The FBI has issued a public warning about a growing cybersecurity threat in which hackers target government and police email accounts to make fraudulent “emergency data requests” that steal sensitive information.
These requests are designed to circumvent normal procedures for accessing confidential data by appearing urgent, often claiming lives are at risk or alleging serious threats like human trafficking. While such scams have existed for some time, there has been a notable uptick in these attacks since August 2024, as hackers exploit government email systems to bypass traditional security measures.
Hackers have been selling stolen government email addresses and related data on online forums, where they offer high-quality email addresses and detailed instructions for using this information to commit espionage or fraud.
In one instance, a hacker sold government emails along with real subpoena documents, which could be used to create legitimate-looking requests for sensitive data. This allows criminals to pose as government officials and demand data from companies without the legal paperwork, such as court orders or subpoenas, that is usually required.
The process of making emergency data requests typically involves scenarios where lives are at risk, such as in cases of missing persons or imminent threats to safety. The urgency of these requests means companies are less likely to scrutinize them fully, creating an opportunity for hackers to exploit the system.
Hackers have invented various emergencies, including false claims of child trafficking, to pressure companies into sharing user data without proper verification. While some companies, like PayPal, have successfully detected and rejected these fake requests, many others have fallen victim to the scam.
The consequences of these fraudulent requests are far-reaching, as they can lead to significant data breaches. Stolen information is often used for phishing scams, financial fraud, and identity theft.
The scale of the risk is magnified by the involvement of major tech companies like Meta, Google, Apple, and Snap, which collectively handle vast amounts of data and are frequent targets of such attacks. The FBI is concerned about the vulnerability of these companies and the potential for widespread harm to individuals whose personal information may be exposed.
To mitigate the risk, the FBI has recommended two key actions for companies. First, they must enhance their cybersecurity measures to prevent unauthorized access to sensitive information.
Second, companies should exercise caution and apply critical thinking when processing emergency data requests, particularly those that lack sufficient verification. This advice comes against a backdrop of increasing sophistication in cybercriminal tactics, and the FBI urges companies to stay vigilant to protect user data from exploitation.