FBI Alerts Companies About Fraudulent Emergency Data Requests

The FBI is alerting companies that cybercriminals are using compromised U.S. and foreign government email addresses to send fraudulent emergency data requests.

By sending these fraudulent requests to U.S.-based companies, the hackers are looking to gain access to the companies’ holdings of their customers’ personally identifying information (PII), the FBI said in a Nov. 4 Private Industry Notification.

“As of August 2024, FBI noted an uptick in criminal forum posts regarding conducting fraudulent emergency data requests and is releasing this notification for industry awareness,” the notification said.

It was reported in 2022 that hackers were using email accounts and websites associated with police departments and other government agencies to send unauthorized emergency data requests for healthcare patient data, saying the information couldn’t wait for a court order.

In the U.S., federal, state or local law enforcement agencies that want to obtain information about who owns an account at a social media firm or what internet addresses a specific cellphone account has used in the past must submit an official court-ordered warrant or subpoena.

In cases involving imminent harm or death, an investigating authority may make an emergency data request, which bypasses the official review process and doesn’t require the requestor to supply any court-approved documents.

Regarding another form of fraud, three federal agencies said in 2022 that criminals were using business email compromise (BEC) scams against small businesses to steal hundred-thousand-dollar food shipments.

Criminals are spoofing emails and domains to impersonate employees at real firms and then ordering shipments of food, not paying for them, repackaging them for individual sale and selling them, the FBI, the Food and Drug Administration Office of Criminal Investigations (FDA OCI) and the U.S. Department of Agriculture (USDA) said.

The agencies said that in examples of BEC scams, criminals placed orders using email addresses and websites that closely mimicked legitimate ones, with only an extra letter, a substitute character or a different top-level domain distinguishing them from those of a legitimate company — differences that can easily be overlooked by a supplier’s staff.

The FBI said in April that American consumers and businesses lost a record $12.5 billion last year to online scammers, marking a 22% spike in cybercrime over 2022.