NOTICE: Online extortion scams increasing during COVID-19 pandemic
The FBI's Internet Crime Complaint Center (IC3) has seen an increase in online extortion scams, and U-M is experiencing a similar increase.
4/29/20 update: The Federal Trade Commission (FTC) reports that these emails are continuing to increase: Scam emails demand Bitcoin, threaten blackmail (FTC, 4/29/20).
Emails received at U-M
Subject lines vary, but the emails seen at U-M claim to have the recipient's password for accounts such as Facebook, LinkedIn, or other popular services, as well as embarrassing or compromising video or photos obtained through spyware. The emails threaten to forward the video or photos to others unless payment is made using Bitcoin or other cryptocurrency.
This is a resurgence of an old scam seen at U-M in the past:
- IA Notice: Extortion emails increasing at U-M (10/1/2018)
- IA Notice: Extortion scam emails with stolen passwords not credible (updated 9/28/2018)
The password included in the scam messages is typically one used outside the university that was exposed in a large data breach. Exposed passwords are widely available to attackers on the Dark Web. For example, millions of passwords exposed in data breaches years ago at LinkedIn, Yahoo, Sony, eBay, and others are still used by cyber criminals and other attackers. This is why it is so important that you not reuse old passwords.
Do not reply
This is a scam. The sender does not have explicit photos or video of you. Do not reply to the extortion email. Do not pay the ransom. If you are still using the password included in the email anywhere, change it immediately.
If your UMICH account or password is involved, change your password and report the incident. ITS Information Assurance staff will follow up to see if there are logins to your U-M account from suspicious Internet Protocol (IP) addresses and advise you if any action is needed.
How to protect yourself from scams like this
- Use two-factor for your personal accounts whenever it is available. That stops a scammer with a stolen password from getting into your accounts.
- Do not use the same password for multiple accounts. Use a unique password for each account.
- Do not recycle old passwords. Some people have a small collection of their favorite passwords that they cycle through when they change passwords. We recommend creating a new password when you change a password or set up a new account.
- If you suspect an account has been compromised, change your password for that account. See What to Do if Your Account May Be Compromised.
You can check Phishes & Scams on the Safe Computing website for examples of recent phishing and scam emails received at U-M.
- Online Extortion Scams Increasing During the COVID-19 Crisis (FBI Public Service Announcement, 4/20/20)
- FBI: Extortion scammers more active due to stay-at-home orders (Bleeping Computer, 4/20/20)