Hello all,
There have been a lot of reports of two types of fraudulent emails lately, and it is worth sending another alert about them.
Extortion emails
The first type, which can be very alarming, is the extortion email. These are almost always marked as spam, but some do get through (and they can be alarming even when they land in the Junk folder). These emails always have the following components:
- A claim of compromising information – the scammers claim to have some compromising information about you (usually they say they obtained it via a virus on your computer). They may claim to know what you’ve done online, to have pictures of you from your webcam, or even to have access to your emails.
- A fake sign of authenticity – they will almost always quote a password they say is yours, to "prove" that they are telling the truth. These passwords were obtained from past data breaches of third-party sites that have been released online (for example, the Adobe or LinkedIn breaches). By including something that is not terribly private, but that the recipient believes is private, they are trying to provide evidence that they have actually compromised your accounts.
- A blackmail threat – they claim they will send out this supposed incriminating information to your contacts.
All of this is an attempt to scam you out of money over information that they do not actually have on you. They are relying on the natural reaction of fear to make you overcome your skepticism and caution about their claims.
What should you do if you receive these?
- If they mention a password that you still have in use anywhere – you should change those passwords.
- If the message was already marked as Junk and placed in your Junk Email folder – just ignore/delete it. Do not respond to the criminals.
- If the message was not marked as Junk – you can use the PhishAlert button or forward it to InformationSecurity@newpaltz.edu so we can update the filters to better catch the messages.
CNBC has an article with more information about these:
https://www.cnbc.com/2019/06/17/email-sextortion-scams-on-the-rise-says-fbi.html
Impersonation emails
These emails will typically be sent to all members of a department, and are made to appear as if they are from the department chair/director/dean/etc. What the scammers do is sign up for a Gmail or other free email account using the name of that department head. The address may look like the real one, but it is not the same.
The emails all start with a generic question like “Are you available?”, “Are you free?” or “Do you have a minute?” If you respond, they will (within a message or two) ask you for a favor: to purchase gift cards for them, with a promise of repayment (usually with an excuse that they are stuck in a meeting, or have missed someone’s birthday, anniversary or Christmas present).
These emails will all carry the CAUTION banner, which indicates the message came from off-site. So if you receive a message with the caution banner that is supposedly from one of your colleagues or your supervisor, don’t respond.
Apart from the departments being targeted, the scam hasn’t really changed over the past year since the previous alerts. The article at the link below from the Chronicle of Higher Education talks more about it:
https://www.chronicle.com/article/Phishing-Scheme-Targets/245535
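As an added illustration (this is not part of the original alert, and not something the campus mail filters actually run), here is a small Python script that applies the patterns described above to three constructed sample messages. It flags an extortion email only when all three components (the claim, the "proof" password and the threat to your contacts) appear together, and flags impersonation when a colleague's name arrives from an address outside newpaltz.edu, such as a free Gmail account. The staff names, sender addresses and message text are all made up for the example.

```python
"""Heuristic triage for the two scam patterns described in the alert.

Added example, not part of the original alert or the campus mail filters.
Assumptions: the organisation's domain is newpaltz.edu, STAFF_NAMES is a
constructed list of department heads, and the three sample messages below
are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "newpaltz.edu"

# Constructed list of names an impersonator would borrow (assumption).
STAFF_NAMES = {"Jane Doe", "John Roe"}

# Free webmail providers of the kind the alert says impersonators sign up with.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Generic openers quoted in the alert, and the gift-card favour that follows.
GENERIC_OPENERS = ("are you available", "are you free", "do you have a minute")
GIFT_CARD_RE = re.compile(r"\bgift\s*cards?\b", re.I)

# The three components the alert says every extortion email has.
CLAIM_RE = re.compile(r"\b(virus|malware|webcam|camera|your browser)\b", re.I)
PROOF_RE = re.compile(r"\b(your|the) password\b|password\s*[:\-]\s*\S+", re.I)
THREAT_RE = re.compile(r"\b(send|forward|share)\b.{0,40}\b(contacts|friends|family|colleagues)\b", re.I | re.S)
PAYMENT_RE = re.compile(r"\b(bitcoin|btc|wallet)\b", re.I)


def _body_text(msg):
    """Return the plain-text payload, walking multipart messages if needed."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def triage(raw_message, staff_names=STAFF_NAMES, org_domain=ORG_DOMAIN):
    """Classify a raw RFC 822 message as impersonation, extortion or clean."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    external = sender_domain != org_domain          # what the CAUTION banner signals
    body = _body_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}"
    reasons = []

    # Impersonation: a colleague's name on an external (usually free webmail) address.
    name_match = display_name.strip().lower() in {n.lower() for n in staff_names}
    if external and name_match:
        reasons.append(f"display name '{display_name}' matches staff but sender is external ({sender_domain})")
        if sender_domain in FREE_MAIL_DOMAINS:
            reasons.append("sender uses a free webmail domain")
        if any(opener in body.lower() for opener in GENERIC_OPENERS):
            reasons.append("generic opener")
        if GIFT_CARD_RE.search(text):
            reasons.append("gift card request")
        return {"verdict": "impersonation", "reasons": reasons}

    # Extortion: require the claim, the "proof" password and the threat together.
    components = {"claim": bool(CLAIM_RE.search(text)),
                  "proof": bool(PROOF_RE.search(text)),
                  "threat": bool(THREAT_RE.search(text))}
    if all(components.values()):
        reasons.extend(f"extortion component: {name}" for name in components)
        if PAYMENT_RE.search(text):
            reasons.append("cryptocurrency payment demand")
        return {"verdict": "extortion", "reasons": reasons}

    return {"verdict": "clean", "reasons": reasons}


# Constructed sample messages (not real emails).
EXTORTION_SAMPLE = """\
From: "Anonymous" <hacker@example.net>
To: you@newpaltz.edu
Subject: Your account was hacked

I know your password: Example-Old-Pw-2017
I installed a virus on your computer and recorded you through your webcam.
If you do not pay 1000 USD in bitcoin within 48 hours I will send the
video to all of your contacts.
"""

IMPERSONATION_SAMPLE = """\
From: Jane Doe <jane.doe.chair@gmail.com>
To: staff@newpaltz.edu
Subject: Quick request

Are you available? I am stuck in a meeting and need you to pick up some
gift cards for a colleague's birthday. I will pay you back.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jdoe@newpaltz.edu>
To: staff@newpaltz.edu
Subject: Department meeting

Reminder that the department meeting is Thursday at 3pm in the usual room.
"""

if __name__ == "__main__":
    for label, sample in (("extortion", EXTORTION_SAMPLE),
                          ("impersonation", IMPERSONATION_SAMPLE),
                          ("legit", LEGIT_SAMPLE)):
        print(label, "->", triage(sample))
```

The impersonation rule deliberately fires on the name/domain mismatch alone, because that is exactly the combination the alert tells you not to respond to; the opener and gift-card checks only add supporting reasons. The extortion rule insists on all three components so that an ordinary internal "please reset your password" notice does not trip it.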