Advisory: Extortion Email Scam

Over the past week, many University community members have received scam emails commonly referred to as “sextortion.” Though they differ in approach and wording, sextortion scams always include the following pieces:

  • A claim that attackers have hacked your computer and recorded videos or pictures of you in your home in compromising situations.
  • An old, previously valid password to prove the validity of their claims.
  • A threat to release the video to your friends and family if you do not pay the attackers.
  • A method to pay, usually via bitcoin.

The claims and threats are false. The passwords used to try to convince victims of the validity of those claims are usually from previous breaches at other organizations that have been made public. The attackers use those available email addresses and passwords to build their victim pool. This current increase in attacks seems to be from a breach of usernames and passwords at LinkedIn that was made public in 2016.

The attackers use several techniques to evade filters, including but not limited to changing sender addresses, shifting subject lines, obscure text encoding, and numerous subtle changes in the body of the message from victim to victim.
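
The four pieces listed above stay constant while sender, subject and encoding change, so a content filter can key on them after normalizing the text. The Python below is an added example, not part of the original advisory or any filter the University runs; the keyword patterns, the threshold and the sample messages (including the password in them) are constructed assumptions.

```python
import re
import unicodedata

# Invisible characters that can split a keyword without changing how it renders
# (assumed list: zero-width space/joiners, word joiner, BOM, soft hyphen).
_INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"))

# One entry per invariant piece of the scam; every pattern in an entry must match.
# The keyword choices are illustrative assumptions, not a vetted rule set.
COMPONENTS = {
    "compromise_claim": [r"\b(hacked|malware|infected|trojan)\b",
                         r"\b(webcam|camera|recorded|recording|video)\b"],
    "old_password": [r"\bpassword\b"],
    "release_threat": [r"\b(send|release|share|publish|forward)\b",
                       r"\b(contacts|friends|family|colleagues)\b"],
    "payment_demand": [r"\b(bitcoin|btc)\b"],
}

def normalize(text):
    """Fold compatibility forms (fullwidth, styled letters) with NFKC, drop
    invisible characters, lowercase, collapse whitespace. Cross-script
    homoglyphs (e.g. Cyrillic look-alikes) are not handled here."""
    text = unicodedata.normalize("NFKC", text).translate(_INVISIBLE)
    return re.sub(r"\s+", " ", text.lower())

def matched_components(body, fold=True):
    """Return the names of the scam components found in the message body."""
    text = normalize(body) if fold else body.lower()
    return {name for name, pats in COMPONENTS.items()
            if all(re.search(p, text) for p in pats)}

def is_sextortion(body, threshold=4):
    """Flag a message only when all four components co-occur (assumed threshold)."""
    return len(matched_components(body)) >= threshold

# Constructed sample bodies, not real messages.
SAMPLE_PLAIN = ("I hacked your computer and recorded a video of you through your "
                "webcam. Your password is hunter2-old. Pay $900 in Bitcoin or I "
                "will send the video to your friends and family.")
SAMPLE_OBFUSCATED = ("Your device was in\u200bfected with my mal\u00adware and the "
                     "camera recor\u200bded you. I know your pass\u200bword: "
                     "hunter2-old. Transfer 0.2 \uff22\uff34\uff23 or I will "
                     "forward the recording to all your contacts.")
SAMPLE_BENIGN = ("Reminder: your university password expires in 10 days. "
                 "Change it on the IT portal.")

if __name__ == "__main__":
    for label, body in [("plain", SAMPLE_PLAIN), ("obfuscated", SAMPLE_OBFUSCATED),
                        ("benign", SAMPLE_BENIGN)]:
        print(label, sorted(matched_components(body)), is_sextortion(body))
```

Calling `matched_components(SAMPLE_OBFUSCATED, fold=False)` shows how much a plain keyword match loses to the encoding tricks alone.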

This attack is not limited to Syracuse University. There have been similar reports around the world. The Information Security Department’s advice aligns with that of law enforcement agencies: Once identified, these emails should simply be deleted. Also, if you are still using the password that the attackers used to convince you of their “hack,” you should change it anywhere it’s being used.

To learn more about cybersecurity, visit the Information Security website.