Surge in Fake Legal Requests: Implications for Your Privacy

In the ever-evolving landscape of cybercrime, phishing emails have long been a favored tactic among scammers. While these deceptive messages often exhibit telltale signs—such as awkward grammar, irrelevant details, and suspicious email addresses—cybercriminals are now diversifying their strategies to exploit unsuspecting targets.

The Rise of Fraudulent Legal Requests

Recent reports from the FBI indicate a troubling trend: a significant increase in the use of hacked police and government email accounts to send fraudulent subpoenas and data requests to technology companies based in the United States. This alarming development presents serious risks to personal privacy and data security.

According to the FBI, there has been a surge in discussions on criminal forums regarding emergency data requests and the illicit sale of stolen email credentials from law enforcement agencies. Cybercriminals are increasingly using compromised government email accounts to issue fake emergency requests, exposing customer data to further exploitation.

Dark Market for Government Credentials

In a stark demonstration of this growing threat, a prominent cybercriminal recently advertised “high-quality .gov emails” for sale on an online forum. These emails were marketed for various nefarious purposes, including espionage, data extortion, and fraudulent legal requests. The seller even claimed to provide guidance on how to utilize these emails effectively, including offering real stolen subpoena documents to help buyers impersonate law enforcement.

Another individual boasted of possessing government email accounts from over 25 countries, asserting that such credentials could be used to obtain sensitive information from tech companies, including usernames and personal details. Moreover, some con artists have taken this a step further by offering “masterclasses” on how to fabricate and submit emergency data requests, charging participants up to $100 for the knowledge.

Understanding Legal Requests and Compliance

Typically, when law enforcement agencies seek information from tech companies, they must present a valid warrant, subpoena, or court order. Companies are legally obligated to comply when they receive such requests from verified sources. However, a scammer who gains access to a government email account can fabricate a subpoena, send it from an address that looks verified, and use it to obtain personal information about individuals.

To complicate matters, scammers often present these requests as urgent, claiming that someone’s life is in jeopardy and immediate access to data is necessary. This tactic exploits the urgency of the situation, making it difficult for companies to verify the legitimacy of the request before providing sensitive information.

A Notable Case of Deception

Earlier this year, the FBI highlighted a case in which a known cybercriminal posted a fake emergency data request sent to PayPal. This request was crafted to appear credible, using a fraudulent mutual legal assistance treaty and a fabricated case number related to a supposed child trafficking investigation. Fortunately, PayPal recognized the scam and rejected the request.

Protecting Against Fake Legal Requests

Given the increasing sophistication of these scams, companies must implement robust security measures to protect against fraudulent data requests. Here are several strategies to consider:

  • Verify All Data Requests: Establish a verification protocol to confirm the legitimacy of every data request, even those that appear official.
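  • Enhance Email Security: Utilize email authentication protocols like DMARC, SPF, and DKIM to prevent unauthorized emails from reaching your inbox. These checks stop messages that spoof a sender's domain; a message sent from a genuinely compromised government account will still pass them, so they complement request verification rather than replace it.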
  • Conduct Phishing Awareness Training: Regularly educate employees about phishing tactics and encourage them to report suspicious emails.
  • Limit Access to Sensitive Data: Only allow authorized personnel to access sensitive information, reducing the risk of accidental or intentional leaks.
  • Implement Emergency Verification Procedures: Develop a clear process for verifying urgent data requests with higher management or legal teams.
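
The following Python example is added here and is not from the original article or from any company it mentions. It triages an inbound data request by combining the mail server's email authentication verdict with a callback and legal sign-off, showing that a request sent from a hacked agency mailbox passes DMARC and must still be held. The domains, phone numbers, directory, and function names are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample: an "emergency" request that passes SPF/DKIM/DMARC because
# it was sent from a real (compromised) agency mailbox. All names are placeholders.
SAMPLE_COMPROMISED = """\
From: Jane Doe <jdoe@police.example.gov>
To: legal@provider.example
Subject: EMERGENCY DATA REQUEST - imminent danger to life
Authentication-Results: mx.provider.example;
 spf=pass smtp.mailfrom=police.example.gov;
 dkim=pass header.d=police.example.gov;
 dmarc=pass header.from=police.example.gov

Please provide subscriber records immediately. Call me at 555-0100.
"""

# Assumption: only verdicts stamped by our own receiving mail server are trusted.
TRUSTED_AUTHSERV = "mx.provider.example"
# Hypothetical directory built by the legal team from independent sources,
# never from contact details supplied in the request itself.
AGENCY_DIRECTORY = {"police.example.gov": "+1-555-0199"}

def auth_results(msg):
    """Return e.g. {'spf': 'pass', ...} from our own Authentication-Results."""
    header = str(msg.get("Authentication-Results", "")).strip()
    if not header.startswith(TRUSTED_AUTHSERV + ";"):
        return {}
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def triage(raw, callback_confirmed=False, legal_approved=False):
    """Decide what may happen with an inbound data request."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = auth_results(msg)
    domain = msg["From"].addresses[0].domain.lower()
    if results.get("dmarc") != "pass":
        return "reject: sender domain failed email authentication"
    if domain not in AGENCY_DIRECTORY:
        return "hold: agency not in verified directory"
    # A DMARC pass only proves the mail came through the agency's systems;
    # a hijacked mailbox passes too, so a human callback is still required.
    if not callback_confirmed:
        return f"hold: call back {AGENCY_DIRECTORY[domain]} before disclosing"
    if not legal_approved:
        return "hold: awaiting legal sign-off"
    return "release: verified out of band and approved"
```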

Staying Safe as Individuals

While this phishing scam predominantly targets large tech companies, individuals should remain vigilant. Here are steps you can take to safeguard your personal information:

  • Double-Check Email Addresses and Links: Always scrutinize sender information and verify links before clicking.
  • Enable Two-Factor Authentication (2FA): Add an extra layer of security for sensitive accounts by enabling 2FA.
  • Stay Informed on Phishing Scams: Keep updated on the latest phishing tactics to recognize potential threats.
  • Verify Suspicious Requests: If you receive an unexpected email requesting sensitive information, confirm its legitimacy through official channels.