In a recent advisory, the FBI warned US-based tech companies about a rising cybercriminal tactic involving fraudulent “emergency data requests” (EDRs), aimed at accessing sensitive user data without the typical legal protocols. The advisory, first reported by PCMag, highlights how hackers are exploiting government and law enforcement email accounts to submit fake EDRs, prompting tech companies to unknowingly release user information.

EDRs are normally reserved for urgent situations, allowing law enforcement to bypass a warrant. Cybercriminals have found ways to reliably forge these requests by hijacking official government email accounts, making the requests appear legitimate to targeted companies. Citing recent increases in online discussions about this method, the FBI noted a marked “uptick” in this activity around August, as hackers circulated detailed instructions for creating fake EDRs across online forums.

One known group that had previously exploited this tactic is Lapsus$, a hacking collective that targeted companies like Apple and Meta by submitting phony data requests.

A cybercriminal boasted on an online forum that they could provide access to “High Quality .gov emails” and “guide a buyer through emergency data requests” for a fee. This tactic is cost-effective, with the average service priced as low as $100, allowing individuals to access user data without a sophisticated setup.

Cybercriminals exploit the urgency inherent to EDRs to avoid scrutiny on their requests, often citing grave, fabricated scenarios, such as claims of human trafficking or imminent threats to people’s safety. Such claims pressure companies into responding quickly, resulting in hackers obtaining private data like emails, phone numbers, and IP addresses.

To mitigate these risks, the FBI advises organizations to scrutinize incoming EDRs carefully, checking for telltale signs of forgery, such as tampered logos or signatures and unusual language that may not align with official legal codes. Strengthening email security with multi-factor authentication and complex passwords is also recommended to government employees to prevent cybercriminals from hijacking their accounts.