
Understanding the Threat of Law Enforcement Email Compromise (LEEC) and How to Safeguard Against It

Business Email Compromise (BEC) is a financially motivated crime in which attackers use phishing, domain spoofing, and email account takeover to trick employees into transferring money or revealing sensitive information. For example, an attacker might spoof or take over a CEO's email account and instruct employees to make a large purchase or wire funds.

The primary risks of BEC for companies are financial loss and operational disruption. A related threat, however, now demands attention: Law Enforcement Email Compromise (LEEC).

Law enforcement email accounts are compromised every day. One reason is the vast amount of personal information available about individual investigators from social media platforms, law enforcement agency websites, online services, and other miscellaneous websites. Some of this information is publicly available, but if even one of these sites experiences a data breach, additional data about individuals in law enforcement can be exposed. 

For example, if a law enforcement officer's work email address appears in a data breach, an attacker can search for this individual on Google, Facebook, or LinkedIn to gather additional details such as name, appearance, interests, and social connections. This information helps the attacker build a convincing persona for social engineering attacks.

They might send phishing links to the individual's family members in the hope that they share passwords, or they might try old passwords exposed in other data breaches in a credential-stuffing login attempt. If the officer does not have multi-factor authentication (MFA) enabled on their work email or other professional accounts, the chances that an attacker gains access are significantly higher. Once inside, the attacker impersonates the officer to send legal requests to companies like Meta or Google, aiming to victimize, threaten, intimidate, compromise, or otherwise harm people who use those services.

Our Global Threat Intelligence Team is uniquely positioned to monitor and track LEECs, notifying and protecting every company on the Kodex platform from fraudulent requests. We recently published a white paper on the growing threat of fake Emergency Data Requests (EDRs), the threat actors behind them, and how we detect them. You can download it here.

We also share select threat intelligence and trends in a monthly newsletter, which you can subscribe to here.

New Threat, New Terminology

As with attacks on companies, attackers target law enforcement for credentials, sensitive information in case files, and other data, either for their own use or to sell to someone else. And as with BEC, stolen law enforcement email addresses can be fed into credential-stuffing attacks to gain access to individual email accounts.

However, LEEC differs from BEC in two key ways. First, LEEC exploits public trust in law enforcement. A compromised account lets an attacker impersonate a police officer or investigator, lending their requests an appearance of authenticity that helps them social engineer businesses through weaknesses in legacy law enforcement data request processes and tools. In this way the attacker obtains the same kind of information a corporate breach would yield and uses it against members of the public through swatting, extortion, harassment, and intimidation.

Kodex customers benefit from herd immunity thanks to advance warnings from our global signals intelligence (SIGINT) network and information shared by other companies on our platform. When we detect a compromised law enforcement domain, every Kodex customer is notified, and all law enforcement accounts associated with that domain are suspended until they complete a multi-phase re-verification process with our team.

Second, LEEC directly impacts public safety. When law enforcement email accounts are compromised, operations, records management, and data handling are disrupted, diverting attention and resources from other priorities. Once communication channels are compromised, for example, it is much harder for an agency to coordinate the critical activities that protect its community.


Tips for Spotting Law Enforcement Email Compromise 

Cybersecurity and IT personnel at law enforcement agencies should watch for the following red flags:

  • Suspiciously Deleted Emails: Monitor for unusual deletion patterns.
  • Unauthorized Password Changes: Confirm password changes with the account owner.
  • Unrecognized Devices: Track logins to the agency’s email and network from unknown devices. Consider limiting access to systems, data, or functionality until new devices are verified with the account owner.
  • Employee Reports: Educate personnel on the risks and common tactics used in social engineering, including shared or reused passwords. Give them an easy way to report suspicious communications to your IT or cybersecurity staff, and train them on that process; these reports are often the first signal that an account has been targeted or compromised.
  • IP Mismatch: Monitor for (and limit) logins from IP addresses outside the agency's usual networks or locations.
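The red flags above (deletion bursts, unverified password changes, unrecognized devices, and logins from unexpected networks) can be expressed as simple rules over mailbox audit logs. The script below is an added example written for this page, not Kodex's own detection code or any vendor's product; it assumes a hypothetical JSON-lines audit log format, a constructed per-user baseline of verified devices and agency IP ranges (RFC 5737 documentation addresses), and illustrative thresholds, all of which a real deployment would take from its mail platform and identity provider instead.

```python
"""Heuristic LEEC red-flag detection over constructed mailbox audit events."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline (assumption): agency networks and devices already
# verified with each account owner. Real values would come from the IdP/MDM.
AGENCY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3
KNOWN_DEVICES = {
    "jdoe": {"dev-laptop-01", "dev-phone-02"},
    "asmith": {"dev-laptop-03"},
}

# Illustrative thresholds for a deletion burst (assumption).
DELETE_THRESHOLD = 5
DELETE_WINDOW = timedelta(minutes=10)

# Constructed audit log (one JSON object per line); not from any real system.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00", "user": "jdoe", "event": "login", "ip": "203.0.113.25", "device": "dev-laptop-01"}
{"ts": "2024-05-01T08:05:00", "user": "jdoe", "event": "mail_delete", "ip": "203.0.113.25", "device": "dev-laptop-01"}
{"ts": "2024-05-01T09:00:00", "user": "asmith", "event": "login", "ip": "203.0.113.40", "device": "dev-laptop-03"}
{"ts": "2024-05-01T09:01:00", "user": "asmith", "event": "mail_delete", "ip": "203.0.113.40", "device": "dev-laptop-03"}
{"ts": "2024-05-01T09:02:00", "user": "asmith", "event": "mail_delete", "ip": "203.0.113.40", "device": "dev-laptop-03"}
{"ts": "2024-05-01T09:03:00", "user": "asmith", "event": "mail_delete", "ip": "203.0.113.40", "device": "dev-laptop-03"}
{"ts": "2024-05-01T22:10:00", "user": "jdoe", "event": "login", "ip": "198.51.100.77", "device": "dev-unknown-9"}
{"ts": "2024-05-01T22:11:00", "user": "jdoe", "event": "password_change", "ip": "198.51.100.77", "device": "dev-unknown-9"}
{"ts": "2024-05-01T22:12:00", "user": "jdoe", "event": "mail_delete", "ip": "198.51.100.77", "device": "dev-unknown-9"}
{"ts": "2024-05-01T22:13:00", "user": "jdoe", "event": "mail_delete", "ip": "198.51.100.77", "device": "dev-unknown-9"}
{"ts": "2024-05-01T22:14:00", "user": "jdoe", "event": "mail_delete", "ip": "198.51.100.77", "device": "dev-unknown-9"}
{"ts": "2024-05-01T22:15:00", "user": "jdoe", "event": "mail_delete", "ip": "198.51.100.77", "device": "dev-unknown-9"}
{"ts": "2024-05-01T22:16:00", "user": "jdoe", "event": "mail_delete", "ip": "198.51.100.77", "device": "dev-unknown-9"}
"""


def parse_events(text):
    """Parse JSON-lines audit events, converting timestamps to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def ip_is_known(ip):
    """True if the address falls inside one of the agency's verified networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AGENCY_NETWORKS)


def detect(events):
    """Return (timestamp, user, rule, detail) alerts for the red flags above."""
    alerts = []
    recent_deletes = defaultdict(deque)  # per-user sliding window of delete times
    for e in sorted(events, key=lambda x: x["ts"]):
        user, kind = e["user"], e["event"]
        device_known = e["device"] in KNOWN_DEVICES.get(user, set())
        if kind == "login":
            if not device_known:
                alerts.append((e["ts"], user, "unrecognized_device", e["device"]))
            if not ip_is_known(e["ip"]):
                alerts.append((e["ts"], user, "ip_mismatch", e["ip"]))
        elif kind == "password_change":
            # A change from an unverified device or outside agency networks is
            # treated as unauthorized until confirmed with the account owner.
            if not device_known or not ip_is_known(e["ip"]):
                alerts.append((e["ts"], user, "unverified_password_change", e["ip"]))
        elif kind == "mail_delete":
            window = recent_deletes[user]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > DELETE_WINDOW:
                window.popleft()  # drop deletes older than the window
            if len(window) >= DELETE_THRESHOLD:
                alerts.append((e["ts"], user, "delete_burst",
                               f"{len(window)} deletions within {DELETE_WINDOW}"))
                window.clear()  # one alert per burst, not one per extra delete
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user:8} {rule:28} {detail}")
```

Run against the constructed log, the rules stay silent for asmith's three deletions from a verified device on the agency network and raise four alerts for jdoe: the late-night login from an unknown device and an outside address, the password change that immediately follows it, and the deletion burst that follows that. The ordering matters in practice: a password change or deletion burst minutes after a new-device login is a far stronger signal than any one of those events on its own, so an analyst would correlate them before contacting the account owner through a channel other than the mailbox in question.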

Tips for Preventing Law Enforcement Email Compromise  

By taking the following precautions, law enforcement agencies can strengthen their email security and defend against LEEC attacks: 

  • Password Security: The most important characteristic of a strong password is its uniqueness, meaning it’s not used for multiple accounts or services. Password managers are a helpful tool for creating and storing strong, unique passwords for all your online accounts. Additionally, password changes for law enforcement systems and email accounts should require approvals from IT to ensure they’re only made by authorized personnel.  
  • Multi-Factor Authentication (MFA): Enforce MFA on every account, and avoid email, SMS, or voice-call codes, which can be intercepted or obtained through SIM swapping and social engineering. Authenticator apps such as Duo Security or Google Authenticator are better; phishing-resistant methods such as FIDO2 hardware security keys (for example, YubiKey) or platform authenticators like Apple's Touch ID used with passkeys add further protection.
  • Account Management: Unused or expired accounts are no longer watched by their original owners, which makes them attractive entry points for threat actors. Review accounts regularly and disable or delete those that are no longer needed.
  • Data Retention: Retain logs of account logins, system access, and database changes; they provide critical signals for detecting a compromise and support the incident response team's subsequent investigation.

Ultimately, the most significant consequence of LEEC is not just the disruption of law enforcement operations: it is also a serious risk for businesses. Companies carry a dual obligation to assist with public safety by complying with lawful data requests while preserving individual privacy and meeting data protection regulations, and that is no easy task. It often requires trade-offs based on legal requirements and company values, with the underlying need to ensure that the person requesting any personal data is truly who they say they are, because if you are not using trusted verification procedures like Kodex, it is hard to be sure.