NOTICE: Extortion scam emails with stolen passwords not credible (updated)
September 28, 2018 update: People continue to see variations of this scam: A new kind of 'sextortion' scam is on the rise (Yahoo Finance, 9/25/18).
July 26, 2018 update: People continue to see variations of this scam: Tech Tip: An Old Scam With a New Twist (The New York Times, 7/23/18).
This information below was sent via email to the IT Security Community and Frontline Notify (FLN) groups on July 17, 2018.
We've had some reports of members of the U-M community seeing a new variation on a old scam—an email claiming that the recipient has viewed pornography and demanding payment (often via crypto-currency like Bitcoin) to keep this from becoming public. See a sample of the text at Sextortion Scam Uses Recipient’s Hacked Passwords (Krebs on Security, 7/12/18).
The new twist with this particular scam is that the email includes a password previously associated with the recipient's email address for an online account—likely a compromised password that was used many years ago.
Please reassure people in your units that this is a scam. The sender does not have evidence of the viewing of pornography, and recipients should not pay the money.
How You Can Tell This Is a Scam
- There are numerous reports of this scam on the web. Copy a sentence from the extortion email and Google it, and you likely will see numerous articles describing the scam.
Both Information Assurance and U-M's Division of Public Safety & Security consider the emails not credible.
How to Protect Yourself From Scams Like This
- Use two-factor authentication. Set it up for all your personal accounts that offer it, and turn it on for your U-M account.
- Do not use the same password for multiple sites. Use a unique password for each account.
- Do not recycle old passwords. Some people have a small collection of their favorite passwords that they cycle through when they change passwords. We recommend creating a new password when you change a password or set up a new account.
- If you suspect an account has been compromised, change your password for that account. See What to Do if Your Account May Be Compromised.
- Report it if your UMICH password is involved. If you receive a scam email that includes your UMICH (Level-1) password, report it. Information Assurance staff will follow up to see if there are logins to your U-M account from suspicious Internet Protocol (IP) addresses.
- Sextortion Scam Uses Recipient’s Hacked Passwords (Krebs on Security, 7/12/18)
- Don't Fall for This Scam Claiming You Were Recorded Watching Porn (Gizmodo, 7/17/18)
- A frightening email that is spreading online (Kim Komando, 7/10/18)
- Phishing scam known as 'sextortion' is using people's real passwords to blackmail them for supposedly watching porn (Mirror, 7/16/18)
- Scam Alert: Sextortion Email Using Real Passwords (Infogressive, 7/13/18)