Phishing emails are one of the most common tricks scammers use, but they’re usually easy to catch if you pay attention. Awkward grammar, random details, and —most importantly— an unofficial email address are dead giveaways. For example, you might get an email saying your Apple ID’s been disabled, but the sender’s email won’t actually be from Apple. Now, though, scammers are finding ways to get around this.
According to the FBI, there’s been a recent rise in cybercriminal services using hacked police and government email accounts to send fake subpoenas and data requests to US-based tech companies.
GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE
What you need to know
The FBI has seen a spike in criminal forum posts about emergency data requests (EDRs) and stolen email credentials from police departments and government agencies. Cybercriminals are getting into compromised US and foreign government email accounts and using them to send fake emergency data requests to US-based companies, which exposes customer data for further misuse in other crimes.
In August 2024, a popular cybercriminal on an online forum advertised “high-quality .gov emails” for sale, meant for espionage, social engineering, data extortion, emergency data requests, and more. The listing even included US credentials, and the seller claimed they could guide buyers on making emergency data requests and even sell real stolen subpoena documents to help them pose as law enforcement.
Another cybercriminal boasted about owning government emails from over 25 countries. They claimed anyone can use these emails to send a subpoena to a tech company and get access to usernames, emails, phone numbers, and other personal client info. Some con artists are even hosting a ‘masterclass’ on how to create and submit their own emergency data requests to pull data on any social media account, charging $100 for the full rundown.
WINDOWS FLAW LETS HACKERS SNEAK INTO YOUR PC OVER WI-FI
How this phishing scam works?
When law enforcement—whether federal, state, or local—wants information about someone’s account at a tech company, like their email address or other account details, they typically need a warrant, subpoena, or court order. When a tech company receives one of these requests from an official email address, they’re required to comply. So, if a scammer gets access to a government email, they can fake a subpoena and get information on just about anyone.
To bypass verification, scammers often send emergency data requests, claiming that someone’s life is at risk and that the data is needed urgently. Because companies don’t want to delay in case of an actual emergency, they may hand over the information, even if the request turns out to be fake. By portraying it as a life-or-death situation, scammers make it harder for companies to take time to verify the request.
For example, the FBI reported that earlier this year, a known cybercriminal posted pictures on an online forum of a fake emergency data request they’d sent to PayPal. The scammer tried to make it look legitimate by using a fraudulent Mutual Legal Assistance Treaty (MLAT), claiming it was part of a local investigation into child trafficking, complete with a case number and legal code for verification. However, PayPal recognized that it wasn’t a real law enforcement request and denied it.
CYBER SCAMMERS USE AI TO MANIPULATE GOOGLE SEARCH RESULTS
What can companies do to avoid falling for these phishing scams?
1) Verify all data requests: Before sharing sensitive information, companies should verify every data request—even those that look legitimate. Establish a protocol for confirming requests directly with the agency or organization that supposedly sent them.
2) Strengthen email security: Use email authentication protocols like DMARC, SPF, and DKIM to block emails from unauthorized sources. Implement anti-phishing filters to detect suspicious content in messages.
3) Train employees on phishing awareness: Regular training sessions on phishing scams can help employees recognize red flags, such as urgent language, unusual requests, or emails from unknown addresses. Employees should be encouraged to report suspicious emails.
4) Limit access to sensitive data: Restrict who can view or share sensitive customer data. Fewer people with access means fewer chances for accidental or intentional data leaks.
5) Implement emergency verification procedures: Have a clear verification process in place for “emergency” data requests, including steps for double-checking with higher management or legal teams before responding to any urgent request for customer information.
Is there something you need to do?
This particular phishing scam mostly targets big tech companies, so there’s not much you can do directly. However, it’s a reminder that you shouldn’t automatically trust an email, even if it comes from a .gov address. Here are some steps you can take to stay safe:
1) Double-check email addresses and links
Even if an email looks official, take a moment to check the sender’s email address and hover over any links to see where they actually lead. Be cautious if anything looks off. The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.
2) Enable two-factor authentication (2FA): Use 2FA for all sensitive accounts. This extra layer of security helps protect you even if your login credentials are compromised.
3) Stay updated on phishing scams: Keep an eye on the latest phishing tactics, so you know what to look out for. Regular updates help you spot new types of scams before they affect you.
4) Verify suspicious requests: If you get an unexpected email asking for sensitive info, contact the sender directly through an official channel to confirm the request.
DON’T LET SNOOPS NEARBY LISTEN TO YOUR VOICEMAIL WITH THIS QUICK TIP
Kurt’s key takeaway
Scammers are taking phishing emails to a whole new level. I often recommend checking the email carefully when you receive anything suspicious to see if it’s legit. But now, since scammers can even access government emails, you need to be extra cautious. This phishing scam seems to target mostly big tech companies, so it’s on them to strengthen their security and verify every request thoroughly before sharing any user information. It’s also up to governments worldwide to protect their digital assets from being compromised.
What’s your stance on how governments are handling cybersecurity—are they doing enough to protect sensitive data? Let us know in the comments below.
FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE