Fake email campaign copying ransomware techniques


Userlevel 7
Badge +17

IT researchers at Avast have come across a new scam.

Cyber criminals are sending emails to individual recipients in companies **claiming** (!) to have committed a cyber intrusion and captured large amounts of data. Among this data would be HR data such as employee files and personal and medical records.

The attackers threaten to sell the data if they do not receive a response. They also mention relevant laws and regulations that threaten severe penalties for a company in case of data leaks if they are not handled in accordance with the law.

The scammers ask recipients to inform their superiors about the incident, probably to build pressure within the company and provoke a hasty response.

According to what we know so far, the allegations in the emails are not true and no successful attack has taken place. The scammers are merely borrowing from the scam used by ransomware attackers.

Affected parties should remain calm and inform the IT security department responsible in the company or the IT security officer and leave the further reaction to them. Under no circumstances should they react on their own.

Even though there does not seem to be any real danger to the company's data here, it shows how important a reliable data backup strategy is to be sure that all important data is effectively protected.

Further information here:
https://blog.avast.com/data-extortion-email-campaign


5 comments

Userlevel 7
Badge +20

It is interesting these email scams as you can usually tell right away looking at the FROM address for the email that it is not legitimate.

Userlevel 7
Badge +17

I would not rely on that. The emails are getting better and better and more and more difficult to distinguish...

Userlevel 7
Badge +20

I would not rely on that. The emails are getting better and better and more and more difficult to distinguish...

Oh, I don’t rely just on that, but it is a good tell-tale if you can spot it.

Userlevel 7
Badge +6

Definitely a start to look at the from address or message headers. It doesn't really tell you if it’s a real threat or a potential threat, but to be fair, most malware doesn’t email you before they start encrypting things... that’s too much of a warning IMO.

Userlevel 7
Badge +2

I would not rely on that. The emails are getting better and better and more and more difficult to distinguish...

Yes, and especially now, the attacker can have access to ChatGPT or an AI bot as well, it is getting more sophisticated.
