“Your Password is ______.”

Brace yourself for the latest in email scams: “Your password is ____”
Scammers are getting exceptionally clever lately and have started sending out very scary and convincing emails. These emails usually put a user’s actual password in the subject line to make it more credible, claim that they’ve hacked the recipient’s computer, and threaten to release very personal information to friends and family via social media if the scammer isn’t paid a large amount of money. While this is a very convincing trick, it’s still only a trick.

Here’s how they do it:

When websites get hacked, attackers often make off with a database of usernames, email addresses, and “hashed” (scrambled, rather than stored in plain text) passwords. While the hashes aren’t immediately useful on their own, they are usually posted to the internet, where they can be cracked to recover the original passwords. If you were one of the affected users, anyone in the world can get a copy of your email address and the password you used for that site.

Here are a couple of tips you can use to protect yourself:

  • Check https://haveibeenpwned.com. Enter your email address(es) into the field to see if any of your addresses have ever been affected by a breach. If so, you should assume that the password you used for that site is compromised and you should change it on any and all sites that share that password.
  • Use unique passwords for each website. If you use a password manager like https://www.lastpass.com/ or https://1password.com/, you can generate unique, secure passwords for every service you use and never have to remember them. If a site you use ever gets breached, attackers will only have your password for that site, instead of every site you use.
  • Change your passwords often, especially if you are informed that a service you use has been breached.
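As an added illustration of two points above (a leaked hash is identical wherever the same password was reused, and a breach check can be done without sending the password anywhere), here is example code that is not part of the original notice. It follows the k-anonymity lookup scheme of the Pwned Passwords service behind haveibeenpwned.com (a real API: SHA-1 the password, send only the first five hex characters, compare the returned suffixes locally), but the breach corpus, its counts and the `fake_range_endpoint` function are constructed stand-ins so the code runs offline; `pwned_count` and `generate_password` are names chosen for this example.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a leaked password corpus. These entries and counts
# are made up for this example (assumption); they are not data from any breach.
CONSTRUCTED_BREACH_COUNTS = {
    "password123": 126927,
    "Summer2018!": 1550,
    "letmein": 227000,
}


def sha1_hex(password: str) -> str:
    """SHA-1 digest of the password as upper-case hex.

    Pwned Passwords stores and compares SHA-1 hashes in this form. It also shows
    the point in the notice: hashing is deterministic, so a password reused on
    two sites produces the same hash in both breach dumps.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix5: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix5>.

    The real endpoint answers with every hash suffix in its corpus that shares
    the 5-character prefix, one "SUFFIX:COUNT" line per entry, so the service
    never learns which full hash (and therefore which password) was checked.
    """
    lines = []
    for password, count in CONSTRUCTED_BREACH_COUNTS.items():
        digest = sha1_hex(password)
        if digest[:5] == prefix5:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, query=fake_range_endpoint) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    Only the first five hex characters of the hash leave this function; the
    remaining 35 are compared locally against the returned suffixes.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def generate_password(length: int = 20) -> str:
    """Generate a random password the way a password manager does, so each site
    gets its own value and a breach at one site reveals nothing about the others."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("password123", generate_password()):
        hits = pwned_count(candidate)
        verdict = f"seen {hits} times, change it everywhere" if hits else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

To use the real service, replace `fake_range_endpoint` with an HTTPS GET to the URL in its docstring; the prefix/suffix handling in `pwned_count` stays the same, which is the point of the scheme.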

More phishing: Avoid taking the bait!

Please be especially vigilant for phishing emails. We’ve noticed an increased number of suspicious messages coming to faculty and students that are particularly clever.

Features of the current campaign have included:

  • Messages sent as a “reply to” a message already in the infected user’s inbox, which makes it harder to detect.
  • The body of the message does not contain a greeting, a signature, or an explanation for why the sender would be sending you a link rather than including the information in the message. Messages may appear similar to the screenshot below.
  • Messages include a link that directs you to an unrecognized, possibly malicious site (usually addresses that end in something other than “osu.edu,” as depicted in the screenshot below).
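The three features above can be turned into a simple triage check. The following is example code added here; it is not part of the original notice and not the Office of the Chief Information Officer's tooling. The regular expressions, the word-count threshold, the `phishing_indicators` function and the sample messages are all constructed for the example (the sample hosts use reserved example domains). The host check carries one practitioner caveat: compare the parsed hostname rather than searching the whole URL for “osu.edu”, since a lookalike address can contain that string in its path.

```python
import re
from urllib.parse import urlparse

# Domain the notice treats as expected for campus links.
TRUSTED_DOMAIN = "osu.edu"

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
GREETING_RE = re.compile(r"^\s*(hi|hello|dear|good (?:morning|afternoon))\b",
                         re.IGNORECASE | re.MULTILINE)
SIGNATURE_RE = re.compile(r"^\s*(thanks|thank you|regards|sincerely|best)\b[^\n]*$",
                          re.IGNORECASE | re.MULTILINE)
MIN_EXPLANATION_WORDS = 8  # threshold chosen for this example (assumption)


def host_is_trusted(url: str) -> bool:
    """True when the URL's host is osu.edu or a subdomain of it.

    The check is on the parsed hostname, not a substring of the whole URL, so
    a path such as https://other.example.com/osu.edu does not pass.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def phishing_indicators(msg: dict) -> list:
    """Return the campaign features from the notice that this message shows."""
    reasons = []
    body = msg["body"]
    links = URL_RE.findall(body)

    if msg.get("in_reply_to"):
        reasons.append("sent as a reply to an existing thread")

    for url in links:
        if not host_is_trusted(url):
            reasons.append(f"link to host outside {TRUSTED_DOMAIN}: {urlparse(url).hostname}")

    if links:
        if not GREETING_RE.search(body):
            reasons.append("no greeting")
        if not SIGNATURE_RE.search(body):
            reasons.append("no signature")
        words_without_links = URL_RE.sub("", body).split()
        if len(words_without_links) < MIN_EXPLANATION_WORDS:
            reasons.append("link with no explanation of why it was sent")
    return reasons


# Constructed sample messages (not real mail); hosts use reserved example domains.
CONSTRUCTED_MESSAGES = [
    {
        "id": "reply-with-bare-link",
        "in_reply_to": True,
        "body": "http://docs-share.example.net/view?id=4411",
    },
    {
        "id": "lookalike-path",
        "in_reply_to": False,
        "body": "Hello,\n\nPlease review the document: "
                "https://secure-portal.example.com/osu.edu/login\n\nThanks",
    },
    {
        "id": "ordinary-campus-mail",
        "in_reply_to": False,
        "body": "Hi Dana,\n\nThe updated lab schedule is posted on the IT help site:\n"
                "https://it.osu.edu/help/schedule\nLet me know if the link does not "
                "work for you.\n\nThanks,\nSam",
    },
]


def triage(messages=CONSTRUCTED_MESSAGES) -> dict:
    """Map each message id to its list of indicators (empty list = nothing flagged)."""
    return {m["id"]: phishing_indicators(m) for m in messages}


if __name__ == "__main__":
    for msg_id, reasons in triage().items():
        print(msg_id, "->", reasons or "no indicators")
```

Run as a script it prints the indicators per sample message: the bare-link reply trips every check, the lookalike is flagged on its host even though it has a greeting and a signature, and the ordinary campus mail produces an empty list. Heuristics like these are a reading aid, not a verdict; anything flagged still goes to report-phish@osu.edu as the notice asks.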

The Office of the Chief Information Officer is working on this issue. In the meantime, please do not click any links in suspicious emails, and forward all suspicious emails to report-phish@osu.edu.