Phishing/Extortion Alert: Extortion Messages Using Old Passwords


Stock Photo


Recently, a new variation of phishing/extortion message has emerged that makes use of old passwords obtained from previous breaches of various popular websites and online services external to York. While typically the passwords are old and no longer in use, the messages include these passwords in order to make the phishing message appear more legitimate, implying they have gained access to the victim’s accounts and computers, and then go on to demand a payment to avoid future damage.

If you receive such a message, delete it, and do not click any links or open attachments in the messages. If you are still using a password that is mentioned, on any York or non-York account, change it immediately.

Additionally, please keep in mind these safe online practices:

  • Use a different password for each online service/account. In particular, do not use your Passport York password for any other account within or external to York.
  • Change your passwords at least annually.
  • Always be suspicious of emails requesting sensitive information, financial transactions, or that insist on immediate response.
  • Do NOT click links or open attachments in unsolicited email from people or groups you don’t recognize.
  • For familiar contacts or expected messages, examine the “From” field of email messages to verify the sending address is correct – be wary of different spellings of the sending email address that could indicate fraud.
  • For links within email messages, use the “hover over” technique to validate the actual location it will send you to – move the mouse pointer over a link (without clicking!) and wait a moment; most email programs will show the real web location the link will take you to – if it does not match what you expect that could indicate fraud.
  • Take the York Cyber Secure online training, available to all staff, faculty, and students:


Useful Resources

How to choose a secure password:

Cyber-security Awareness Training:

- York’s Information Security blog:
- Follow York Information Security on Twitter (@YorkU_Infosec), Facebook (, and Instagram (yorku_infosec).


Please direct any questions or concerns to UIT Client Services - email: or visit