Refund scam (10/12/15)

The following scam attempts to trick its recipients into clicking on an infected attachment, which the attacker can then use to remotely access the victim’s computer. Notice the unknown party and the confusing message about a refund, both of which are signs of a scam. If you received this message, please delete it.


From: Nancy Brown <>
Date: Wed, Oct 7, 2015 at 11:47 AM
Subject: Re: xxxxxxg refund

Following our phone conversation I am forwarding you the payment
confirmation invoice.
Please refund the total amount or be xxxxxd in a Court of Justice.
What kind of company is

Nancy Brown
500 XXXXXXXXXXX, Suite 900
XXX-XXX-6121 office
XXX-XXX-6631 fax


We know many people have questions concerning this incident. We try to answer some of the most common questions below. First, Mark Willis, Chief Information Officer, and Dan Han, Information Security Officer, talk about the server intrusion incident in the video below:


Q. I received the notification via e-mail/letter from VCU about the incident. Does that mean someone stole my personal information and is using it in some way?

A. Based on the forensic evidence, we believe the likelihood of this identity data being accessed or copied by the intruders is very low. Unfortunately, our extensive investigation was unable to determine with 100 percent certainty whether any sensitive information was accessed. As a result, we are informing these individuals of this event. See the links on the home page for more information on protecting yourself from identity theft.

Q. Exactly what personal information may have been exposed?

A. Personal information stored on the server varied based on the individual’s role:

1. If a student in Summer 2011 or Fall 2011, or a current University employee or affiliate (42,438 Individuals) – data included SSN, name, date of birth, eID, email, VCUCard number, home address, student academic program, job department & title

2. If a current VCU Health System or MCVAP employee, or Health System affiliate (16,857 Individuals) – data included SSN, name, date of birth, eID, Health System eeid, email, VCUCard number, job department & title

3. If a former University employee employed during or after November 2005 (19,172 Individuals) – data included SSN, name, date of birth, email, home address, job title

4. If a University student accepted for Fall 2011 who did not enroll at VCU (2,328 Individuals) – data included SSN, name, date of birth, eID, email, personal email, VCUCard number

5. If a former University student who did not attend after Spring 2011, or a former University affiliate, or a former VCU Health System or MCVAP employee, or a former Health System affiliate, any of whom was issued a VCUCard (95,772 Individuals) – data included SSN, eID, VCUCard number

Q. Why would data for VCUHS employees be in the University server?

A. VCUHS provides this type of data to the University for many administrative purposes such as issuing ID badges and parking passes, establishing RamBucks accounts, and verifying Service Awards.

Q. What is being done to protect these servers and systems in the future?

A. The first server has been moved behind the University firewall, and the vulnerabilities that were present on both servers have been patched. Additional monitoring has also been put in place for these servers. Both the University and VCUHS had already planned to engage external consulting firms to perform extensive security assessments to determine if any systems are at risk for unauthorized access. This testing will be expedited, and the results used to determine additional appropriate actions.

Q. Will VCU contact me to ask for private information because of this event?

A. VCU WILL NOT contact you and ask for your private information. In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University who then proceed to ask for personal information, including Social Security Numbers. Please be aware that VCU will only contact you with information regarding steps you should take to prevent possible fraud or identity theft; or if you ask us, by e-mail or telephone, for information. We will not ask for your Social Security Number, password, or any other personal information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

Q. Why isn’t VCU automatically offering identity theft protection services to all individuals as with previous incidents?

A. VCU was able to track the activities of the intruders on the two servers and found no evidence that personal data was accessed or copied. We believe that there is a very low likelihood that personal data was exposed or that there is a risk of identity theft. Therefore, we are not automatically offering identity protection services to all 176,000 individuals in this incident.  However, for the peace of mind of concerned students, employees and affiliates, the University will honor individual requests for these services. Individuals who wish to make a request should call the Security Incident Information Center at (Toll Free) 1 (855) 886-2931 for more information.

