Phishing emails are one of the most common tricks scammers use, but they’re usually easy to catch if you pay attention. Awkward grammar, random details and, most importantly, an unofficial email address are dead giveaways. For example, you might get an email saying your Apple ID’s been disabled, but the sender’s email won’t actually be from Apple. Now, though, scammers are finding ways to get around this.
According to the FBI, there’s been a recent rise in cybercriminal services using hacked police and government email accounts to send fake subpoenas and data requests to U.S.-based tech companies.
I’M GIVING AWAY A $500 GIFT CARD FOR THE HOLIDAYS
Enter by signing up for my free newsletter!
What you need to know
The FBI has seen a spike in criminal forum posts about emergency data requests and stolen email credentials from police departments and government agencies. Cybercriminals are getting into compromised U.S. and foreign government email accounts and using them to send fake emergency data requests to U.S.-based companies, which exposes customer data for further misuse in other crimes.
In August 2024, a popular cybercriminal on an online forum advertised "high-quality .gov emails" for sale, meant for espionage, social engineering, data extortion, emergency data requests and more. The listing even included U.S. credentials, and the seller claimed they could guide buyers on making emergency data requests and even sell real stolen subpoena documents to help them pose as law enforcement.
Another cybercriminal boasted about owning government emails from over 25 countries. They claimed anyone can use these emails to send a subpoena to a tech company and get access to usernames, emails, phone numbers and other personal client info. Some con artists are even hosting a "masterclass" on how to create and submit their own emergency data requests to pull data on any social media account, charging $100 for the full rundown.
WINDOWS FLAW LETS HACKERS SNEAK INTO YOUR PC OVER WI-FI
How this phishing scam works
When law enforcement, whether federal, state or local, wants information about someone’s account at a tech company, like their email address or other account details, they typically need a warrant, subpoena or court order. When a tech company receives one of these requests from an official email address, they’re required to comply. So, if a scammer gets access to a government email, they can fake a subpoena and get information on just about anyone.
To bypass verification, scammers often send emergency data requests, claiming that someone’s life is at risk and that the data is needed urgently. Because companies don’t want to delay in case of an actual emergency, they may hand over the information, even if the request turns out to be fake. By portraying it as a life-or-death situation, scammers make it harder for companies to take time to verify the request.
For example, the FBI reported that earlier this year, a known cybercriminal posted pictures on an online forum of a fake emergency data request they’d sent to PayPal. The scammer tried to make it look legitimate by using a fraudulent mutual legal assistance treaty, claiming it was part of a local investigation into child trafficking, complete with a case number and legal code for verification. However, PayPal recognized that it wasn’t a real law enforcement request and denied it.
CYBERSCAMMERS USE AI TO MANIPULATE GOOGLE SEARCH RESULTS
What can companies do to avoid falling for these phishing scams?
1) Verify all data requests: Before sharing sensitive information, companies should verify every data request, even those that look legitimate. Establish a protocol for confirming requests directly with the agency or organization that supposedly sent them.
2) Strengthen email security: Use email authentication protocols like DMARC, SPF and DKIM to block emails from unauthorized sources. Implement anti-phishing filters to detect suspicious content in messages.
3) Train employees on phishing awareness: Regular training sessions on phishing scams can help employees recognize red flags, such as urgent language, unusual requests or emails from unknown addresses. Employees should be encouraged to report suspicious emails.
4) Limit access to sensitive data: Restrict who can view or share sensitive customer data. Fewer people with access means fewer chances for accidental or intentional data leaks.
5) Implement emergency verification procedures: Have a clear verification process in place for "emergency" data requests, including steps for double-checking with higher management or legal teams before responding to any urgent request for customer information.
Is there something you need to do?
This particular phishing scam mostly targets big tech companies, so there’s not much you can do directly. However, it’s a reminder that you shouldn’t automatically trust an email, even if it comes from a .gov address. Here are some steps you can take to stay safe.
1) Double-check email addresses and links: Even if an email looks official, take a moment to check the sender’s email address and hover over any links to see where they actually lead. Be cautious if anything looks off. The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.
2) Enable two-factor authentication (2FA): Use 2FA for all sensitive accounts. This extra layer of security helps protect you even if your login credentials are compromised.
3) Stay updated on phishing scams: Keep an eye on the latest phishing tactics, so you know what to look out for. Regular updates help you spot new types of scams before they affect you.
4) Verify suspicious requests: If you get an unexpected email asking for sensitive info, contact the sender directly through an official channel to confirm the request.
DON’T LET SNOOPS NEARBY LISTEN TO YOUR VOICEMAIL WITH THIS QUICK TIP
Kurt’s key takeaway
Scammers are taking phishing emails to a whole new level. I often recommend checking the email carefully when you receive anything suspicious to see if it’s legit. But now, since scammers can even access government emails, you need to be extra cautious. This phishing scam seems to target mostly big tech companies, so it’s on them to strengthen their security and verify every request thoroughly before sharing any user information. It's also up to governments worldwide to protect their digital assets from being compromised.
What’s your stance on how governments are handling cybersecurity? Are they doing enough to protect sensitive data? Let us know by writing us at Cyberguy.com/Contact.
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.
Ask Kurt a question or let us know what stories you'd like us to cover.
Follow Kurt on his social channels:
- YouTube
Answers to the most asked CyberGuy questions:
- What is the best way to protect your Mac, Windows, iPhone and Android devices from getting hacked?
- What is the best way to stay private, secure and anonymous while browsing the web?
- How can I get rid of robocalls with apps and data removal services?
- How do I remove my private data from the internet?
New from Kurt:
- Try CyberGuy's new games (crosswords, word searches, trivia and more!)
- Enter Cyberguy's $500 holiday gift card sweepstakes
Copyright 2024 CyberGuy.com. All rights reserved.