NOTICE: Extortion scam emails with stolen passwords not credible (updated)

Friday, September 28, 2018

September 28, 2018 update: People continue to see variations of this scam: A new kind of 'sextortion' scam is on the rise (Yahoo Finance, 9/25/18).

July 26, 2018 update: People continue to see variations of this scam: Tech Tip: An Old Scam With a New Twist (The New York Times, 7/23/18).

This information below was sent via email to the IT Security Community and Frontline Notify (FLN) groups on July 17, 2018.

We've had some reports of members of the U-M community seeing a new variation on a old scam—an email claiming that the recipient has viewed pornography and demanding payment (often via crypto-currency like Bitcoin) to keep this from becoming public. See a sample of the text at Sextortion Scam Uses Recipient’s Hacked Passwords (Krebs on Security, 7/12/18).

The new twist with this particular scam is that the email includes a password previously associated with the recipient's email address for an online account—likely a compromised password that was used many years ago.

Please reassure people in your units that this is a scam. The sender does not have evidence of the viewing of pornography, and recipients should not pay the money.

How You Can Tell This Is a Scam

  • There are numerous reports of this scam on the web. Copy a sentence from the extortion email and Google it, and you likely will see numerous articles describing the scam.

Both Information Assurance and U-M's Division of Public Safety & Security consider the emails not credible.

How to Protect Yourself From Scams Like This

  • Use two-factor authentication. Set it up for all your personal accounts that offer it, and turn it on for your U-M account.
  • Do not use the same password for multiple sites. Use a unique password for each account.
  • Do not recycle old passwords. Some people have a small collection of their favorite passwords that they cycle through when they change passwords. We recommend creating a new password when you change a password or set up a new account.
  • If you suspect an account has been compromised, change your password for that account. See What to Do if Your Account May Be Compromised.
  • Report it if your UMICH password is involved. If you receive a scam email that includes your UMICH (Level-1) password, report it. Information Assurance staff will follow up to see if there are logins to your U-M account from suspicious Internet Protocol (IP) addresses.