The FBI warns that hackers are making fake police information requests to steal people’s private information
- The FBI issues a private sector notice on emergency data requests
- Hackers use stolen .gov email addresses to impersonate authorities
- Mitigation measures recommended by the FBI should be taken
Cybercriminals are using stolen government email addresses to submit fraudulent emergency data requests to U.S. companies to steal customers’ personally identifiable information (PII), which can be used for nefarious purposes such as phishing and identity theft, experts warn.
This attack vector has increased in popularity since August 2023, prompting the FBI to issue a private sector notice.
The Bureau has also developed a list of mitigation measures that companies can take to keep personal data safe and ensure that only authentic data requests are processed.
The number of fraudulent requests is increasing
Over the past year, the FBI has recorded a significant increase in forum posts from cybercriminals regarding fraudulent data requests. The trend stemmed from one user claiming that for $100 they could teach people to use data requests to obtain information on any social media account. Soon after, another user discovered that by using a “.gov” email address, he could impersonate authorities and obtain much more detailed information that he could use for phishing.
Fraudulent data requests gradually became more sophisticated and threatening, with one user reporting in December 2023 that they included the threat of harm or death to an individual if the data request was not processed and approved.
Shortly afterwards, in March 2024, another known cybercriminal submitted a Mutual Legal Assistance Treaty (MLAT) request to PayPal. The request used data from a child trafficking investigation, including the case number and legal code, to appear legitimate, but PayPal denied it.
In August 2024, a cybercriminal posted “High-end .gov emails for espionage/social engineering/data extortion/Dada solicitations, etc.” for sale that could be used to make fraudulent data access requests to obtain private customer information, including names, email addresses, phone numbers and other personal information.
The FBI recommends that companies double-check the security of all connections between third parties they communicate with and their own systems, as well as external or remote connections.
Companies should also be wary of emergency data requests that stress urgency, and should check all details in the request for inconsistencies or adjustments. You can find the full list of solutions here.