The FBI has issued an alert to warn US-based companies and law enforcement agencies that threat actors are sending fake emergency data requests with the goal of harvesting personally identifiable information (PII).
An emergency data request enables law enforcement agencies to obtain information from online service providers in emergency situations, when there is no time to get a subpoena.
Emergency data requests have been abused by Lapsus$ and other threat actors in the past, and the FBI has now observed a spike in cybercrime forum posts discussing the process of submitting emergency data requests.
“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” the FBI’s alert (PDF) reads.
In August, the agency says, a known cybercriminal offered for sale on an online forum a set of .gov email addresses, including US credentials, claiming they could be used for espionage, social engineering, extortion, and data requests.
The threat actor was also offering guidance on how these addresses could be abused for emergency data requests and offered to sell real stolen subpoena documents, enabling other cybercriminals to pose as law enforcement officers.
According to the FBI, another threat actor announced in a March 2024 forum post that they were in possession of government email addresses from 25 countries that could be used for fake subpoenas to obtain emails, usernames, phone numbers, and other information.
The same month, another threat actor boasted on an online forum about having sent a fraudulent request to PayPal to obtain confidential information. PayPal determined that the request was a fraudulent Mutual Legal Assistance Treaty (MLAT) request and ultimately denied it.
Last year, cybercriminals explained in forum posts how .gov email addresses could be used to send fraudulent emergency data requests and obtain information usable in other attacks, and offered for sale instructions on using such requests to obtain information on social media accounts.
Organizations that receive emergency data requests should maintain close relationships with the FBI, update their incident response and communication plans, and implement proactive approaches to mitigate risks.
The FBI also advises organizations to implement security best practices to improve their security posture, including reviewing the security posture of third-party vendors, implementing strong password protocols and MFA, performing assessments of user accounts and domain controllers, implementing time-based access for administrator accounts, limiting and monitoring access to internal resources through remote services, segmenting networks, and implementing vulnerability management programs.
“Cybercriminals understand the need for exigency, and use it to their advantage to shortcut the necessary analysis of the emergency data request. FBI recommends reviewers pay close attention to doctored images such as signatures or logos applied to the document. In addition, FBI recommends looking at the legal codes referenced in the emergency data request, as they should match what would be expected from the originating authority,” the FBI notes.
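The checks the FBI describes (the cited legal authority must match what the originating agency is expected to cite, and a legitimate-looking government sender is not proof of a legitimate request) can be written down as an intake step. This is an added example, not code from the FBI alert or from the article; the agency directory, callback contact and statute names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder data (not real agencies, contacts or statutes):
# the legal authority each known requesting agency is expected to cite, and
# the verification contact recorded when the relationship was established.
KNOWN_AGENCIES = {
    "police.example.gov": {
        "cites": {"EXAMPLE-EMERGENCY-STATUTE-1"},
        "callback": "+1-555-0100 (duty desk, from our own directory)",
    },
}

@dataclass
class EDR:
    sender: str               # From: address as received
    claimed_agency: str       # agency domain named on the letterhead
    cited_authority: str      # legal code quoted in the request
    callback_in_request: str  # contact the requester asks us to use

@dataclass
class Triage:
    decision: str              # reject / escalate_to_legal / hold_for_verification
    callback: Optional[str]    # always from our directory, never from the request
    findings: list = field(default_factory=list)

def triage(req: EDR) -> Triage:
    """Screen an inbound EDR; data is never released by this step alone."""
    findings = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    agency = KNOWN_AGENCIES.get(domain)
    if domain != req.claimed_agency.lower():
        findings.append("sender domain does not match the agency on the letterhead")
    if agency is None:
        findings.append(f"no established relationship with {domain}")
        return Triage("escalate_to_legal", None, findings)
    if req.cited_authority not in agency["cites"]:
        findings.append(f"cited authority {req.cited_authority!r} is not what {domain} is expected to cite")
    if req.callback_in_request != agency["callback"]:
        findings.append("callback in request differs from our directory; directory contact will be used")
    if any(f.startswith(("sender domain", "cited authority")) for f in findings):
        return Triage("reject", None, findings)
    # A clean-looking request from a known .gov sender still gets an out-of-band
    # call to the directory contact: the mailbox itself may be compromised.
    return Triage("hold_for_verification", agency["callback"], findings)
```

The urgency claim in the request is deliberately not an input to the decision, since that is the lever the fraud relies on.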