Threat Alert: Extortion Emails about Data Breaches

SCAM ALERT red Rubber Stamp over a white background.
[This alert is from a recent IC3 Threat Alert. Please share with others in your organization and make sure employees are aware of the threats and consequences of these kinds of phishing emails.]

Have you heard about the massive data breaches with LinkedIn, MySpace (no joke, it’s still around), and Tumblr? The Internet Crime Complaint Center (IC3) continues to receive reports from individuals who have received extortion attempts via email related to these recent high-profile data breaches.

Recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient’s social media contacts, family, and friends if a ransom is not paid. Recipients are instructed to pay in Bitcoin, a virtual currency that facilitates anonymous transactions. The recipients are typically given a short deadline, so they do not have the opportunity to verify whether their personal information has actually been compromised.  The ransom amount ranges from 2 to 5 bitcoins or approximately $250 to $1,200.

Fraudsters quickly use the news release of a high-profile data breach to initiate an extortion campaign. The FBI suspects multiple individuals are involved in these extortion campaigns based on variations in the extortion emails.

Examples

The following are some examples of the extortion emails:

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”

“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”

“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, you can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”

Best Practices

  • Do not open email or attachments from unknown individuals.
  • Use strong passwords, and do not use the same password for multiple websites.
  • Never provide personal information of any sort via email.
  • Ensure security settings for social media accounts are turned on and set at the highest level of protection.
  • When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying the URL prefix includes “https”, or the status bar displays a “lock” icon.
  • Do not store sensitive or embarrassing photos online or on your mobile devices.
Print Friendly, PDF & Email