Q. The identity theft protection letter I received mentions monitoring and fraud alert services. What's the difference?

A. The monitoring service provides daily review of your credit histories with all three major credit reporting agencies (Equifax, Experian and TransUnion), monthly email notifications of no activity, immediate notification of key changes to any of the three agency reports, and one 3-in-1 credit report (all three agency reports in one file) and unlimited access/copies of your credit report.  In the event you are the victim of identity theft, you have up to $1 million in identity theft insurance with no deductible and 24/7 access to service provider staff to assist and investigate.

A fraud alert is a flag to potential and existing creditors that there may be fraudulent activity within your credit history report.  It also requests creditors contact you prior to opening new accounts in your name.  Activating an alert on your account, however, does restrict your own access to your report.

The monitoring service is best used when there is a possibility your information may have been compromised (example: data breaches).  The fraud alert is best used when you are 100% certain your information has been compromised (example: stolen wallet/purse that contains ID, credit cards, etc.).

Q. Can I continue the identity theft protection service after the one year of free service provided by VCU expires?

A. VCU is covering the cost for one year of the identity theft protection service if you choose to enroll using the promotional code offered. If you choose to continue with the service at the end of the VCU paid period, you will be eligible to continue enrollment at the discounted price of $60 per year for as long as you remain in the program. If you discontinue the service and then elect to enroll at a later date, the regular service price would apply. The service provider will notify you approximately one month prior to the end of the service period and give you the opportunity to re-enroll. If you choose not to enroll, the service will simply end. Continuing enrollment is strictly your option; you are under no obligation to do so.

Q. Who should I contact if I have any additional questions concerning this incident?

A. Please contact the special Technology Services Security Incident Information Center at (Toll Free) 1 (855) 886-2931 or at should you have any questions not covered here concerning this incident.

What Should I Do?

Since there is a remote possibility for identity theft to occur from this incident, the University is taking steps to notify individuals. You may choose to adopt an increased level of identity theft protection by placing a fraud alert on your credit file at the national credit reporting agencies. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. You may call any one of the three major credit reporting agencies listed below. As soon as one credit reporting agency confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review.

  • Equifax – 800/525-6285 P.O. Box 740241, Atlanta, GA 30374-0241
  • Experian – 888/397-3742 P.O. Box 9532, Allen, TX 75013
  • TransUnionCorp – 800/680-7289 Fraud Victim Assistance Division P.O. Box 6790, Fullerton, CA 92834-6790

You should review your credit reports periodically. U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit or call toll-free (877) 322-8228.  If you find suspicious activity on your credit reports or have reason to believe your information is being misused, please contact the VCU Police at (804) 828-1196 to file a report.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, you should file a complaint with the FTC at or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement agencies for their investigations. The FTC also will advise you on further steps to take in the event your information is being used illegally.

Server Security Incident Notification

On October 24, 2011, routine monitoring of servers supporting a VCU system uncovered suspicious files and activity on one of the servers. The server was taken offline and a forensic investigation was launched to identify what unauthorized activities had taken place and the vulnerabilities that led to the compromise. The investigation determined that an Internet worm had infected the server on October 18, 2011, which subsequently allowed an intruder to access the server on October 19, 2011 for 56 minutes and prepare to use it as a platform for attempting to compromise other servers within and outside of the VCU network. The vulnerabilities have been corrected, and it has been determined that this server contained no personal data.

On October 29, 2011, VCU investigative staff discovered that two unauthorized accounts had been created on a second server. This server was also immediately removed from the University network for forensic investigation. Subsequent analysis indicated that the intruders had compromised the second server through the first server, allowing the intruder to access the second server on October 19, 2011 for 16 minutes. The intruders were on the second server for a short period of time and appeared to do nothing other than create the two accounts. We were unable to determine the purpose and intent of the intrusion into the second server.

The second server, which is behind the VCU firewall, is used to transfer identity data between various University systems such as Banner/eServices (students and employees), the VCUCard, and the VCU Health System. Ten files on this second server contained information on 176,567 individuals that included University employees and students, and VCU Health System employees. Data items included social security number and either individual names or eID user names; and, in some cases, date of birth, contact information and various programmatic or departmental information.

Our investigation was unable to determine with 100 percent certainty that the intruders did not access or copy the files in question. We believe the likelihood that they did is very low. However, because this data was potentially exposed, we are proactively informing the individuals of this event and subsequent actions they may wish to take to monitor their personal information.