By admin 
Phishing emails are one of the most common tricks scammers use, but if you pay close attention they are usually easy to intercept. Clumsy grammar, random details, and most importantly, an unofficial email address are dead giveaways. For example, you may receive an email stating that your Apple ID has been disabled, but the sender email is not actually from Apple. However, now scammers are finding ways to get around this.
According to the FBI, there has been a recent increase in cybercrime services using hacked police and government email accounts to send fake subpoenas and data requests to US technology companies.
I’m giving away a gift voucher worth €500 for the holidays
Come in by to register for my free newsletter!
Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)
What you need to know
The FBI has seen a spike in posts on criminal forums about requests for emergency data and stolen email data from law enforcement and government agencies. Cybercriminals are breaching compromised U.S. and foreign government email accounts and using them to send fake emergency data requests to U.S.-based companies, exposing customer data for further misuse in other crimes.
In August 2024, a popular cybercriminal advertised on an online forum “high-quality .gov emails” for sale, intended for espionage, social engineering, data extortion, emergency data requests, and more. The list even included US credentials, and the seller claimed they could guide buyers through emergency data requests and even sell real stolen subpoena documents to help them pose as law enforcement.
Another cybercriminal boasted of possessing government emails from more than 25 countries. They claimed that anyone can use these emails to send a subpoena to a tech company and gain access to usernames, emails, phone numbers and other personal customer information. Some scammers are even hosting a “masterclass” on how to create and submit their own emergency data requests to retrieve data from any social media account, charging $100 for the full overview.
Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)
WINDOWS FLAW ALLOWS HACKERS TO CUT YOUR PC VIA WI-FI
How this phishing scam works
When law enforcement officials, whether federal, state or local, want information about someone’s account with a technology company, such as their email address or other account information, they typically need a warrant, subpoena or court order. When a tech company receives one of these requests from an official email address, it is obligated to comply. So if a scammer gains access to a government email, he can forge a subpoena and obtain information on virtually anyone.
To bypass verification, scammers often send emergency requests for data, claiming that someone’s life is in danger and that the data is urgently needed. Because companies do not want to delay in the event of an actual emergency, they are allowed to hand over the information even if the request turns out to be false. By portraying it as a life or death situation, scammers make it harder for companies to take the time to verify the request.
For example, the FBI reported that earlier this year a known cybercriminal posted photos to an online forum of a fake emergency data request he had sent to PayPal. The scammer tried to make it look legitimate by using a fraudulent mutual legal assistance treaty, claiming it was part of a local child trafficking investigation, complete with a case number and legal code for verification. However, PayPal acknowledged that it was not a real law enforcement request and denied it.
Illustration of a person receiving a phishing email (Kurt “CyberGuy” Knutsson)
CYBERSCAMMERS USE AI TO MANIPULATE GOOGLE SEARCH RESULTS
What can companies do to avoid falling for this phishing scam?
1) Check all data requests: Before sharing sensitive information, companies must verify every data request, even if it looks legitimate. Establish a protocol for acknowledging requests directly with the agency or organization that supposedly sent them.
2) Improve email security: Use email authentication protocols such as DMARC, SPF, and DKIM to block emails from unauthorized sources. Implement anti-phishing filters to detect suspicious content in messages.
3) Train employees on phishing awareness: Regular phishing training sessions can help employees recognize warning signs, such as urgent language, unusual requests, or emails from unknown addresses. Employees should be encouraged to report suspicious emails.
4) Limit access to sensitive data: Limit who can view or share sensitive customer data. Fewer people with access means fewer chances of accidental or intentional data breaches.
5) Implement emergency verification procedures: Ensure a clear verification process for ’emergency’ data requests, including double-checking steps with senior management or legal teams before responding to an urgent request for customer information.
Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)
Do you have to do something?
This particular phishing scam mainly targets big tech companies, so there’s not much you can do directly. However, it’s a reminder that you shouldn’t automatically trust an email, even if it comes from a .gov address. Here are some steps you can take to stay safe.
1) Double-check email addresses and links: Even if an email looks official, take a moment to check the sender’s email address and hover over the links to see where they actually lead. Be careful if something is wrong. The best way to protect yourself from malicious links is to install antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware attacks, keeping your personal data and digital assets safe. Discover my picks for the best antivirus protection winners of 2024 for your Windows, Mac, Android, and iOS devices.
2) Enable two-factor authentication (2FA): Usage 2FA for all sensitive accounts. This extra layer of security helps protect you even if your credentials are compromised.
3) Stay informed about phishing attacks: Keep an eye on the latest phishing tactics so you know what to look out for. Regular updates help you spot new types of scams before they affect you.
4) Verify suspicious requests: If you receive an unexpected email requesting sensitive information, please contact the sender directly through an official channel to confirm the request.
Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)
DON’T LET NEARBY SNOOPS LISTEN TO YOUR VOICEMAIL WITH THIS QUICK TIP
Kurt’s most important takeaway
Scammers are taking phishing emails to a whole new level. I often recommend checking the email carefully when you receive something suspicious to see if it is legitimate. But now that scammers have access to even government emails, you need to be extra careful. This phishing scam seems to mainly target big tech companies, so it’s up to them to strengthen their security and thoroughly verify each request before sharing user information. It is also up to governments around the world to protect their digital assets from compromise.
What is your position on the way governments handle cybersecurity? Are they doing enough to protect sensitive data? Let us know by writing to us at Cyberguy.com/Contact.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report newsletter by visiting Cyberguy.com/Newsletter.
Ask Kurt a question or let us know which stories you would like us to cover.
Follow Kurt on his social channels:
Answers to the most frequently asked CyberGuy questions:
New from Kurt:
Copyright 2024 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that make lives better through his contributions to Fox News and FOX Business from mornings on “FOX & Friends.” Do you have a technical question? Get Kurt’s free CyberGuy newsletter, share your vote, a story idea or comment CyberGuy.com.