Extortion Scam: Don’t Fall for Email Threats.

Some of our users have recently reported seeing a widely-used Username and Password scam that cybercriminals are using to extort money from recipients. Our email security software has been stopping these messages and sending a follow up notification that a malicious email has been contained. But cybercriminals change tactics regularly, so we wanted you to be aware in case a message gets through our defenses.

Extortion email screenshot

Why is this happening?

In most cases, cybercriminals purchase a username and password – possibly on the dark web. When contacting the target, the criminal often does not provide the current password but a previous password used in services outside Ohio State.

However, if a criminal can provide an accurate password used in the past, it is an excellent scare tactic and is often successful in acquiring money or information from a target. A legitimate password makes the threat seem legitimate.

Usually, the cybercriminal attempts to extort money in exchange for not sharing the password with others and/or uses that data to impersonate you on sites that use that password. The attached screenshot is an example.

If you receive this type of threat, do not engage with the sender. Instead:

  • Immediately change your password on any site where the exposed password was used.
  • Do not use the same password on multiple sites.
  • Find out if any of your accounts have been compromised by visiting
  • Consider using a password manager to help create and store passwords. Password managers assist in generating and retrieving unique complex passwords, potentially storing such passwords in an encrypted database or creating them on demand.

For help and information, contact the IT Service Desk by phone 614-688-HELP (4357), by email at servicedesk@osu.edu or by logging in online at go.osu.edu/it.