Public Safety & Security consider the emails not credible.

How You Can Tell This Is a Scam

  • There are numerous reports of this scam on the web. Copy a sentence from the extortion email and Google it, and you will likely see numerous articles describing the scam.
  • The password included in the scam message is typically one you used outside the university in the past that was exposed in a large data breach. Such passwords are widely available to attackers on the Dark Web. For example, millions of passwords exposed in data breaches years ago at LinkedIn, Yahoo, Sony, eBay, and others remain publicly available to attackers. This is why it is so important that you not reuse old passwords.  

How to Protect Yourself From Scams Like This

  • Use two-factor authentication. Set it up for all your personal accounts that offer it, and turn it on for your U-M account.
  • Do not use the same password for multiple sites. Use a unique password for each account.
  • Do not recycle old passwords. Some people have a small collection of their favorite passwords that they cycle through when they change passwords. We recommend creating a new password when you change a password or set up a new account.
  • If you suspect an account has been compromised, change your password for that account. See What to Do if Your Account May Be Compromised.
  • Report it if your U-M password is involved. If you receive a scam email that includes your UMICH (Level-1) password or your Michigan Medicine (Level-2) password, report it. Information Assurance staff will follow up to see if there are logins to your U-M account from suspicious Internet Protocol (IP) addresses.