Alarming Rise in False Legal Claims: What It Means for Your Privacy

Phishing emails are one of the most common tricks scammers use, but they’re usually easy to detect if you pay attention. Clumsy grammar, random details and, most importantly, an unofficial email address are dead giveaways. For example, you might receive an email saying that your Apple ID has been deactivated, but the sender’s address won’t actually belong to Apple. Today, however, scammers are finding ways around this problem.

According to the FBI, there has recently been an increase in the number of cybercriminal services using hacked police and government email accounts to send fake subpoenas and data requests to U.S.-based technology companies.

Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)

What you need to know

The FBI has seen an increase in posts on criminal forums regarding emergency data requests and stolen email credentials from police departments and government agencies. Cybercriminals break into U.S. and foreign government email accounts and use them to send fake emergency data requests to U.S.-based companies, exposing customer data to further abuse in other crimes.

In August 2024, a popular cybercriminal advertised “high-quality .gov emails” for sale on an online forum, intended for espionage, social engineering, data extortion, emergency data requests, etc. The listing even included US credentials, and the seller claimed they could guide buyers through making emergency data requests and even sell real stolen subpoena documents to help them pass as law enforcement.

Another cybercriminal boasted of having government emails from more than 25 countries. They claimed that anyone could use these emails to send a subpoena to a technology company and gain access to customers’ usernames, emails, phone numbers and other personal information. Some scammers even hold a “masterclass” on how to create and submit their own emergency data requests to extract data on any social media account, charging $100 for the full rundown.

How this phishing scam works

When law enforcement, whether federal, state, or local, wants to obtain information about a person’s account at a technology company, such as their email address or other account details, they usually need a warrant, subpoena or court order. When a tech company receives one of these requests from an official email address, they are required to comply. So if a scammer has access to a government email account, they can fake a subpoena and obtain information on anyone.

To bypass verification, fraudsters often send emergency data requests, claiming that a person’s life is in danger and the data is urgently needed. Because companies don’t want to cause delays in a real emergency, they may hand over the information, even if the request turns out to be false. By framing the request as a matter of life or death, scammers keep businesses from taking the time to verify it.

For example, the FBI reported that earlier this year, a known cybercriminal posted photos on an online forum of a fake emergency data request he had sent to PayPal. The scammer attempted to make the request appear legitimate by using a fraudulent mutual legal assistance treaty, claiming it was part of a local child trafficking investigation, complete with a case number and a legal code for verification. However, PayPal recognized that this was not a genuine law enforcement request and rejected it.

Illustration of a person receiving a phishing email (Kurt “CyberGuy” Knutsson)

What can businesses do to avoid falling for these phishing scams?

1) Check all data requests: Before sharing sensitive information, companies should verify every data request, even those that appear legitimate. Establish a protocol for confirming requests directly with the agency or organization that supposedly sent them.

2) Strengthen email security: Use email authentication protocols such as DMARC, SPF, and DKIM to block emails from unauthorized sources. Implement anti-phishing filters to detect suspicious content in messages.

3) Train employees on phishing awareness: Regular phishing scam training sessions can help employees recognize red flags, such as urgent language, unusual requests, or emails from unfamiliar addresses. Employees should be encouraged to report suspicious emails.

4) Limit access to sensitive data: Limit who can view or share sensitive customer data. Fewer people with access means less risk of accidental or intentional data leaks.

5) Implement emergency verification procedures: Have a clear verification process in place for “urgent” data requests, including double-checking steps with senior management or legal teams before responding to any urgent requests for customer information.
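
The example below is added here to illustrate steps 1, 2 and 5 together and is not code from the article or the FBI: it triages an inbound emergency data request and shows why a DMARC pass alone never authorizes disclosure when the sending mailbox may be hijacked. The gateway name `mx.corp.example`, the `VERIFIED_CALLBACKS` directory, and all domains, phone numbers and messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.corp.example"   # assumed: our own inbound mail gateway
# Assumed directory of agency phone numbers confirmed in advance through
# independent channels, keyed by sender domain (constructed sample entry).
VERIFIED_CALLBACKS = {"police.example.gov": "+1-555-0100"}

def dmarc_result(msg):
    """DMARC verdict from our gateway's header only; other copies may be forged."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:
            found = re.search(r"\bdmarc=(\w+)", results)
            return found.group(1).lower() if found else "none"
    return "none"

def triage_request(raw_email):
    """Return (decision, reasons) for an inbound emergency data request."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if dmarc_result(msg) != "pass":
        return "reject", ["sender domain failed or lacks DMARC authentication"]
    callback = VERIFIED_CALLBACKS.get(domain)
    if callback is None:
        return "escalate_to_legal", ["no pre-verified contact for " + domain]
    # A DMARC pass only shows the mail left the agency's own servers. A hijacked
    # mailbox passes too, so disclosure always waits for an out-of-band callback.
    reasons = ["call " + callback + " from the directory, not a number in the email"]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To leaves the sender domain")
    return "hold_for_callback", reasons

# Constructed samples: a request sent from a compromised but genuine mailbox,
# and a spoofed one carrying a forged Authentication-Results header.
HIJACKED = (
    "Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n"
    "From: Detective Smith <smith@police.example.gov>\n"
    "Reply-To: smith.urgent@mail.example.net\n"
    "Subject: EMERGENCY data request\n\nLife at risk. Call +1-555-0199.\n")
SPOOFED = (
    "Authentication-Results: mx.corp.example; dmarc=fail\n"
    "Authentication-Results: attacker.example; dmarc=pass\n"
    "From: smith@police.example.gov\nSubject: EMERGENCY\n\nSend records now.\n")

if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED), ("spoofed", SPOOFED)):
        print(name, triage_request(raw))
```

The hijacked-mailbox sample authenticates cleanly and is still held until someone reaches the agency on the pre-verified number, which is the control that defeats a request sent from a genuine but compromised account.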

Is there anything you need to do?

This particular phishing scam primarily targets large tech companies, so there’s not much you can do directly. However, this is a reminder that you shouldn’t automatically trust an email, even if it comes from a .gov address. Here are some steps you can take to stay safe.

1) Check email addresses and links: Even if an email looks official, take a moment to check the sender’s email address and hover over the links to see where they actually lead. Be cautious if anything seems off. The best way to protect yourself from malicious links is to install antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware scams, protecting your personal information and digital assets. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android, and iOS devices.

2) Enable two-factor authentication (2FA): Use 2FA for all sensitive accounts. This added layer of security helps protect you even if your login information is compromised.

3) Stay informed about phishing scams: Keep an eye on the latest phishing tactics to know what to watch out for. Regular updates help you detect new types of scams before they affect you.

4) Check suspicious requests: If you receive an unexpected email requesting sensitive information, contact the sender directly through an official channel to confirm the request.

Kurt’s key point

Scammers are taking phishing emails to a whole new level. I often recommend checking the email carefully when you receive something suspicious to see if it is legitimate. But now, since scammers can even access government emails, you need to be extra careful. This phishing scam appears to primarily target large technology companies. It is therefore up to them to strengthen their security and thoroughly verify each request before sharing user information. It is also up to governments around the world to protect their digital assets from compromise.

What is your position on how governments manage cybersecurity? Are they doing enough to protect sensitive data? Let us know by writing to us at Cyberguy.com/Contact.

Copyright 2024 CyberGuy.com. All rights reserved.