The FBI warns that hackers are using fake police data requests to steal individuals' private information.
Fake data requests are being used to carry out phishing attacks.
Cybercriminals have begun using email addresses stolen from government agencies to impersonate authorities and send fraudulent emergency data requests to U.S. companies. The aim is to steal customers' personally identifiable information (PII), which can then be used in illicit activities such as phishing and identity theft. Experts have noted that this method has gained popularity since August 2023, prompting the FBI to issue a Private Industry Notification.
The FBI has also provided a series of recommended mitigation measures for companies to implement to protect personal information, ensuring that only authentic data requests are processed. Over the past year, the FBI has recorded a significant increase in posts on cybercriminal forums related to fraudulent data requests. This behavior originated when a user claimed to be able to teach others how to use these requests to obtain information about any social media account for a fee of $100.
Shortly after, another user discovered that by using a '.gov' email address, they could impersonate authorities and obtain more detailed information, which could be used to carry out phishing attacks. The fraudulent requests became more sophisticated and threatening over time, culminating in December 2023, when a user even posted a threat of harm or death towards a person if the data request was not processed and approved.
In March 2024, another cybercriminal submitted a Mutual Legal Assistance Treaty (MLAT) request to PayPal, using details from a human trafficking investigation to appear legitimate. However, PayPal rejected the request. Later, in August 2024, "high-quality .gov emails for espionage/social engineering/data extortion/data requests" were offered for sale, which could be used to obtain private information from customers, including names, email addresses, phone numbers, and other personal data.
The FBI advises companies to carefully verify the security of their connections with any third parties they interact with and to remain vigilant for emergency data requests that emphasize urgency. It also recommends reviewing every detail of a request for inconsistencies or signs of manipulation.