
How to spot fake emails like "Security Breach - Stolen Data"

Also Known As: Security Breach - Stolen Data fake extortion email
Damage level: Medium

What is "Security Breach - Stolen Data"?

Upon scrutinizing this email, we have ascertained that it is a fraudulent extortion letter. This phishing campaign comprises at least two versions of the letter; the perpetrators use the names of well-known cybercriminal groups to intimidate recipients and lend credibility to their threats.


More about the "Security Breach - Stolen Data" scam email

The email is a fake extortion letter claiming to be from the Surtr group (its subject line, inconsistently, names the LockBit group), stating that the senders took 800 GB of the recipient's important documentation in a security breach. The letter goes on to threaten to expose sensitive information, including HR records, employee records, and employees' personal and medical data.

The sender demands that the recipient inform the company's directors and have them contact the email address provided, using corporate email only, to enter a "secure chat" and negotiate payment for the return of the stolen data.

The second email variant is about a fake security breach at the recipient's company, carried out by a group called Midnight. The email claims that 600 GB of important data has been accessed, including HR and employee records and personal and medical data of the employees.

The email asks the recipient to inform managers about the breach. It provides several reasons why this should be done, including the sensitivity of the stolen information, the potential consequences for the company and its partners, and the strict regulatory laws in America.

The email also threatens that if the recipient's employer does not pay, cybercriminals will go after customers and staff and provides an email address for the managers to contact the group. The email concludes by promising to provide a comprehensive listing of the stolen files and instructions on what to do next.

Threat Summary:
Name: Security Breach - Stolen Data Email Scam
Threat Type: Phishing, Scam, Social Engineering, Fraud
Fake Claim: There is a security breach at the recipient's employer's company
Disguise: Letter from better-known threat actors (groups)
Symptoms: Unauthorized online purchases, changed online account passwords, identity theft, illegal access of the computer.
Distribution methods: Deceptive emails, rogue online pop-up ads, search engine poisoning techniques, misspelled domains.
Damage: Loss of sensitive private information, monetary loss, identity theft.
Malware Removal (Windows): To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

More about the campaign

There is a trend of fake extortionists taking advantage of data breaches and ransomware incidents, threatening U.S. companies to publish or sell data they claim to have stolen unless paid. Some of these actors also threaten a distributed denial-of-service (DDoS) attack if the recipient does not comply with their demands.

How victims are selected is not clear. One plausible approach is to source information from publicly available channels such as the data leak site of the original attacker, social media platforms, news articles, or official company disclosures.

Examples of similar emails are "We Are Using Your Company's Server To Send This Message", "Porn Websites I Attacked With My Virus Xploit", and "I Know That You Cheat On Your Partner Email Scam". It is also worth noting that such emails can be used to trick recipients into infecting their computers with malware.
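The indicators described in this section and in the description of the two letter variants above can be checked mechanically. The following triage scorer is an added example and not PCRisk's code; the group list, the free-webmail list, the score threshold and both sample messages are assumptions constructed for the demonstration:

```python
"""Triage scorer for "Security Breach - Stolen Data" style extortion emails (added example,
not PCRisk's code). It parses a raw RFC 822 message and scores the indicators described
above: a subject announcing a breach by a named group, a body claiming N GB of stolen data,
a contact address on free webmail, a "corporate email only" demand, an order to tell
management, and a group name in the body that differs from the one in the subject."""
import re
from email import message_from_string

FREE_WEBMAIL = {"protonmail.com", "proton.me", "outlook.com", "gmail.com"}
# Group names the article notes are borrowed to lend the threat credibility.
GROUP_NAMES = ("lockbit", "surtr", "midnight")
SUBJECT_RE = re.compile(r"security (issue|breach|crisis)|we (took|accessed) your (data|information)")
EMAIL_DOMAIN_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def _body_text(msg):
    # Concatenate all text/plain parts; walk() yields a non-multipart message itself.
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def score_extortion_email(raw):
    """Return each indicator as a bool plus an overall score and verdict."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    body = _body_text(msg).lower()
    f = {}
    f["breach_claim_in_subject"] = SUBJECT_RE.search(subject) is not None
    f["stolen_volume_claim"] = re.search(r"\d+\s*gb\s+of", body) is not None
    f["free_webmail_contact"] = any(d in FREE_WEBMAIL for d in EMAIL_DOMAIN_RE.findall(body))
    f["corporate_email_demand"] = "corporate em" in body  # also catches the "EMIL" typo
    f["tell_management"] = re.search(r"tell your (directors|managers|bosses)", body) is not None
    in_subject = {g for g in GROUP_NAMES if g in subject}
    in_body = {g for g in GROUP_NAMES if g + " group" in body}
    f["group_name_mismatch"] = bool(in_subject and in_body and in_subject != in_body)
    f["score"] = sum(f.values())
    f["verdict"] = "extortion-scam" if f["score"] >= 4 else "review"
    return f

# Constructed sample modelled on the first variant; the contact address is a placeholder.
SAMPLE_SURTR = """\
From: "IT Notice" <notice@example.net>
Subject: LockBit group notifying you about your firm's security issue - we took your data!

Hello employee,
This is Surtr group! Your business had a data security breach, when we took 800 GB
of your important documentation. Please tell your directors that they need to contact
us via this email: placeholder-contact@protonmail.com.
Please make sure YOU TELL THEM TO USE CORPORATE EMIL ONLY.
"""

# Constructed benign message for contrast.
SAMPLE_BENIGN = """\
From: hr@example.com
Subject: Reminder: benefits enrollment closes Friday

Hi team, please complete your enrollment on the HR portal by Friday.
"""

if __name__ == "__main__":
    for name, raw in (("surtr", SAMPLE_SURTR), ("benign", SAMPLE_BENIGN)):
        print(name, score_extortion_email(raw))
```

The threshold of four indicators is arbitrary; in a mail gateway the individual flags are more useful than the verdict, since a real breach notification from an employer will not ask staff to relay a free-webmail contact address to management.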

How do spam campaigns infect computers?

Cybercriminals who use emails to infect computers send malicious links and attachments. Malicious links, when clicked, can redirect users to websites that host malware; such pages can implant malware directly or trigger drive-by downloads.

When downloaded and opened, malicious attachments can execute computer code. They can be documents, pictures, ZIP files, or executable files. The most common types of malicious attachments are Office documents, such as Word or Excel files, that contain malicious macros.

These macros can execute code on systems, download malware, or create backdoors to allow remote access.

How to avoid installation of malware?

Never open attachments or click on links from unknown or suspicious sources (especially when emails are unsolicited). Keep your software and operating system updated with the latest security patches. Use reputable antivirus software and keep it updated. Be cautious of downloading and installing software from untrusted sources, as these can often contain malware.

Also, do not trust ads and links on shady websites. If you have already opened malicious attachments, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Text presented in the "Security Breach - Stolen Data" email letter:

Subject: LockBit group notifying you about your firm's security issue - we took your data!


Hello ********,

This is Surtr group! As you likely learned, your business this months had a data security breach, when we took 800 GB of your important documentation. We now advise a way to assist with this crisis.

First, ******** let me explain why you are getting this request.
First, among the information that we took, there was a lot of data related to HR records, employee records, and personal and medical data of the employees. This is why this crisis should concern you personally, no matter what your company says about this being "just a regular data breach. Second, the more employees know, the faster your company will mitigate this by talking to us.

We ask you to talk to your directors about this and tell them this note.
- First, we know who you are. We saw your information, your business does a lot of work with medical and has government contracts. The leaked data are exposing not only you but your government and people who trusted you.
- Second, we have your accounting, finance, and employee data which is an critical resource. If you don't pay, we know criminals who will pay for it.
- Third you are in America and the regulatory laws of data breaches are very strict there.
- Four, we have access to the folders of your clients. If you don't pay, we will get our money by hacking them using the critical documentation we get from you. We will use the files from there to attack these firms, and you will be the one to blame.
- Five, if you don't talk to us, we will be going for your people, and directors and keep calling and emailing them: we have all your phones, addresses, and personal details.

********, please tell your directors that in order to address this, they need to contact us via this email: mabigmoza1973@protonmail.com.

Please make sure YOU TELL THEM TO USE CORPORATE EMIL ONLY. After this will provide guides on how to enter a secure chat in which we will provide the listing of stolen files which will serve as a comprehensive proof that we have the data. Please TELL them to use THIS INDIVIDUAL NUMBER 51E49C75B39C as the FIRST thing in their email as this will ensure the right authentication.

Screenshot of another email variant:


Text in this variant:

Subject: [EXTERNAL] Regarding your employer's security cirsis - we accessed your information!

Hello ********,

This is Midnight group. As you potentially learned, your firm recently had a data security breach, and we are the ones who are behind it. During this hack, we accessed 600 GB of essential data from your employer's servers, and we are now offering you a way to resolve this case.

First, ******** let me explain why you are getting this letter.
The first reason we are sending this message to all the employees and managers, as among the documentation that we took, there was massive amount of information related to HR records, employee records, and personal and medical data of the employees. This is why this situation should concern you personally, no matter what your employer says about this being "just a regular data hack" (in case they actually told you anything). The second reason is that the more employees know, the higher there is a chance that the company will begin talking to us, the more chance there is that the situation gets resolved.

So, we ask you to talk to your bosses about this and tell them this note.
- First, we know who you are. We saw your information, your firm does a lot of work with hospitals and has vendor contracts. If your information are exposing not only you but your partners and people who trusted you.
- Second, we have your accounting, finance, and employee data which is an important resource. If you don't pay, we know parties who will pay for it.
- Third you are in America and the regulatory laws of data breaches are very strict there.
- Four, we have access to the folders of your customers. If you don't pay, we will get our money by hacking them using the important documentation we get from you. We will use the documentation from there to attack these firms, and you will be the one to blame.
- Five, if you don't talk to us, we will be going for your staff, and directors and keep calling and emailing them: we have all your phones, addresses, and personal details.

********, please tell your managers that in order to resolve this, they need to contact us via this email: cleomosnv@outlook.com. After this will provide guides on how to enter a secure chat in which we will provide you comprehensive proofs that we have the data and the instructions on what to do. When you entre, we will offer you with a listing of all the data we took. It is two millions of files. We will be then talking price.



Types of malicious emails:

Phishing Emails

Most commonly, cybercriminals use deceptive emails to trick Internet users into giving away their sensitive private information, for example, login information for various online services, email accounts, or online banking information.

Such attacks are called phishing. In a phishing attack, cybercriminals usually send an email message with some popular service logo (for example, Microsoft, DHL, Amazon, Netflix), create urgency (wrong shipping address, expired password, etc.), and place a link which they hope their potential victims will click on.

After clicking the link presented in such email message, victims are redirected to a fake website that looks identical or extremely similar to the original one. Victims are then asked to enter their password, credit card details, or some other information that gets stolen by cybercriminals.

Emails with Malicious Attachments

Another popular attack vector is email spam with malicious attachments that infect users' computers with malware. Malicious attachments usually carry trojans that are capable of stealing passwords, banking information, and other sensitive information.

In such attacks, cybercriminals' main goal is to trick their potential victims into opening an infected email attachment. To achieve this goal, email messages usually talk about recently received invoices, faxes, or voice messages.

If a potential victim falls for the lure and opens the attachment, their computer gets infected, and cybercriminals can collect a lot of sensitive information.

While it's a more complicated method to steal personal information (spam filters and antivirus programs usually detect such attempts), if successful, cybercriminals can get a much wider array of data and can collect information for a long period of time.

Sextortion Emails

This is a type of phishing. In this case, users receive an email claiming that a cybercriminal could access the webcam of the potential victim and has a video recording of one's masturbation.

To get rid of the video, victims are asked to pay a ransom (usually using Bitcoin or another cryptocurrency). Nevertheless, all of these claims are false - users who receive such emails should ignore and delete them.

How to spot a malicious email?

While cybercriminals try to make their lure emails look trustworthy, here are some things that you should look for when trying to spot a phishing email:

  • Check the sender's ("from") email address: Hover your mouse over the "from" address and check if it's legitimate. For example, if you received an email from Microsoft, be sure to check if the email address is @microsoft.com and not something suspicious like @m1crosoft.com, @microsfot.com, @account-security-noreply.com, etc.
  • Check for generic greetings: If the greeting in the email is "Dear user", "Dear @youremail.com", "Dear valued customer", this should raise suspicion. Most commonly, companies call you by your name. Lack of this information could signal a phishing attempt.
  • Check the links in the email: Hover your mouse over the link presented in the email; if the link that appears seems suspicious, don't click it. For example, if you received an email from Microsoft and the link in the email shows that it will go to firebasestorage.googleapis.com/v0... you shouldn't trust it. It's best not to click any links in the emails but to visit the website of the company that sent you the email in the first place.
  • Don't blindly trust email attachments: Most commonly, legitimate companies will ask you to log in to their website and to view any documents there; if you received an email with an attachment, it's a good idea to scan it with an antivirus application. Infected email attachments are a common attack vector used by cybercriminals.
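The first and third checks in the list above can be applied in code. This is an added example and not part of the original article; the brand-to-domain table, the lookalike rules and the sample HTML are constructed assumptions:

```python
"""Sender-domain and link checks for the checklist above (added example, not PCRisk's
code). Flags "from" domains that are lookalikes of the claimed brand (digit-for-letter
swaps such as m1crosoft.com, transpositions such as microsfot.com) or unrelated to it
(account-security-noreply.com), and links whose host is outside the brand's domains.
The brand table, the claimed brand and the sample HTML are constructed assumptions."""
import re
from html.parser import HTMLParser

# Legitimate registrable domains per brand (constructed; extend for your environment).
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "dhl": {"dhl.com"}, "amazon": {"amazon.com"}}
# Digits commonly substituted for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def _edit_distance(a, b):
    # Plain Levenshtein distance; small enough here not to need a library.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _belongs_to(host, brand):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def sender_verdict(from_header, claimed_brand):
    """'ok', 'lookalike' or 'unrelated' for the domain in a From header."""
    domain = from_header.rsplit("@", 1)[-1].strip("> ").lower()
    if _belongs_to(domain, claimed_brand):
        return "ok"
    folded = domain.translate(HOMOGLYPHS).split(".")[0]   # compare the first label only
    for d in BRAND_DOMAINS[claimed_brand]:
        if _edit_distance(folded, d.split(".")[0]) <= 2:
            return "lookalike"
    return "unrelated"

class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def suspicious_links(html_body, claimed_brand):
    """Hosts of <a href> targets that do not belong to the claimed brand."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    hosts = [re.sub(r"^[a-z]+://", "", h, flags=re.I).split("/")[0].lower() for h in parser.hrefs]
    return [h for h in hosts if h and not _belongs_to(h, claimed_brand)]

# Constructed sample: the link text says "Sign in" but the href goes to Firebase storage.
SAMPLE_HTML = ('<p>Your password expires today.</p>'
               '<a href="https://firebasestorage.googleapis.com/v0/b/x/o/login.html">Sign in</a>'
               '<a href="https://login.microsoft.com/">Help</a>')
```

Note that a domain such as microsoft.com.example.net is reported as a lookalike rather than "ok", because only a suffix match on the registrable domain counts as legitimate.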

To minimise the risk of opening phishing and malicious emails, we recommend using Combo Cleaner Antivirus for Windows.


What to do if you fell for an email scam?

  • If you clicked on a link in a phishing email and entered your password - be sure to change your password as soon as possible. Usually, cybercriminals collect stolen credentials and then sell them to other groups that use them for malicious purposes. If you change your password in a timely manner, there's a chance that criminals won't have enough time to do any damage.
  • If you entered your credit card information - contact your bank as soon as possible and explain the situation. There's a good chance that you will need to cancel your compromised credit card and get a new one.
  • If you see any signs of identity theft - you should immediately contact the Federal Trade Commission. This institution will collect information about your situation and create a personal recovery plan.
  • If you opened a malicious attachment - your computer is probably infected, you should scan it with a reputable antivirus application. For this purpose, we recommend using Combo Cleaner Antivirus for Windows.
  • Help other Internet users - report phishing emails to Anti-Phishing Working Group, FBI’s Internet Crime Complaint Center, National Fraud Information Center and U.S. Department of Justice.

Frequently Asked Questions (FAQ)

Why did I receive this email?

These types of emails are often sent out en masse to a large number of recipients in the hopes of tricking at least some of them into sending money or personal information. If you received such an email, it is important to remember that it is likely a scam and not a legitimate threat.

I have provided my personal information when tricked by this email, what should I do?

If you provided passwords to the scammer, change them immediately. Also, update any other accounts where you used the same password. If you provided financial information, contact your bank or credit card company immediately to report the potential fraud and take appropriate action.

I have downloaded and opened a malicious file attached to an email, is my computer infected?

If the file was executable, then it is highly likely that your system has been infected. However, if the file was a document in formats such as .pdf or .doc, there is a possibility that you may have avoided the malware infection, as sometimes simply opening the document may not be sufficient for the malware to penetrate your system.

Was my computer actually hacked and does the sender have any information?

Your computer was not hacked or infected. It is possible that scammers obtained old passwords from databases that have previously leaked information.

I have sent cryptocurrency to the address presented in such email, can I get my money back?

Transactions of this nature are almost impossible to trace, which implies that it will be difficult or impossible to recover the lost funds.

I have read the email but did not open the attachment, is my computer infected?

Just opening an email by itself is not harmful at all. However, clicking on links contained within the email or opening any attached files can cause your system to become infected.

Will Combo Cleaner remove malware infections that were present in email attachment?

Indeed, Combo Cleaner has the ability to detect and remove nearly all known malware infections. Nonetheless, it is important to note that some sophisticated malware may be deeply embedded within the system. Therefore, performing a complete system scan is essential.


About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.
