Because of this, almost all companies have something that hackers would like to get their hands on. Whether it’s for resale, harassment, or simply entertainment, all businesses are now potential targets for data theft.

Fake emergency data requests are often used for this purpose. So, what are emergency data requests, and how are hackers using them?

What Are Emergency Data Requests?

An emergency data request is what the government uses when they want to retrieve information from a private company. These requests are legitimate legal notices sent out by police departments around the country.

Most businesses have received them and are legally obliged to respond to them. While privacy laws prevent personal information from being released in other circumstances, companies have no choice when served with a warrant, making this an attractive technique for hackers to use.

How Are Hackers Using Fake “Emergency Data Requests”?

The problem with emergency data requests is that they aren’t necessarily difficult to fake. Most businesses are also not staffed by legal experts.

The recipient will simply look at where the request came from. If it appears to be from a police department, they will often provide the requested information.

Because of this, hackers are now sending fake emergency data requests to any business they want to steal information from.

Email addresses can be spoofed, but this method is so effective that many hackers are going further. They are hacking into police departments and then using the police servers to send out data requests. These requests look legitimate because they are legitimate.

The problem escalates because police department networks aren’t always as secure as people would like. Hackers can send data requests from any police department, including small departments with limited IT resources.

Why Are Fake Emergency Data Requests So Effective?

Fake emergency data requests are highly effective. It’s also easy to understand why a business would comply with one. There are serious legal repercussions to ignoring a valid request. Most companies also aren’t aware of the scam, so they have no reason to suspect that they are talking to anybody except the police.

Like many scams, fake emergency data requests also rely on the victim feeling a sense of urgency. The requests often include a note which states that the person being investigated is a serious threat and may cause harm to others. This encourages the victim to comply with the request even if they are suspicious of its origins.

What Are the Consequences of These Scams?

Usually, businesses that fall for these scams aren’t prosecuted, as they didn’t release confidential information voluntarily and were instead obeying what they believed to be a lawful request.

However, the primary victims of this scam are the owners of the personal information that has been released. Depending on the type of data released, they can suffer identity theft, online harassment, and possible account hijacking.

The reputation of a business can also suffer if a successful attack is made public. The person whose data got stolen is unlikely to care how it happened.

What Is the Government Doing to Prevent Fake EDRs?

This type of attack is becoming so common that the government is attempting to pass a bill that would require all emergency data requests to be digitally signed. The scam is possible because these notices are easy to replicate. This would potentially make any request easier to verify.

Apart from the fact that it hasn’t been implemented yet, the problem with this approach is that businesses would still need to be aware of the new law. Digital signatures aren’t beneficial if nobody is looking for them.

Another potential solution is to require all emergency data requests to be sent from a single governing body. By keeping everything in one department, it would be much easier to enforce strong security standards and prevent unauthorized access.

The problem with this approach is that it would cause a significant delay whenever a police officer wants to send such a request for a legitimate purpose. Given the importance of these notices and the fact that urgency is often genuinely present, this may not be an acceptable solution either.

How to Protect Against Fake Emergency Data Requests

Rather than relying on legislation that hasn’t been passed yet, businesses should be doing their best to protect themselves. They can stay safe by following these two preventive measures:

Read All Requests Carefully

Fake emergency data requests vary widely in terms of quality. If you receive an EDR, always look for errors. The email address is the obvious place. Check for minor spelling variations which would indicate email spoofing.

If you’ve received genuine emergency data requests in the past, compare them. Look for strange phrasing which may indicate that a non-native speaker wrote the email. Also, check for formatting errors or a poor-quality logo that may be a result of Photoshop.

Contact the Relevant Department

Anyone sending an EDR has to include their name and their place of work. Contact their department directly and make sure that somebody there actually made the request. This stops the scam immediately.

The problem is that many businesses automatically assume that the request is valid and see no reason to do so. It’s important to note that attackers are aware of this possibility and will include their own contact details. Therefore, you need to search online and find the contact details yourself.

Businesses Should Take This Threat Seriously

Many online scams don’t attract government attention. The fact that government officials are now discussing fake EDRs is a strong indication of their ability to cause harm.

Any business in possession of private information, which is now almost all businesses, should therefore be aware of the problem and act accordingly when an EDR is received. Doing so requires patience and may seem unnecessary, but it’s the only way to avoid falling for this scam.