"FBI" called our IT Service Desk Hotline
Posted by caffeinated_disaster@reddit | sysadmin | 404 comments
I work as a Service Desk employee at a financial company and received a strange call from someone claiming to be from the FBI. He stated that he needed to contact our legal team to report a "computer network intrusion" because someone is trying to hack the company's network.
He provided his name, contact number, and an email address ending in "@fbi.gov" (I forgot to ask for his badge number, but I doubt he would have been willing to provide it). My colleagues are convinced it's a scam, but I still passed the details to my manager. I only got a simple "OK" reply—he probably thinks it's a scam too.
Should I let it go or forward the details directly to our legal team's email, just to be sure? I tried looking this agent up, and he has a LinkedIn profile claiming he works for the FBI. I know it's easy to create a LinkedIn profile and say you work for the FBI. Lol!
PercentagePrize5900@reddit
1. Ask what office he is calling from.
2. Call the office and ask if so and so is working on such and such case.
Optional: Place them on hold in between.
calisai@reddit
Worked for an ISP a decade ago and had some dealings with a few agents. They are generally pretty understanding and you can normally call your local field office (not using the number they provide, but looking it up on your own) and have them route the call to the agent.
That said, probably should go through legal anyway, especially in a larger organization.
Creative-Dust5701@reddit
They will show up with a warrant and, if you are really unlucky, a ‘National Security Letter’. Don’t ask about that one. You are never allowed to discuss having seen one; if you do, the penalties are severe.
wild-hectare@reddit
you'll know it's the actual FBI when they show up with warrants...been there, done that
SilentSamurai@reddit
I haven't considered how the FBI would legitimately get in contact with your business if they needed to, besides a phone call or physically showing up.
I'd just reach out to your local bureau with a phone call and just confirm it was a scam for peace of mind. They'll probably appreciate knowing if someone is trying to masquerade as a legitimate officer anyways.
https://www.fbi.gov/contact-us
doooglasss@reddit
I’ve had gov agencies call my cell phone when I am not an officer of the company.
Pretty sure they have the means to find contact info of any person they want.
OP, I usually would request an email from the person contacting me to verify who they are. Check the header to confirm it’s not spoofed. If they aren’t asking for access to systems or any other information, the call is likely something you want to take seriously.
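An added example, not from this comment or anywhere else on the page: a Python check that reads the Authentication-Results header our own mail server stamps on an inbound message (RFC 8601) and reports whether SPF, DKIM and DMARC actually passed and aligned with the fbi.gov From address. The MTA name `mx.corp.example` and both sample messages are constructed; only the header added by your own server counts, because a sender can include any header it likes, including a forged "pass".

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the authserv-id our own inbound MTA writes into Authentication-Results.
TRUSTED_AUTHSERV = "mx.corp.example"

# Constructed sample: SPF, DKIM and DMARC all pass and align with the From domain.
SAMPLE_AUTHENTICATED = """\
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=fbi.gov;
 dkim=pass header.d=fbi.gov header.s=selector1;
 dmarc=pass header.from=fbi.gov
From: "Agent Placeholder" <agent.placeholder@fbi.gov>
Subject: Computer network intrusion notification
"""

# Constructed sample: the sender forged its own 'pass' Authentication-Results
# header, but the header our MTA added records SPF and DMARC failures, and the
# Reply-To steers replies to an unrelated domain.
SAMPLE_SPOOFED = """\
Authentication-Results: mail.attacker.example; spf=pass smtp.mailfrom=fbi.gov; dkim=pass header.d=fbi.gov; dmarc=pass header.from=fbi.gov
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=fbi.gov;
 dkim=none;
 dmarc=fail header.from=fbi.gov
From: "Agent Placeholder" <agent.placeholder@fbi.gov>
Reply-To: <casefile@fbi-case-intake.example>
Subject: Computer network intrusion notification
"""


def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv_id, {method: (result, props)}).

    Example input: 'mx.corp.example; spf=pass smtp.mailfrom=fbi.gov; dmarc=pass header.from=fbi.gov'
    """
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    authserv_id = clauses[0].split()[0].lower()  # an optional version number may follow
    methods = {}
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:
            key, sep, val = token.partition("=")
            if sep:  # skip bare words and comments
                props[key.lower()] = val.strip('"').lower()
        methods[method.lower()] = (result.lower(), props)
    return authserv_id, methods


def _domain(address):
    return address.rpartition("@")[2].lower()


def assess(raw_message, expected_domain="fbi.gov", trusted_authserv=TRUSTED_AUTHSERV):
    """Return a verdict plus the reasons the message could not be trusted.

    Alignment is checked strictly (exact domain match); relaxed DMARC alignment,
    which also accepts subdomains, is deliberately not implemented here.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    findings = []

    if from_domain != expected_domain:
        findings.append(f"From address is at {from_domain!r}, not {expected_domain!r}")

    # Only the Authentication-Results written by our own MTA counts; a sender can
    # prepend a forged one claiming 'pass' for everything.
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, methods = parse_auth_results(str(header))
        if authserv_id == trusted_authserv:
            results = methods
            break
    if not results:
        findings.append("no Authentication-Results header from our own mail server")
    else:
        checks = (("dmarc", "header.from"), ("dkim", "header.d"), ("spf", "smtp.mailfrom"))
        for method, domain_prop in checks:
            result, props = results.get(method, ("none", {}))
            if result != "pass" or props.get(domain_prop) != from_domain:
                findings.append(f"{method.upper()} {result} (domain {props.get(domain_prop, 'none')})")

    # A Reply-To at another domain redirects the conversation away from the claimed sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To points at {reply_to}")

    return {"from_domain": from_domain,
            "verdict": "authenticated" if not findings else "unverified",
            "findings": findings}
```

Even an "authenticated" verdict only proves the mail came from the domain's authorised infrastructure; the out-of-band callback to a field office number you looked up yourself is still the step that confirms the person.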
BloodFeastMan@reddit
When I was being interviewed for a security clearance decades ago, I was stunned at the speed at which they knew many things about my life.
Darkling5499@reddit
Same. When I did my TS/SCI paperwork, I gave them a NAME (this was years ago, PEAK cellphone tech was a Motorola Razr) and they found him in the middle of a packed mall during Christmas. They can and will find out EVERYTHING they possibly can about you.
It's also why every military recruiter says you can lie to MEPS, but do not lie to the marshals doing your clearance paperwork.
BlackSixDelta@reddit
When I was going for my DOE clearance I was told: do not even try to lie. If they ask you a question, they most likely know the answer already and are waiting to see if you will lie.
lanboy0@reddit
Also, almost anything can be worked around if you admit it to the investigators... Anything but a pattern of deception.
LisaQuinnYT@reddit
I was interviewed for a coworker's security clearance once. If I didn’t know what it was for, you’d think they suspected he was a spy/terrorist.
Ssakaa@reddit
It's easier to work from that side of the assumptions. If they approach it with that lean to it, and it makes someone suddenly shifty in their answers...
rednehb@reddit
Same lol. Coworker at least told us that we would all be getting a visit from the feds, and why, so it wasn't as crazy as it could have been when they showed up. MIB showing up out of nowhere like "Hi, you're First Last, correct? Do you know one First Last? Care to tell us about them?" is pretty unsettling haha.
crackle_and_hum@reddit
Seriously. I was really blown-away myself with just how much they had. Like, they actually KNEW who my 9th grade Algebra teacher was.
doooglasss@reddit
Oh yeah scary right? I had a TS-SCI for years. That company had very frequent trainings from our local FBI office as well. Taught me many security fundamentals early on in my career.
ms6615@reddit
Yeah I was gonna say if they are calling you on the phone it’s probably for something minor or at least very preliminary. If they really want to talk to someone they will send certified mail or a serve a subpoena, and if they REALLY REALLY wanna talk they show up with warrants in their hands.
doooglasss@reddit
This is not the case. Time is of the essence.
Gov contractor that’s local- yes they will show up.
I’ve also been contacted by the FBI while working for a privately owned business. They still call.
ForeignAwareness7040@reddit
Yes. This exact same thing happened last October to us in one of our offices because we had gotten hit by ransomware. Spent 2 weeks reimaging PCs. Veeam copies in the cloud saved our servers. Everything on our local servers had gotten encrypted. They first called and then someone came out to explain what they had seen happen the morning of the attack.
ms6615@reddit
I was agreeing with you lol
doooglasss@reddit
Didn’t mean to come off like that. I’ve been contacted for urgent matters that needed to be handled that moment. Not days later via USPS
Eli_eve@reddit
After the OPM breach a while back, it’s not just the FBI who know these things, unfortunately.
aeroverra@reddit
The best part about these is often they know more than me. I have to dig through emails and photos to figure out dates I moved, addresses I lived at, people I know in those areas. It's an all day project just to get the basics figured out.
Maybe that's just me though because I have moved every other year to different states and Territories for the last 10 years.
lanboy0@reddit
I look through my old investigation paperwork to get details of my life.
airforcematt@reddit
And that info isn't just something the government can access. Was interviewing a company to assist with brand protection a few years ago; a big part of their job would have been to take a store name from Amazon or eBay and find the person behind it.
Asked him to run my store name by one of his analysts without providing him my name; within a couple hours I had a PDF emailed to me that had my full name, social, every phone number I'd ever had, every address I'd ever lived at worldwide, co-workers and acquaintances I had long since forgotten about and their phone numbers and addresses, and a ton of other information. Even if he "cheated" and I gave him my name, it was a staggering amount of information.
CNYMetalHead@reddit
I said what back on MySpace? Are you sure it was me? And who said I was an ahole? I vaguely remember that name from elementary school
stackjr@reddit
Man, they asked me about a roommate that I had lived with before I joined the Navy and I still have no idea how they knew about that. I never changed my address, never had food delivered, we didn't have a computer (this was in 2002), and I only lived there for about 10 months.
MorpH2k@reddit
One thing to keep in mind is that you're the one who is applying for the clearance though, so they will have looked into you to find any issues before they even reach out. But yeah, they will probably know just about anything about you...
duane11583@reddit
yea i have gotten calls from Kazakhstan about random shit…
and other places about a package they could not deliver
identicalBadger@reddit
Forget asking for email and checking headers.
Ask them for a switchboard number that you can call and be routed to them, and verify that that phone number is on the FBIs website
Although really, if they’re providing an fbi.gov email address, that sounds pretty legit. Email them and continue the conversation there. If a threat actor has hacked the FBI's email server, they’re not going to waste the opportunity to scam small businesses.
Dry_Structure641@reddit
Just use the email. There is no way in hell that the domain name fbi.gov has been spoofed.
skilriki@reddit
You don’t ask the person on the phone for a number to call.
You look it up yourself, always.
identicalBadger@reddit
I said to verify it on the FBI's website.
I'm assuming that between HQ, branch offices, and everything else, there are plenty of numbers you could call that may eventually get to the agent, but some will likely take a lot longer to get there. Switchboards, menu prompts (press 1 for X), voice prompts ("I'm sorry I didn't understand you, did you if Bee Eye?" )
Easier to ask for their branch office number and verify that that number is on their site.
Ok-Hunt3000@reddit
“We’re in! ... We’re going to leverage this access to contact other people’s legal departments.” “But boss, that’s...” “Stupid? like a fox”
Jealous_Piece1215@reddit
For the love of god, JUST CALL THEM THROUGH A PUBLICLY AVAILABLE NUMBER.
juwisan@reddit
Personal info, yes; work info is a different beast. Your mobile phone number is assigned to you as a person. They’ll simply look this up in the carrier's database, to which they have access as a law enforcement agency. Your work phone is typically just one suffix in an entire number range assigned to the company, and the company decides who to assign this to. There’s no way for an external entity to know which suffix is assigned to which person or role, potentially not even which location.
robreddity@reddit
It's bullshit.
thisguy_right_here@reddit
I would take an OK as confirmation he read the email and is probably time poor. What more needs to be in the reply. OP has taken a message and relayed it.
OmNomCakes@reddit
Better yet, just so there's no second guessing, I'd personal and him an email and all him to reply.
dodexahedron@reddit
I... I think you lost some words or letters there. 🤔
derfy2@reddit
More like they 'OmNom'd the words ~~sorry~~
OmNomCakes@reddit
Jesus true. XD
dodexahedron@reddit
Your phone be like "It's EoB Friday. I'm OUT."
MorpH2k@reddit
Yes, but that would still require the people they are calling to actually answer the phone and believe that they are really from the FBI and not a scam. So, considering your colleagues' reactions to it, it might not be as easy for them as you think.
caffeinated_disaster@reddit (OP)
Our department number is all over the place because we're the first line of support especially when it comes to login issues of employees.
He claimed that he tried to reach out to the main number of our company but had no luck, so he tried our department's number.
I might do this for my peace of mind. Thanks!
MorpH2k@reddit
Well, if it's IT related, that would be my second number to call too if I had no luck at the main contact number. Honestly, if I found it, it would probably be my second number to call for contact info. They do probably manage the global address book after all...
rednehb@reddit
Imagine being the poor help desk soul that causes a company wide security training for giving out personal info to the feds.
FBI- gets in touch with whoever they were looking for, has convo, "btw, how do I get in touch with your CISO?"
"Hi CISO, about your security practices... poor help desk soul fucked up. Might want to up your game."
MorpH2k@reddit
Fair point, though I'd not consider a work number or email as personal information.
Ssakaa@reddit
Just because IT manages the GAL doesn't mean they're just handing out the contact info from it. It does hopefully mean they know it exists and how to use it though, so...
"I'll pass along your info and the number I dug up for your branch office's main line."
ChicagoSunroofParty@reddit
Potentially related to the recent plugx malware removal?
jam-and-Tea@reddit
that's what i was thinking but i thought that was for service providers to inform
HardestButt0n@reddit
That's the first thing that crossed my mind. I was a cyber security engineer and worked directly with the FBI for several years.
loguntiago@reddit
The FBI would call the company's owners or directors directly, wouldn't it? Did they cut their budget that much? 🤣
do_IT_withme@reddit
We had a homeland security agent show up at a medical facility we provided security for to let them know they had been hacked. The company asked him to wait in a conference room and left someone there to keep him company. They then called us and the police non-emergency number. The police confirmed the agent's identity. We met with the agent, and he let us know that a computer on the network had pinged a malicious server they were monitoring. We checked our tickets, and sure enough, we had a machine hit that site. Our endpoint security software had stopped the malicious processes, isolated the virus, and made sure it was clean.
No-Algae-7437@reddit
We recently had a similar contact, and the person went to great lengths to explain how we could validate their credentials. Unfortunately, the nature of the hack required that we not use email on our domain to communicate back to them until we had that validation. It was real, but an ordeal to find out it was real!
do_IT_withme@reddit
Validating someone's credentials can be difficult and time-consuming sometimes. But the agents usually understand and are patient. Having an agent show up can be stressful at first. We felt pretty good at the end of the encounter. The agent said he was impressed, and he said he hadn't seen anyone have a PC ping that server without being infected and our security was in the top 1%. It made the bosses happy, but not happy enough for a bonus.
rednehb@reddit
That's the best case Ontario right there. Props to the sec team.
isntwatchingthegame@reddit
What's the best case Saskatchewan though?
elevenfooteight@reddit
hairy, but friendly
iamadapperbastard@reddit
Checking in. I resemble that remark.
djacob205@reddit
Username checks out
Wildfire983@reddit
Albetcha it's New Bretter than Novthing Scatall.
ozzie286@reddit
Princely work
ITguydoingITthings@reddit
And everyone just forgets Alberta exists.
jovenitto@reddit
talesfromautocorrect
MEXRFW@reddit
Ugghh Ontario. Always smells like cow poop
Ok-Pickleing@reddit
Its Not rocket appliances
crazyjatt@reddit
At this point. It's all water under the fridge.
DEATHToboggan@reddit
Where there’s smoke there’s wire.
Teknikal_Domain@reddit
As compared to the best case Manitoba?
feelinggoodfeeling@reddit
this is the correct answer. i was in an airbnb and came home to find a note from an fbi agent on the door (there was a violent robbery in the neighborhood and they were asking to see the security camera footage on the house). i called the local office, asked if this dude was really FBI and they put me through to his phone and I ended up talking to him. its a very common thing and they were really normal about it.
Ssakaa@reddit
I suspect they prefer people checking. It a) alleviates a lot of the "should I take this person seriously" and b) means people helpfully call and let them know when someone's fraudulently claiming to be an agent (which they probably take very seriously).
tudorapo@reddit
When they came to my workplace they were with a local police officer, but I am not in a US jurisdiction.
Ssakaa@reddit
Ah, well, yeah, that'd change the situation drastically. Definitely a sign of a fun day lining up, with that, though...
random420x2@reddit
Worked for a company that had their phone switch hacked in the early 90s. 2 agents showed up on premises with badges and a ton of printed documentation and, I believe, a warrant; not sure why the warrant was needed. We had to leave the hacks in place for several months while they tried to run everything down. Then one day we got the go-ahead to purge every password in the system.
Ssakaa@reddit
If they're just passing along info it's not.
Ah. They were requesting data or access on some level to continue that investigation. Warrant is effectively necessary for that. While you can just voluntarily hand them data, if they ask for it, it can be construed as a search. To avoid any risk of that technicality, they want to walk into that situation with a warrant ready to go.
tauisgod@reddit
Several years ago our in house security department (physical security) forwarded me a call. The caller said he was FBI agent so and so from our local branch. He asked me to look up the local branch number and call the main line and ask for him.
It turned out to be legit. Due to a few years of rapid turnover and crap documentation an old and very unpatched CentOS VM was left in the DMZ and was being used as a botnet C&C server. After some quick asking around internally nobody knew what this VM was used for. I called back and asked if they needed any forensic data before we nuked it and closed up the DMZ. Nope, he already had all they needed.
Ssakaa@reddit
He probably wanted to send you cookies for thinking to ask that.
gpctexas@reddit
Our local FBI team shows up. We maintain a cooperative relationship and have periodic regional meetings with them.
bloodmoonslo@reddit
Same thing happened to me before and I did this. Local office was able to transfer me to the guy and it was totally legit.
Gunnilinux@reddit
I have dealt with the fbi and they come in person. Granted, I worked in government so they weren't far away, but it was always in person.
jrd2me@reddit
I have never had them show up in person, always call and then follow up with an email from their fbi.gov email
Gunnilinux@reddit
I worked in a state Capitol so capitol police probably coordinated the call/email for me. It was usually the same guys too, so we knew their faces and usually had a good idea when they would show up based on what was happening. Mostly bomb threats for us.
Commercial-Fun2767@reddit
Like this I heard
AnIrregularRegular@reddit
I work for a managed security company and can vouch that we have had multiple customers that got phone calls(normally the CISO) from FBI or CISA that they were compromised and needed to trigger incident response.
Beam_Me_Up77@reddit
I manage datacenters and have worked with the FBI a lot. I’ve never had them call or email first as they usually keep everything a secret until they’re there getting the evidence.
The FBI just shows up at your door with a warrant. Then you call legal and they come over and work with them and you do exactly as they say
Only-Dot2278@reddit
They showed up our door and requested information for a job we worked. Turns out the job was paid for by a company that was fraudulently charging medicare.
Alpizzle@reddit
100%. To verify someone's identity, it is best to go "out of band" and contact them through a known good method. Numbers, emails, all of that can be spoofed. The FBI field office phone number on the website is legit.
elgato123@reddit
The problem is the FBI does not answer field office phone numbers. Every number for the FBI goes to a call center and literally all they do is fill out a form.
Legitimate_Meet4038@reddit
When you call them, claim to be from the CIA so they take you seriously.
DGC_David@reddit
Yeah I was going to say, the very few times I dealt with the feds, they didn't call, they tend to just show up at your door.
Confirming it is definitely a good idea, either A you'll be the Phishing hero or B your company has got to deal with some feds.
rednehb@reddit
I used to answer the business line and got these calls like ~5 times a year at an old job. I'd just take down their info and email it to the CLO. They always felt legit to me, but it's not my place to deal with it so I had no idea what the outcomes were.
This was at one of the big vendors, though, so investigations involving our products/customers (including gov) were to be somewhat expected. Getting those calls still rattled my cage every time though, lol. "Hi this is Agent xxxx with the FBI, can you transfer me to your legal department?" "Actually I can't but I'll take down your info and send it over ASAP."
As for your advice, I'd advise OP to let their legal department handle it instead of trying to verify who the caller was out of curiosity. If the legal team does the same and finds out OP already sent over an email it could get them fired.
Additional-Coffee-86@reddit
DHS emails you, asking for a callback, they then give all their information and tell you to call their main line which you can find on google for verification.
LisaQuinnYT@reddit
I assume through the company’s legal department.
Jawshee_pdx@reddit
They literally knocked on our door to tell us.
fuzzylogic_y2k@reddit
Happened twice now, they showed up at my office.
joeygladst0ne@reddit
My last job was at a small ISP, and once we got a call from the FBI requesting records from one of our customers. I wasn't sure if it was legit but I passed it off to the owner of the company.
Later found out somebody at the customer location was accessing child porn and it was a totally legitimate request. Our lawyers got involved and obviously they complied with turning over the info.
All this to say, being a small company (~35 employees) the best way to get in contact with anybody was through our 800 number. They didn't have a legal department or much other public facing contact info.
TU4AR@reddit
Having had to deal with them twice, the best way to verify it's someone: ask for their name, badge and office.
Call the office and say you got a call from so and so and need to verify that they work there, or just ask to be transferred to their extension.
jaank80@reddit
They would do a whois lookup and contact your admin(s) of record that way.
Tex-Rob@reddit
Odd, post this at r/msp and I bet you get a much different story, because I've known this to happen half a dozen times from working at an MSP. I would say it sounds legit, but obviously continue down the path you are.
DocDerry@reddit
They've shown up in pairs when I've dealt with them during an investigation. Otherwise if it's noninvestigatory they call my cell.
AuPo_2@reddit
they emailed me once. and i also talked to them on the phone. I told them if you are going to show up you better bring your credentials. Sure enough they did. I sat down with a special agent and they explained everything, and I gave them what was needed.
Thanks_Its_new@reddit
I had a voicemail from someone purporting to be FBI leave a message for me unprompted, and yeah, I called the nearest field office and eventually tracked down the person. They will at least know if the agent exists.
Weekendmedic@reddit
If you're based in the US, the FBI has a habit of walking through the front door. Badge, gun, photo ID and business cards. Our local field office is 50 miles away, and the agent drove down to check out a fraud claim that was reported about an item sold in our memorabilia store.
FBI agents do not look like TV though, this guy was 50, a little frumpy and wearing a plaid shirt.
chinesiumjunk@reddit
I’d just call the field office or resident agency which he claims to work out of and ask to speak with him. Then once you have him on the phone you’ll know if it was real or not.
bageloid@reddit
Hey, if you are working for a financial company, join Infragard! They do information sharing and you get to actually know your local FBI cyber guys.
ngdsinc@reddit
This is normal. We operate colocation data centers and have some federal customers along with some other extracurricular activities we consult on. The FBI pokes around a lot as something is always going on, even to the point where we have some regular agents on speed dial. Some of our staff are cleared and can easily call up a number and validate someone, so it's just business as usual for us. The reasoning for this from the DoD point of view is the US gov is taking a more serious approach to "the China threat" along with Russian and other state actors. They mainly want to reach out in person or via an out-of-band channel to make them aware of a possible issue because the company they are trying to reach has been identified in some way as possibly compromised with something serious enough to get their attention, which they may or may not be able to fully disclose.
I'm not heavily involved in DoD stuff these days but from what I'm hearing there is a lot of scrambling going on since every time they turn around some other big company is hacked with data stolen and backdoors installed. Also that big telecom infiltration freaked out A LOT of people in the government ranks. From years of activity like that we are seeing a huge surge in the deployment of cross-domain devices for unclass to unclass traffic rather than their usual classified use case. Mainly in critical systems like power and water, so this goes hand in hand with the FBI showing face and also trying to get control of the situation.
The FBI trying to be more proactive these days is just a sign of the times. Obviously you should never just disclose stuff to someone who randomly calls and asks about sensitive things. I texted the agent we normally hear from and he said it is perfectly ok to ask the name and badge number, then call the local field office they claim to be from by looking up the number on their website, then asking to validate an agent whom you are in contact with for X reason. As long as it doesn't involve you being on the receiving end of things like a records preservation request, security letter, warrant, etc., they should be willing to disclose things because they are trying to help you.
SeaVolume3325@reddit
Typically this would fall under homeland security DHS not the FBI.
daddyphat808@reddit
I have been in that scenario. And it was real. Our call was from homeland. But 24 hours after contact I was on a video call with all of the 3 letter agencies.
dnstcpip@reddit
Mostly, FBI would only reach out through the emails for reporting intrusions, attacks, or for being targeted.
rvarichado@reddit
Alert mgmt ASAP. This does happen. A lawyer friend of mine got a call like this and it was 100% legit. An employee’s computer had been compromised and was beaconing out to C2 infrastructure that had been seized by law enforcement. Could be a scam, or could be real. Either way, it’s not your call to make. It is, however, your responsibility to report it to those who are tasked with deciding what to do.
Bagsen@reddit
and he reported it to his manager, like he was supposed to do. Like you said, it is not his call to make. Going above his manager is uncalled for. He reported it to his manager, it is on the manager if it is legit and nothing is done
rvarichado@reddit
Yep. I missed that OP reported it to their manager. Thanks for pointing it out because I totally glossed over it. I don’t, however, agree this is an “I did my thing, my hands are clean” kind of moment. OP could definitely poke his manager a few times if nothing is being done, and should escalate to security if that’s the case.
Bagsen@reddit
Maybe check back with them once as a "Hey did anything ever come of that FBI call?" Anything beyond that is only going to annoy your manager and most likely put you on their bad side. And going above them to security definitely will. Nobody is going to treat you like a hero dying on the weird FBI call hill. Just make sure you have solid documentation that you reported it up the correct chain of command and then back to work.
rvarichado@reddit
I get where you’re coming from. But I’ve been the security manager in an not dissimilar scenario and I would definitely want the tier 1 tech to come to me if their supervisor got information like this and sat on it. Not saying you’re wrong, but my philosophy is just different.
Ssakaa@reddit
Should be fairly standard practice to always hit up both one's own manager and infosec for anything resembling a security incident, or potentially legitimate concern (whether that's "something is wrong enough that the FBI is calling our helpdesk" or "someone claiming to be FBI called, if they weren't legit, there may be a more broad phishing attack going on than just the helpdesk").
And the manager's in there as a courtesy and a head's up in case it's actually fake, so they can make sure the rest of the people that might pick up the next repeat of that call are prepped for how to handle it.
amgeiger@reddit
100% and the lawyer first is actually smart. The direct contact for cybersecurity insurance is almost always legal. The CS insurance will then coordinate the incident response and forensics. So hope you don't have plans for the next few days.
hxcjosh23@reddit
This. I work in cybersecurity and have done plenty of IRs. A good amount of them are because the fbi has contacted our client and I've followed up with them to make sure it's a legit fbi agent. Please reach out as they do reach out quite a bit.
burkis@reddit
Happened to me too
LousyDevil@reddit
Same. The agent's name was even really generic.
After I took the information, I called the field office and they laughed and confirmed it was legitimate.
Shedding@reddit
I've been doing this for a long time, and yes, this is how it happens.
Phate1989@reddit
I have had the FBI show up in person 2 times with written correspondence since electronic messages could be compromised.
They didn't want us to enter anything into a computer.
Basically had a government client hosted in our data center that had a compromised device.
Once a government client, once a major healthcare provider, never heard of them calling.
Bloody_1337@reddit
As a fellow lowly IT Service Desk agent, I would have simply gathered all the information and then started the documented Security Incident process. The rest is up to the IT Sec folks.
taker223@reddit
Was there a thick Indian accent? Did it demand any gift cards?
GoldenHighlander@reddit
Had something happen at a previous place of work. Contact local field office. Follow their next steps.
bad_robot_monkey@reddit
The FBI is the only organization with an FBI.gov email address.
Alternative_Form6271@reddit
Could be legit. We've had this happen where I work.
jdub01010101@reddit
I've been seeing this lately. I work incident response.
FBI got a ton of intelligence in October that they are now informing victims of Chinese hackers being in companies.
It is probably legitimate, but confirm with your local field office.
If confirmed, contact your cyber insurance provider. They'll know who to engage.
oceanave84@reddit
Whenever I dealt with law enforcement I always took down their information, asked what office they worked out of, then ended the call after explaining that I need to call them to verify. I never had anyone complain. If they do complain or say it’s urgent, I simply respond with, I will be reaching back out as soon as possible.
I would then look up the office on the official website of such agency, verify such office exists, then call using that number.
Sometimes I would invite someone from the company I worked for to be on that call with me. Then I would call them up and speak to them after proper verification and routing. Once you get to that person, reverify that they called you, and their contact information again.
Just a reminder, never offer up information without a subpoena. If they want access to your logs, data, whatever, ask them what data they need, the date range and then create a ticket to have it done asap but never deliver it until that document arrives. That document protects your company.
demonslayer901@reddit
There is news of the FBI shutting down tons of malware on peoples PCs. Related?
Marcus_Aurelius_161A@reddit
We had a similar incident in October last year. In this case it was the DHS calling to let us know we had a compromised account. After we verified the agent's identity, we cleaned up the affected account. The gov is doing good things to warn businesses of attacks.
SecBen10@reddit
I got a call like that one time; it was the local field office saying they saw one of our systems was being used by an active exploit. Don’t expect too much data, but they do contact, and nowadays with all the scams going on around all 3-letter agencies it’s hard to believe them. Good luck though, call the local field office and get in touch that way. Make sure your info sec team knows.
jaykaboomboom@reddit
I’ve received a call like this, get to the bottom of it, they may have busted up a hacking group and found your information. Do not sit on it!
HowDidFoodGetInHere@reddit
If the FBI were looking into your company, they wouldn't be calling your helpdesk.
Truskey@reddit
If you want to tell a company about a compromised system why would you not call their IT department?
HowDidFoodGetInHere@reddit
It wouldn't be a phone call from some random FBI agent to the helpdesk. It'd be an in person visit to the executives.
Truskey@reddit
No it wouldn't. How would they know what office to go to and if the exec is even there that day? I'm an incident responder for our state and can confirm the FBI makes these phone calls routinely. They don't have anywhere close to the manpower to make these notifications in person. The only time they go in person is if they have to provide information that can't be shared through electronic communication or if they need to interview the company to understand the financial impact to the victim so they can log it in their case.
HowDidFoodGetInHere@reddit
So if you were working on the helpdesk and got a random call from someone saying they were an FBI agent, you'd just immediately assume they were legitimate because they told you that they were with the FBI?
Truskey@reddit
Nope but I'm glad you think me having a job in cybersecurity is on that level
weeemrcb@reddit
You call FBI and ask if the person is listed as an active agent
randomman87@reddit
Lmao at all the people claiming scam. It very well could be, but the FBI does indeed do this. Most (American) businesses have shit InfoSec, and the FBI monitor threat actors hacking attempts. It makes sense, it's a federal risk if suddenly all the SMBs in America with shit security have orchestrated hacks.
TheGlennDavid@reddit
Worked in DC for most of my career (at very non-exciting places) and the frequency with which various agencies drop in is so high that I'm completely unfazed. I guess if you didn't have it happen often it'd seem suspicious.
We'd get cops, marshals, secret service, FBI.
TEverettReynolds@reddit
As a former IT Manager who had to deal with this, the agencies contact the owners, officers, or legal department directly.
They don't call a help desk number.
newboofgootin@reddit
Yep. I have two clients that have been contacted by the FBI and it was legitimate in both cases. I've since developed a report with our local CISA guy.
He runs into many people, like OP, who think it's a scam when in fact he really is trying to reach out to organizations to alert them that they've been breached. My organization can reach out to the organizations that are ignoring him and vouch for him and say they should pay attention.
/u/caffeinated_disaster do your due diligence but don't throw it in the trash. It might be legit.
dloseke@reddit
Might be a typo, but I think you mean "rapport".
rednehb@reddit
https://www.reddit.com/r/sysadmin/comments/1i3udqr/fbi_called_our_it_service_desk_hotline/m7rd0mo/
I posted this comment elsewhere in the thread, but I've also had customers that were legitimately breached reach out from personal phones and emails, because they couldn't access work email, which is of course super sketchy. We would require at least one person we knew to join a video call and if they couldn't, have several people on the call that could show us their work badges or other proof before granting access.
Apparently the vast majority of these were very real, but like 5% were account takeover attempts that were pretty easily solved by our sales and/or engineering teams just texting the account holder's personal cell phone and requesting the video call.
martiantonian@reddit
This is accurate. I work in incident response. If your company has been breached by one of the big threat groups and you don’t report it to IC3, the gov will come looking for you. Usually the FBI but sometimes the USSS.
ThatDistantStar@reddit
We've also been contacted by them before for our IPs being found in a sophisticated malware APT they disrupted and we should investigate our systems. Just like OP they called our main line and left an @fbi.gov email address, how else would they contact you? Hack you and leave a note on your file server?
nitroed02@reddit
Had a client get one of these phone calls, and continued via emails. I verified the email headers were legit. They had monitored a dark web site offering the sale of working RDP creds from an RDP port left open on the client's public IP. Including the screenshot of an RDP session open and an IP scan showing other server names discovered.
The client was likely mere hours away from a ransomware event.
Gecko23@reddit
I've been directly contacted by the FBI, was very suspicious, but they gave me their field office info so I could verify for myself who I was talking to. There was offline info too, can't be emailing threat intelligence over email that might already be compromised by that threat, right?
SleepingProcess@reddit
Next time he calls, tell him that you know that "The Art of Invisibility" by Kevin Mitnick case is immortal
cd97@reddit
Had a phone message left by someone at CISA years ago. I called the CISA main number and confirmed that the name and extension were real. The call was because some nasty malware had been emailed to us months ago. It sat unread in a spam folder.
lost_send_berries@reddit
This doesn't mean much, you also need to confirm that that person really did try to contact you.
cd97@reddit
I did get connected with them directly. I was intrigued that they asked for an alternate email address so that they could send me details (they were concerned that my organization email might have been compromised).
joeuser0123@reddit
I had a call from CISA a few months ago for something that occurred back in February.
"Do you want me to remediate it and report back?"
NOPE JUST LETTING YOU KNOW.
Extension-Ordinary-6@reddit
Same thing happened at my work. We were also able to confirm it was a real person by calling cisa directly to verify they were legitimate.
C_Lineatus@reddit
Just attended a webinar led by a regional CISA agent, they mentioned this. That with all the training about social engineering, make sure staff knows if they get a call from CISA to take the info, call and confirm, but they will also sometimes ask for a non-domain email to contact you.
beginnerflipper@reddit
I agree. This might be the case as the FBI agents probably view an @fbi.gov as proof they are FBI agents
unkn0w3n01@reddit
Leave it to your manager, they could see it as you're undermining them.
fnordhole@reddit
You passed it to your manager.
You're done.
(I think it was most likely a scam, as well.)
z0phi3l@reddit
That's an immediate pass on to legal, not your problem beyond that
gahd95@reddit
My country's FBI pendant once called us to let us know that we were on a target list of a Russian hack that would take place later that day. Luckily we are well prepared, so the low effort DDoS attack did not do much. But they were legit.
brainstormer77@reddit
I have experience with this. FBI did visit my company because of a possible cyber security incident from their field office. They left their business card.
frosty95@reddit
The real email is your tip-off that this is real. The FBI will actually contact companies who have been compromised. I worked for an MSP. I still have the contact card for our local FBI agent. He would let us know when one of our unmanaged customers got hit so we could help them out. Was extra funny when the business decided they didn't want us to fix it and then was surprised when the FBI had their internet disconnected.
exccord@reddit
We had secret service call us ahead of the president going through town. I'd verify with the agency first but it can be legit. They screened some of us as well ahead of the presidents trip.
WesleyTallie@reddit
I had the Department of Homeland Security call my phone, the number you can find for tech support using Google.
Said we've been infiltrated, gave me the PC name that was compromised, the user logged in, and all of the servers and IP addresses.
Everything they called out was ours, and coincidentally, the user was across the hall from me.
I told them nothing. They gave me their credentials and said "Google us". They seemed legit.
They had been tracking traffic to an IP in the Baltics. That's how they caught it. It only took them about 2.5 hours from the time the PDF was downloaded till the phone call.
They came to our office twice in the following month, two guys from DC then two guys from Denver.
Pretty impressive, really.
SparkStorm@reddit
We got contacted by homeland security once, it's rare but it does happen
andys5010@reddit
If they have info that you are compromised they will try to initiate out of band contact. Like via an email or phone number not in your domain or systems. In the gov sector it's important to have these conversations before an incident happens so that the wrong people can't exploit. This is specifically what I remember from a CISA and FBI speech at a conference.
Terrible_Chemistry11@reddit
We had the same experience and it was a legit call. Notified us about an exploit with our Cisco ASR router. Called the main regional office and confirmed agent was in fact who they said they were.
duane11583@reddit
simple solution. contact the local fbi office and ask them to confirm the contact.
same idea if somebody from your bank or credit card use a number you know not the one they give you and call to confirm they are real.
Past_Bid2031@reddit
Classic scam.
ncgbulldog1980@reddit
Could be real. A few years ago the school district (very large) I work for got hit with ransomware. I got calls on my cell (no clue how they got my number) from both the FBI and Secret Service offering assistance. CISA was able to figure out what happened but we had to restore everything from backups.
Cold_Sold1eR@reddit
A few years ago we had the UK NCA (national crime agency) call us and said the same thing.
We didn't believe it, the NCA do not normally contact businesses regarding that sort of thing.
Turns out they were monitoring a big Chinese hacker group, and they had indeed breached our network and were in the middle of downloading all our data. We caught it just in time thanks to the NCA
TheDarthSnarf@reddit
Honestly, I've had Homeland Security and FBI call before several times with different issues or questions at different companies I've worked for.
This is pretty much exactly how they've done it every time.
We verify authenticity by calling back to the local field office number, confirming the person's name, and then getting connected to the person by the operator or having them provide us with the direct number for the agent. Usually the numbers are the same as what was provided by the agent.
Just do your due diligence, but assume that this is a legitimate contact.
dloseke@reddit
I (MSP) had a client (trucking company) a few years back that was contacted by the FBI because they had an Exchange Server on premises (before moving to M365) that was known to have vulnerabilities. Said server had already been patched but since this company hauled liquids, many of them flammable, I believe they were flagged by DHS as a likely target of a malicious attack. Calls and emails were legit....really threw everyone. It comes down to what are they wanting you to do. In our case it was just to be notified of possible vulnerability and patches.
harryhov@reddit
I had something similar where a region local police officer sent me a message on LinkedIn claiming that he detected a leak in our site. I just ignored it. LinkedIn page looked legit. But I guess it could have been hacked.
LRS_David@reddit
If legit they will give you enough information to get back to them by calling one of their publicly listed phone numbers. Sounds like they did.
HJForsythe@reddit
You call the switchboard number for whatever office they claim to be with and ask for them.
MacAdminInTraning@reddit
In this situation, remember you are just a helpdesk tech. Log the ticket, don’t give any information, then give your manager the information and move on to your next call. Let your manager decide what to do as this is not your problem in the slightest.
Andromina@reddit
Homeland Security just called out help desk number asking to speak to whoever our record keeper was (ISP). Call was transferred to me. They were conducting a CP investigation on 3 of our subscribers, needed records, and needed to know who to send the search warrant to. They electronically served the search warrant to me and all documentation was provided accordingly.
cool-nerd@reddit
If I remember right, a few years ago the NSA was patching companies' servers without prior authorization because it was such a big security risk that they had to intervene, and it was done without anyone realizing.
WeirdOneTwoThree@reddit
There is ALWAYS someone trying to break in. Any time of the day or night I can watch the logs on the firewall and it won't be any longer than 5 seconds before I see something like someone in Belgrade trying to turn up an IPSEC tunnel into the network. If the FBI were to happen upon some of these folks I suppose they might take a different view of it than I do (I ignore it because such attempts come from perhaps a thousand unique IP addresses daily so there is no hope of being able to effectively chase it down).
techw1z@reddit
are you just trolling or did you mistakenly post here instead of r/ShittySysadmin or did you really just explain that you fell for a scam/phish call and didn't even manage to make sure that the person you were talking to really was from FBI before writing all this? if it's the latter, maybe stop working in IT. if you are a newbie, hurry up and learn a bit about this shit...
please tell me you are just trolling.
Reelix@reddit
Create a new email (Not reply to) to the @fbi.gov email to confirm.
Dry_Structure641@reddit
Use the email address, no way in hell fbi.gov has been spoofed.
In the very rare case that you are so compromised and the attackers do good, they are screwing with you and were able to set up a fake fbi.gov domain inside your own network, then check the email headers. No way in hell that email leaves your internal IP space. Can't be done. The internet is also watched by ATT, Spectrum, Verizon, etc in conjunction with the FBI and NSA.
My brother, working for a telco, gets orders to shut down IP ranges all the time. Mostly they just shut it down and claim outage. On rare occasion they get asked to do a DOS, very rare though.
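The header checks the comments above mention (the "verified the email headers" and "check the email headers" advice), written out as an added example that is not from any commenter. It assumes your own MTA is named mail.corp.example, that internal address space is RFC 1918, and uses constructed sample messages; only the Authentication-Results stamped by your own MTA is trusted, since a sender can add a forged one.

```python
"""Triage the headers of an email whose sender claims a given domain.

Added example: trusts only our own MTA's Authentication-Results, checks
SPF/DKIM/DMARC alignment with the claimed domain, From/Reply-To alignment,
and whether the originating hop sits in our internal (RFC 1918) space,
which would mean the message was injected internally, not delivered from
the claimed domain.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample message (not a real notification). mail.corp.example
# and mx1.fbi.gov are placeholders for your MTA and the sender's relay.
SAMPLE_RAW = """\
Received: from mx1.fbi.gov (mx1.fbi.gov [192.0.2.10])
  by mail.corp.example (Postfix) with ESMTPS id 4ABC123
Authentication-Results: mail.corp.example;
  spf=pass smtp.mailfrom=fbi.gov;
  dkim=pass header.d=fbi.gov header.s=sel1;
  dmarc=pass header.from=fbi.gov
From: "Example Agent" <example.agent@fbi.gov>
Reply-To: example.agent@fbi.gov
Subject: Computer network intrusion notification

Please contact your legal team.
"""

# Constructed suspect message: Reply-To points elsewhere, the origin hop is
# an internal address, and Authentication-Results was stamped by an unknown
# host rather than our MTA (anyone can add such a header themselves).
SAMPLE_SUSPECT = """\
Received: from mail.corp.example (mail.corp.example [10.20.30.40])
  by mail.corp.example (Postfix) with ESMTP id 4DEF456
Authentication-Results: attacker-mta.invalid;
  spf=pass smtp.mailfrom=fbi.gov;
  dkim=pass header.d=fbi.gov
From: "Example Agent" <example.agent@fbi.gov>
Reply-To: example.agent@fbi-gov-support.invalid
Subject: Computer network intrusion notification

Please reply with your VPN credentials.
"""

# Assumption: internal space is RFC 1918; adjust to your own ranges.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
_DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain_of(addr_header: str) -> str:
    """Lowercase domain of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", addr_header or "")
    return m.group(1).lower() if m else ""


def assess_headers(raw: str, claimed_domain: str, trusted_authserv: str) -> dict:
    """Return named boolean checks plus an overall 'verdict' string."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = claimed_domain.lower()

    from_domain = _domain_of(str(msg.get("From", "")))
    reply_domain = _domain_of(str(msg.get("Reply-To", ""))) or from_domain

    # Trust only the Authentication-Results stamped by our own MTA.
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    authserv = auth.split(";", 1)[0].strip().lower()
    results = dict(_AUTH_RE.findall(auth)) if authserv == trusted_authserv.lower() else {}
    dkim_match = _DKIM_DOMAIN_RE.search(auth)
    dkim_domain = dkim_match.group(1).lower() if dkim_match else ""

    # Received headers are prepended by each hop, so the last is the origin.
    received = [str(h) for h in (msg.get_all("Received") or [])]
    origin_ip = None
    if received:
        m = _IP_RE.search(received[-1])
        origin_ip = ipaddress.ip_address(m.group(1)) if m else None
    origin_external = origin_ip is not None and not any(
        origin_ip in net for net in _INTERNAL_NETS)

    checks = {
        "from_matches_claim": from_domain == claimed,
        "reply_to_aligned": reply_domain == from_domain,
        "spf_pass": results.get("spf") == "pass",
        "dkim_pass_aligned": results.get("dkim") == "pass" and dkim_domain == claimed,
        "dmarc_pass": results.get("dmarc") == "pass",
        "origin_external": origin_external,
    }
    checks["verdict"] = "plausible" if all(checks.values()) else "do not trust"
    return checks


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_RAW), ("suspect", SAMPLE_SUSPECT)):
        print(label, assess_headers(sample, "fbi.gov", "mail.corp.example"))
```

A "plausible" result only means the headers are consistent; the call-back to an independently looked-up field office number the thread recommends is still the actual verification.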
zlewis1089@reddit
We've had both CISA and the FBI call our main line over the years. Once the FBI called my direct number. I verified by calling the local field office. Ended up being legit in all instances.
Richard-N-Yuleverby@reddit
The fbi called us to ask if we had been hacked about 2 hours after some of our servers started encrypting themselves. Call the fbi directly (source the number yourself - don’t use one provided in an email) and confirm it’s not a bad actor
_Jimmy2times@reddit
Typically it’d be CISA reaching out, not FBI
hiveminer@reddit
It is strange he would ask for the legal department. He should have asked for the cybersecurity person or the soc or SIEM person in IT. If you get puzzled responses you then ask for legal cause that IT department will need regular cybersec audits and an immediate path to SOC2
mikeone33@reddit
Depending on the size of your company, your legal team probably has contacts in the FBI.
bindermichi@reddit
A law enforcement agent with a LinkedIn profile?
Yeah, that‘s a scam.
Koldcutter@reddit
I agree with this guy. FBI agents don't have LinkedIn pages. If one does he's basically saying hey foreign intelligence services I'm over here. If he is real and this dumb he won't be an agent for very long.
jholden0@reddit
Oh, but they do. Ever been on LinkedIn before? Also, FBI agents aren't covert CIA agents. Too many movies for you.
Koldcutter@reddit
Not saying they are doing covert stuff, just saying you're helping the Chinese and Russian social media bots target your feed with propaganda
jholden0@reddit
I know. I was kind of being a smart ass. Lots of FBI agents do have LinkedIn pages. I live in the DMV area and have a few friends from college that became FBI agents in various roles. They all have a LinkedIn account and public pages.
merlyndavis@reddit
Having dealt with the FBI in the past, they can get creative when trying to reach someone. Always ask what office they’re with, and call that office based on the number from FBI.gov website. An FBI agent will happily let you perform that basic security check.
caffeinated_disaster@reddit (OP)
He did tell me he's from the New Haven office. Sent them an email, just waiting for the response
Papfox@reddit
I would check the contact number for their office on my personal device which isn't using company connectivity or DNS then call them from that personal device to check the person out.
caffeinated_disaster@reddit (OP)
That's actually not an option for me because the whole service desk team is located in the Philippines 😅
woohhaa@reddit
My previous company enrolled in a program with the local FBI field office in our city where the FBI would hold quarterly debrief meetings with CIOs/ CISOs and the like. They would cover the latest trends in cyber crime and cover modern defense in depth principles, techniques, and best practices. It was great networking for ITL of various large businesses and enterprises in our area and you would be assigned a field agent to liaise with.
One night my boss got a call on his home POTs line which he never used or gave out the phone number. It was an FBI agent warning him that they had credible information that our network had been compromised and we should be segregating our backups immediately as a crypto attack was imminent.
We went into full blown response mode. We identified some very suspicious traffic coming from Ukraine to an Exchange server. Same IP, same port, every 30 seconds. We blocked it, within 30 seconds it started coming from another Ukrainian IP. We geo blocked the whole country. 30 seconds later it’s Russia, we blocked Russia, this carried on until we’d geo blocked the entire “axis of evil” then it jumped to India.
After that we went nuclear and started shutting down WAN connectivity and internet access while segmenting our backup servers. This began a two week shit show that eventually led to the discovery of a VM which had been compromised. They had persistent access and had moved laterally throughout our network and established a foothold. They were doing recon with some nefarious tools they’d installed on the VM which we were able to see scanning in real time when we finally found it. They somehow got domain admin credentials from an offshore MSP employee whom we considered to be very trustworthy.
It was a nightmare and caused a few weeks of grief and pain for everyone involved but had the FBI not called it would likely have been much worse. It also led to some significant investment into security tooling and staff that the business otherwise cut from the budget year after year.
Ermoore32@reddit
For what it’s worth, this has happened to me a few years ago and it was legitimate.
Hyryl@reddit
I’ve dealt with this at multiple companies. The best way to confirm is call the local FBI field office and ask if your organization was contacted. They typically keep records of this type of outreach. I wouldn’t be surprised if legit.
Locupleto@reddit
FBI will contact a company. They will contact the CIO if they know who to contact. Most large companies they know who to contact. Just look up your local office and call that office to confirm. I wouldn't sleep on it.
bionic80@reddit
Companies, even small ones will set up compliance hotlines for any inquiries like this. If the FBI is calling in the main line or emailing then usually the best action is to forward to that number / email and let them handle it. CC your boss for CYA... but if it's a scam compliance will know how to handle it.
Tommy-Appleseed@reddit
It’s known that the phone systems are hacked so calling the local field office and requesting that proper in-person identification would be required. There is a big infiltration problem going on even where foreign espionage groups are trying to get employed with companies that do business with other big companies or even US government agencies. Even local ISPs outsourcing support are clueless to the level of espionage going on. China has a Hotmail server set up just waiting to synchronize Americans' email accounts once they have the right password and 2FA bypass. America has got to get its security together and start fighting back and putting a stop to all this. I’m waiting for them to shift the entire backbone of the internet GDNS again to China while we sleep.
I luv it when that commercial comes on and Jennifer Coolidge says, how do I know you’re real?
dwrichards@reddit
I have dealt with the New Haven FBI office for an attack in the past. They physically show up in numbers with identification. The number I have for them is (203) 777-6311. Contact them direct. (You can verify the number on their fbi.gov field office webpage.)
Advanced_Vehicle_636@reddit
We've done something similar before. We're not FBI though. Story time!
I work for an MSSP that provides Cyber Security services to several clients ranging from you've-definitely-heard-of to the local-to-our-HQ "mum and pop" shops. This client was international, but relatively large. One of the things we missed in their onboarding is whether they had a 24/7 service desk line (They did...).
We had an incident come through that was quite clearly shit's hit the fan unless this is an unannounced pentest. I called everyone in our emergency contact list (currently 9 people) 3 times over. This included standard IT staff, IT Team Leads, and Executives. None of them answered their phones. Now, these guys are in the hospo (or adjacent) industry.
So I pulled their website up and called their hotline. I get some poor receptionist on the phone.
Receptionist: "You've reached $XYZ, how can I direct your call?"
Me: "Hi, my name is $AV636 calling from $ABC. We provide cyber security services for $XYZ. I've been trying to get ahold of IT but haven't been able to. Can you route my call to your IT Helpdesk with respect to the server $SERVER? It's been compromised and I must speak with IT."
Receptionist: "Oh. Uh, what's your name and who do you work for?"
Me: "AV636. I work for $ABC."
Receptionist: "Right. We don't accept cold sales calls. Is there anything else I can help you with?"
Me: "No no. I'm not a sales guy. We're under active contract with you."
Receptionist: "If you're a vendor you should have their contact information." (Well, you're not wrong!)
Me: "We do. *starts listing off names and corporate lines*"
Receptionist: "OK. Give me a moment to speak with a manager."
**A few moments later**
Receptionist: "My manager won't allow the transfer. You'll need to find another way to contact them if you're a vendor. Is there anything else I can help you with today?"
Me: "Maybe. I get your policy. Hell, I agree with it. Can you pass on a message to them for me? If they don't recognize the information, no harm no foul."
Receptionist: "*Thinks for a moment* Sure."
Me: "Tell them it's $AV636, Senior Security Analyst calling from $ABC. $SERVER has been compromised through an exploit and has evidence of command and control. We've removed the server from service until they respond. Have them reference their emails for my official contact information. My email is first.last@abc.com or mssp@abc.com."
Receptionist: "Anything else?"
Me: "No. Thank you, I appreciate it."
A couple minutes later my phone rings. It's their IT Director.
Dir: "Hey. I got your voicemail... and a very frantic message from reception to the entire IT team."
Me: "Yeah, apologies if I scared the shit out of her. No one was answering and we don't have a general line."
They later confirmed the attack was an unannounced pentest. Honestly though, props to that receptionist. Declined to pass through a potential threat (she had no idea who I was), but relayed a potentially critical message. Cyber Security training done well.
LetTheJamesBegin@reddit
Is there a reason you should prevent your legal team from becoming aware of the situation?
MyDadsGlassesCase@reddit
We have a company in the UK called FAST - the Federation Against Software Theft.
They're a private company that represents the software industry and will phone random helpdesks saying they believe the company has pirated software and is being investigated. As a helpdesk analyst I shat myself. My boss told me to tell them to do one.
0RGASMIK@reddit
Call the FBI and confirm.
Years ago I got a call from someone claiming to be from the local police department stating they had some questions about a crime I witnessed. They gave me a legitimate name, a legitimate number to call and left it pretty open ended. ( I didn’t bother to verify any of it at first but later I did look up all the info provided.)
I hadn’t remembered witnessing any crime nor giving my number out to anyone so I figured it was a scam. Forgot about it and went about my day.
The next day I got another call but this time it was much more dire and the tone was threatening. I answered it and was basically told that I hadn’t just witnessed a crime but I had been deeply involved in a crime and that I was a key suspect. I really don’t understand what their goal was but I told them to eat dirt and hung up.
That’s when I started to look up the initial information provided and got scared it wasn’t just a scam or prank. I decided either way the best thing to do would be to call the actual police to verify but decided to just ignore it and let them arrest me if they actually had a case on me.
Never heard about it again.
7fw@reddit
You did your job. Took the info down, passed it along to leadership. Let them handle it and let it go.
jholden0@reddit
A quitter never wins and a winner never quits.
dkcyw@reddit
You can't fake an @fbi.gov email inbox.
jholden0@reddit
Can't fake any top level domain. That is unless you have breached the mail system.
Powerful-Two5444@reddit
Does he have Indian accent?
jholden0@reddit
This was what I was going to say. " Hello this is Peter Americanguy. I am from FBI. Federal ....... Bueral.....of......
ZAFJB@reddit
Not in the US, but if my country's equivalent agency contacted me I would immediately verify by calling back.
Not waste time on reddit etc. You could have an in progress incident. You must react fast, before the criminals pull the trigger on exfiltration and/or ransomware.
Electronic-Basis5504@reddit
We had an FBI agent walk into a subsidiary of ours, say we’d been attacked and gave no details. It was a legitimate notification, however, no breach occurred.
DoorCalcium@reddit
I would assume it's social engineering
NGrey119@reddit
New Haven CT? Anyway. We were raided by FBI/secret service once. They came in and took files, a few laptops. Interestingly some guys had secret service shirts.
Came in with search warrants. One of our guys was carrying. So they had to lock his piece up. They looked at every PC and office searching for files. They attempted to take our server data. Here’s where it was interesting. They tried to image our server to a USB drive. I was like it’s an ESX host. If you know what you are looking for, I can have you export the entire VM. They were trying to export 3-4 TB of the ESX host in under a day. I was like that USB 2 is gonna take like 2-3 days. And this was their IT tech that came. He was carrying also.
He called someone and I explain how long it was going to take and around 3pm it was like 5% done. They gave up and said we’ll come back if we need it
This was in 2010 ish. Yes I do have photos. I’ll have to block a bunch of identifying marks out.
verdamain@reddit
FBI go direct to CISO or equivalent, there is a network comprising many companies for this exact reason, to collaborate during incidents
Jweekstech@reddit
The FBI and CISA do make phone calls to businesses that they find to potentially be compromised. Attend any number of cybersecurity conferences and listen to the stories from the fbi folks about this exact story, including how the people they call are skeptical. You’re doing the right thing… call the local field office and verify.
Good luck!
Key_Kong@reddit
Contact your local FBI field office. Details can be found on the FBI website.
lowNegativeEmotion@reddit
"we received a tip from a highly reliable source"
Means they have eyes on a bot net and are notifying you of the breach, ransomware detonation is imminent. The email sent to legal is probably full of technical info you need to identify the infected machines.
After-Vacation-2146@reddit
Legal should call the nearest field office and ask to be connected to said agent. If they do it, then he is real FBI. Based on what you said, and my past experiences with this situation, this sounds real, treat it as such.
Th30n3_R@reddit
Last year, something similar happened to me. I work for a Finnish company, and the Finnish "FBI" got in contact with our IT to let us know that one of our employees had their home router compromised, giving us instructions on what to do. They obviously didn't give us many details, but they found this based on a larger investigation into foreign hackers' attacks in Finland. At first, we also thought it was BS, but in the end, it was indeed legit!
metalninja626@reddit
Our offices are closed over the holidays, but a couple years ago I had to pop in for a bit. Inside the front door I found a note that someone slid underneath, hand written, claiming to be FBI trying to reach us about a security issue. No business card or anything.
I also at first assumed it was a scam, but I did look up and called my local FBI office directly. I was at least going to tell them someone is going around impersonating an agent, but lo, it was legitimate. Our company came up as a potential target for a ransomware group.
So as silly as it is, try calling back to the official number, it might actually be legitimate.
MaTOntes@reddit
Easy enough to confirm. Call FBI directly using their own contact details you source yourself. The fact that he gave an email with FBI.gov lends itself to being legit. Best to confirm with alternate contact info you know is correct.
The fact that he claimed that someone is "trying to hack your network" is odd. Not sure how they would have that info or why they would care.
elgato123@reddit
I’ve gotten calls from FBI agents before. Although it sounds stupid, if he has an American accent and not a foreign accent, he’s probably legit. You won’t be able to find them on LinkedIn. You probably won’t be able to find them if you search their name anywhere. Normally, they are just looking for information conducting an investigation, or trying to find information on where they can send a subpoena.
Man-e-questions@reddit
I just attended an FBI event at Microsoft Ignite. They stated its best to go to their website and find your local field office and introduce yourself to your local agent so you can report any suspicious stuff to them easily.
jmk5151@reddit
this is what we do, meet every few years with our local field officer responsible for cyber.
StreetRat0524@reddit
This sounds like something a fed would push people to do 🤔
Geekenstein@reddit
…no thanks.
sir_mrej@reddit
Just FYI, lots of cybersecurity people work with local and federal authorities regarding cyber crimes
Geekenstein@reddit
I’m well aware. I engage when needed and not before.
seattlesparty@reddit
Scam!
1_________________11@reddit
I've only contacted the fbi never the other way
1_________________11@reddit
They showed up to grab any data they needed
klti@reddit
The only thing that would have a harder time being believed is if Microsoft suddenly started doing active security threat outreach via phone. Also, that would certainly be outsourced to India or somewhere else, so that would really help.
smc0881@reddit
They do reach out and valid e-mails are @fbi.gov or @ic.fbi.gov. You can call the Field Office and ask by name. I was an FBI contractor for 10 years and now I do DFIR and have several clients where FBI, HSI, or other agencies reach out.
SugarConspiracyYo@reddit
I had a person call my work claiming he was from the FBI, I asked him how I know he’s really an FBI agent and we both laughed. 6 months later I got a report from the FBI that a lot of places were potentially being breached by nation state actors and their investigation concluded that we had not been breached.
alnarra_1@reddit
Did he actually give you an @fbi.gov address? If so, yeah they probably do need to actually talk to your legal team. Trying to get a hold of help desk is generally how we reach out about Business Partner compromises, I imagine the FBI is in the same boat.
amgeiger@reddit
We had someone from DHS show up at our office when there was a e-skimmer on our site.
Alienkid@reddit
Your company has an official process for dealing with law enforcement requests. It usually always involves a fax
MeatWaterHorizons@reddit
Wouldn't the FBI just send a letter? Like the IRS, I don't think they would call you about anything. I think the only method of contact that they would use would be snail mail or just show up in person.
khag24@reddit
We actually worked with the FBI more often than I expected when I was working in a NOC. They would regularly call us and we had a number to get in touch with them. Was very surprising to learn until the security guys started to show heat maps of all the activity we received
perthguppy@reddit
Do you run Fortinet firewalls or Ivanti VPN appliances by any chance?
caffeinated_disaster@reddit (OP)
Ivanti VPN
perthguppy@reddit
For more info, see: https://www.cisa.gov/news-events/alerts/2025/01/08/ivanti-releases-security-updates-connect-secure-policy-secure-and-zta-gateways
And
https://www.cisa.gov/news-events/alerts/2025/01/14/ivanti-releases-security-updates-multiple-products
I can’t comment on much more than that since I’m privy to information I legally can’t disclose.
perthguppy@reddit
Hahahaha. Yep. You need to get in contact internally with whoever manages those appliances ASAP, if the FBI is calling you, then you’ve likely been compromised by one of the many recent critical exploits that have been reported. These exploits have included authentication bypass, and exfiltration of clear text passwords and config files.
Normal-Spell5339@reddit
Why do you think it’s not real if they gave you a valid @fbi.gov email to contact? Why would it not be?
habitsofwaste@reddit
Not really sure how it is a scam when he’s got an fbi.gov email. It’s all easy to verify. Then pass that shit on to legal and be done with it. Do you want to be responsible for not passing that on and more damage being done by an intrusion?
ScreamingVoid14@reddit
Seems like you have taken the reasonable steps and aren't in any immediate danger of letting an attacker in. Good job.
_Cold_Ass_Honkey_@reddit
Alethea Duncan is really trying to save her job.
captkrahs@reddit
I got a call similar. Passed it along to our security guy
Frogtarius@reddit
Federal benchods of India.
Etc48@reddit
I work for the Gov’t and I don’t trust anyone reaching out to me. I always look them up in our system to make sure all information matches them before I respond.
dracotrapnet@reddit
I've never been contacted by the FBI but I have sent the FBI stuff. I have been contacted by the county Sheriff's office for video for motor vehicle accidents that occurred in the distance from our cameras. Those are always fun.
jadedarchitect@reddit
I once had "Microsoft Support" call me.....while I was onsite at Microsoft working as Tier 3.
The entire team was clustered in to listen to that one.
TommyV8008@reddit
Anyone impersonating the FBI is clearly breaking the law, that’s possibly a federal offense. I don’t know if the call is traceable on the FBI side, but I would think they should be alerted and I’m sure they have some kind of hotline or website or something for these kinds of incidents.
andytagonist@reddit
Why are you even asking if YOU should report anything to legal? You're already on the hook since you took the call—just document that you reported it to your manager and be done with it. 🤦♂️
Dwman113@reddit
Why is this confusing?
Does he actually own the @fbi.gov? Prove it. If so it's legitimate....
Nobody is spoofing @fbi.gov....
craa141@reddit
Ok so someone called.
They didn't ask you for anything.
They gave you an email address with the fbi.gov domain and asked for your LEGAL team to contact them due to a network intrusion and you are hesitating to pass it on to your legal team?
Like he's not emailing in, he is saying here is how you can reach me and gives you their actual domain, you did check it right? He also gave you a contact number to reach him but you are still not sure you should pass it on.
Simply call the FBI field office or main number, ask to confirm that this is a valid agent, and / or email that email address -- unless the FBI domain is hijacked ... it's probably good if it doesn't bounce and if you get a reply from them.
I am pretty sure the last team a hacker is going to reach out to try to social engineer is the legal team.
zombieblackbird@reddit
Mandatory cybersecurity training instructs me to immediately refer them to the cybersecurity event emergency response task force hotline.
Any "FBI agent" who somehow found the firewall guy's direct number and called it is either a scammer, a pen test engineer, or incompetent. I'll risk my job shutting the public interfaces down before I risk it taking spearphish bait.
thelug_1@reddit
A place I worked at had Homeland security roll (literally) up on us saying they got a tip from the FBI who had found something on our network while doing an investigation into something across the country. The entire IT team was requested to come in along with our physical security department.
That's one house call I would have preferred over the phone lol.
ChildrenotheWatchers@reddit
Definitely a scam, imo. Don't ever request an email from someone like this or you might receive something really bad. When in doubt, phone the nearest FBI Field Office by looking up the public number (they have a switchboard operator who can route your call properly).
I used to work for the IRS, so I know that people try to impersonate federal law enforcement all of the time.
sffunfun@reddit
I had a Postal Inspector call me to tell me that they found my name on a mailbox being used for fraud, and they even knew that someone had obtained an authentic driver’s license with my info and the fraudster’s photo on it, because someone at the DMV was in on it.
I asked the guy how he found my home phone and he said he used 411 (you youngsters won’t have any idea what I’m talking about).
twhiting9275@reddit
I’ve had them call my business before , as a server admin. I obtained the gentleman’s full name and said I would verify authenticity
Within ten minutes, I’d called the main number, explained the situation and who I was. They put me right back through to him
That’s how you verify it
yspud@reddit
I got emails and then a call from someone at CISA about 6 months ago. Right away my fraud detector went off... but ... everything checked out. I even went to the CISA website directly - called their # - gave them the information on the agent that contacted me and they verified it was legitimate... I was beside myself to be honest because it was just so ... odd.. but they had details on a particular personal laptop we had rolled out for a client... and we checked it out..
rotll@reddit
You told your manager. Your obligation is over. If you didn't do it via email, for the paper trail, do it now, and CC: the manager's manager. CYA is the name of the game.
caffeinated_disaster@reddit (OP)
I sent it via chat and took a screenshot of it cause I'm pretty sure he thinks it's a scam. Bit of context the entire SD team is based in the Philippines so we don't know how these things work, so yeah I'm keeping that screenshot in case this is legit
Forumrider4life@reddit
I’d do both, let legal know but also let them know the local branch might have more info and that it’s time sensitive.
OhFarmboy@reddit
I work for an MSP, and I can confirm that the FBI does call companies directly when an active or potential intrusion is detected by their own teams. Frequently, the only contact information for the companies is details they can glean from the company domains and by extension the company website. So, a random phone call comes through from the FBI. But a call directly to the local field office main number can confirm the authenticity of the caller. Then the fun begins implementing threat response plans.
WithAnAitchDammit@reddit
They’ve called me before, for a similar reason. My bet it’s legit.
Hoovomoondoe@reddit
I think the FBI would have no problem showing up at your place of work in person.
DanHassler0@reddit
Sounds like there's a really good chance it's legit to me.
BeanBagKing@reddit
There is a reasonable chance this was not a scam. The FBI is becoming more active in the cybers. There's two ways to look at this.
1) Not your problem. You aren't responsible for vetting the person and chasing down management and convincing them it's real (if it is).
2) May become your problem. If they are calling you because there's an impending rapid unscheduled encryption event, then it's in your best interest to get ahead of that.
Whether you should go around your boss and go directly to legal depends on your company. At the very least, you should probably get something in writing showing you passed the info along.
Someone on your side should be able to call the local field office, who can tell you if that agent was trying to contact your company. I don't see why they wouldn't give you a badge number, but their contact number is probably good enough, local field office should know if that number actually belongs to him.
2clipchris@reddit
I can’t imagine it being a scam and wanting to contact legal team… I would understand if they were like we want to know the business folks etc
robreddity@reddit
Don't be paranoid. It's just bullshit.
Techad33@reddit
Yes, this is normal. I have been through many CISA seminars and they monitor attacks/intrusions for government and private sector. Their biggest complaint is getting the information to the appropriate people in time for them to stop attacks. They recommend going to cisa.gov and updating your contact info so it gets to the right people
InevitableOk5017@reddit
It’s a scam frigging hang up on these idiots and give them zero information. I mean zero not even a yes or no just hang up. If the fbi wanted to contact you, you would know.
zyeborm@reddit
How exactly would you know? Some guy turns up with a fake badge? Agencies do call and email, happened to me multiple times. They will tell you what the issue is, not ask you for info, and they will have a way of verifying who they are. E.g. I got a call from the local cop shop asking for surveillance camera footage of a crash. Get their name and station. Look up the station number, call back, ask for the officer, job done. Had similar interactions for major drug trafficking cases.
InevitableOk5017@reddit
You funny, they not getting in the door unless it's a raid, then I'm like, here are the passwords don't shoot!!!
Safe_Ad1639@reddit
I've had the FBI reach out to clients before for the same reason. Trust but verify. In my clients case it was legit. I think it had something to do with the Exchange vulnerabilities we had a while ago.
PawnF4@reddit
This has happened with me and I work with the DoD. The fbi monitors internet traffic and absolutely can detect this stuff. That said email them and ensure the email is real and go from there.
badaccount99@reddit
I worked for an ISP back in the day. FBI contact was a regular thing, but legal was always involved.
We were involved in some Sept. 11 searches where the news was never reported about people watching the planes online from SC and seemed to be these Saudi guys who were taking cigarettes across state lines to sell. 20 years later and I might not get in trouble I hope?
Since then I've gotten invited to a bunch of really good security conferences with the FBI, NSA, and a bunch of other groups. They're not bad people and the conferences have been great.
Demonbarrage@reddit
His domain ends in @fbi.gov lol. Literally it doesn't get any more blatant than that. We got contracted by the DHS and it wasn't a scam, they definitely do that.
ohheyitsjason@reddit
I can’t elaborate much but when I saw this I was like ahhh! I can maybe answer this. Some years ago I worked for a defense contractor. Same scenario. It was legit. I’d advise at least making contact. It will be likely vague till you are invited and they will probably show you proof something on your network or something you maintain that is exposed to the internet is being used nefariously or was attacked. Just my 2 cents.
tjp68@reddit
It's possible this is legit. I had a similar call, but from CISA rather than the FBI. The call came through my company's main switchboard. We were suspicious but called to verify. Turns out an undisclosed "close contact" of the CISA agent had notified them of an attempted breach of our network. That call prevented a breach and they were very helpful. Call your local FBI.
donatom3@reddit
I had a client receive an "FBI Scam email" for something similar. They saw credentials while working on a case and linked to a server of theirs. Avanan proved that email came from FBI's servers. Everything checked out. When the customer called back nice agent told them what they were warning them about, never asked for any information just was informing them of what they found.
chapterhouse27@reddit
I've had this happen a handful of times and it's always been legit. Just call your local office and confirm the position and case number.
Gawdsed@reddit
I would just call the fbi hotline and ask to talk to the person that allegedly contacted you. But yeah probably a scam.... Just do some digging. I would carefully pass info to legal in this case... Making sure to tell them you can't verify his identity
Rolex_throwaway@reddit
Honestly, based on what he’s shared, it sounds legit. This sounds like it matches the normal victim notification process.
zSprawl@reddit
I’ve had this happen and it was legit. We called our contact at the FDA (we are in healthcare) who then reached out to the FBI to confirm it was legit. Our system was compromised and part of a much larger investigation.
Special_Luck7537@reddit
I had a similar instance where the FBI agent called me for help with an API that I had written to extract historical data from a SCADA system. I had just had my ass chewed for helping someone without a support contract while another client with support was waiting to talk to me (then screen the calls before they get to me and change my number)... So anyway I tell the guy he needs to talk to my boss to get approval, sorry. Half an hour later, my boss calls me and give the guy the help he needs... Don't you love subjectivity?
Special_Luck7537@reddit
Oh, and he was a repeat customer, and valid.
zSprawl@reddit
As long as he's a customer! haha
ditka@reddit
Same. The FBI contacted us. They scheduled a meeting onsite for a debrief. One of our users had clicked on a watering hole a few weeks prior. The FBI had recently taken control of the watering hole and went through the logs, notifying everyone who might have a bigger issue.
danfirst@reddit
I have as well, they had found some hostnames of our systems as part of an investigation.
-ptero-@reddit
Local PD also has a contact at at least the state FBI office.
betasp@reddit
My experience with the FBI and this topic involved with them showing up, not calling.
vc3ozNzmL7upbSVZ@reddit
Had this happen in a previous life and it was legit.
MaximumGrip@reddit
Microsoft called me and wanted my ip address, so I did the right thing and gave it to him.
Schlitz-Drinker@reddit
Lol I once got a call like that. I think it might have been Homeland security though, not fbi. Turned out to be legit! I guess they somehow detected one of our employees accounts had been compromised.
plethoraofprojects@reddit
A friend had a real call from the FBI regarding a suspected cyber incident. The person basically gave the receptionist his name and told them to look up the closest field office and call their number and ask for him. It was the real deal.
Hrekires@reddit
I used to work for a webhosting company and occasionally we'd have to deal with the FBI... yeah, I'd forward the information on to the legal department, CC your manager for awareness, and let it be their problem to sort out.
Presumably it's not as if you'd do any work or give them any information without the OK from the higherups regardless.
raptorboy@reddit
I've had that happen and was legit
gruntbuggly@reddit
We recently had an FBI agent stroll in the front door of our main office with a similar story. He was a legit, credentialed, FBI agent. Definitely weird, though .
Tduck91@reddit
Years ago I got a call, the guy said "I'm agent so and so from the FBI field office in xxx. Go to our site and find our number, call the field office and ask for me." So I did, they transferred me to him. He said he was calling to let us know access to our ecom site was being sold on the dark web. We already knew about the breach and resolved it, stupid ass 3rd party dev used by the company hosting the site left a configuration file publicly accessible with credentials. The idiots that were supposed to be "fully managing" it claimed "we are not security experts" as their defense. I had all the logs and found the accesses, the file they left open, and the skimmer they tried to place. Someone from our local field office came and collected a copy and chatted. They thanked me for the info, left their contact info and said to reach out if we needed any help.
They also reached out to the hosting company and I'm guessing that wasn't so positive because they called me pissed I gave them their contact info and all the information. Fuck those guys, I hope they went under.
squirrel278@reddit
A small business loan company I did consulting for was called by the secret service to tell them a wire that the company was involved with was intercepted by the secret service. It was legit. The company wouldn’t enable MFA the many times I requested they do. Luckily the secret service was able to get their $300k back.
Needless to say they have MFA everywhere now.
Chineseunicorn@reddit
Congrats! Your organization was breached by the cyber gang called Cl0p
four_hundo@reddit
I know nothing about this…
punkwalrus@reddit
I had a boss who was kind of a psychopath. We hired a guy, and these days, we'd say the guy was definitely on the spectrum. He was a terrible employee because he wasn't motivated, and very awkward. Sales wasn't his thing, but his father was pushing him to have a job. My boss **relentlessly** made fun of him, which just made it worse. And one day, my boss fired him.
The guy's dad, a typical gravy seal, showed up to work, and threatened to beat the shit out of my boss, My boss told him to go to hell, and said he was military trained (he was) and could beat his ass (possible). The guy said he'd come back with a gun. So my boss called the cops, and long story short, the guy had a restraining order placed on him. It became a store joke for a while.
We hired Christmas help, and that year, we got some part time guy who really seemed out of place for retail sales. Really clean-cut, well-groomed, and handsome. Very well spoken. Did amazing sales. We all felt out-classed by this guy, and he and my boss got along really well. We offered him full time work after the season was over, but he declined. "Naw," he said, "I just wanted to work and earn some Christmas fun money. Thanks anyway." Okay. But he left a really good impression.
A few weeks later, he showed up to our store again, and asked if I wanted to go to lunch with him. His treat. Just me. Okay. So while we were eating, he pulled out his wallet, showed me his badge and ID, and said, "I work for the Department of Labor. That's my full time work, and I have a few questions for you regarding your boss." Oh wow, I was put on the spot. We worked with this guy for 2 months, and we didn't even ask what his full time day job was. Turned out he was investigating us because that guy we fired? His dad had connections, and demanded an investigation, and got the DOL involved for all sorts of claims. Well, they were unfounded. The agent couldn't find any evidence of illegal activity. Yes, my boss was kind of an ass, but that's not a DOL issue. This guy was told about Asian slavery and all sorts of ridiculous and illegal goings on that were way off base. He had some questions, but there was really nothing to tell him behind things like "be brags about how he and his buddies tortured cats when he was training at White Sands."
Kind of scary though.
schwarzekatze999@reddit
I worked in a call center once. We had a law enforcement relations group. It's been a long time so my memory is fuzzy but I can't remember if we were allowed to give out the number or if it was an IYKYK situation. That's who I would have referred this guy to, either way. If he was FBI, he'd have that number. If your company doesn't have that, I'd notify your cyber security team. They should call the FBI field office the guy claimed to be from to verify his identity.
BoringLime@reddit
My employer was contacted by the Secret Service by phone. They refused to send anything over email or go into any specifics over the phone. They sent an agent to our business that same day and basically handed us a copy of sensitive information. The information was shared to them from Interpol, which signaled we had been breached. They helped as much as they could, but ultimately once legal and security container was activated, they took over from them. Could be legit, but if they are doing things electronically, I question its legitimacy. Especially if they believe you were breached. Good luck!
turdfurby@reddit
First of all, what would the legal department do for a hacking attempt? I would think they would go straight to the security team if it was legitimate.
Second, if there's risk of compromise, the FBI wouldn't want to correspond over email. They would just show up in person.
My thoughts are they want to social engineer and compromise the legal team. Possibly asking them to open shady looking documents or links which wouldn't be opened otherwise.
Moral of the story, don't give out info or internal contacts to someone over the phone just because they try to frighten you into thinking they are the FBI. Next thing you know you are headed down to Walgreens to get a $500 Google Play gift card.
Positive-Ad-2202@reddit
I would report this to your security manager asap
scottkensai@reddit
100%, CYA. We had the FBI show up, in Canada, to our office. 'Twas excellent and insightful. They had come to explain that as our software was at some American military bases we really shouldn't sell to companyB as they were ... well, interesting.
owl_jesus@reddit
Yes, as a security manager I’ve been contacted by the FBI in a similar manner. Usually way too late….
rootofallworlds@reddit
Let it go - or rather, let your manager do their job.
scottkensai@reddit
I dealt with a database that had every driver in British Columbia. I would get calls from police departments looking for information based on key tags found on keys. No problem, what force do you work for, name, will someone at the front desk know how to get you? Look up the pd phone number and call that. Done.
TrainingDefinition82@reddit
Give the info to your legal team and tell them to reach out to the fbi.gov address you were provided. They send an email, they're gonna reach someone at the FBI. Wouldn't worry too much about a scam.
Sailass@reddit
They will do what they have to do to get a hold of the business. We "recently" had a pair of agents walk in our front door. We also have a pretty large footprint in the area our HQ is in, so it wasn't hard for them.
Bagsen@reddit
OP reported it to their manager with the details they had. What happens from there is not OP's responsibility. No need to be super detective and determine if it is real, that's the manager or their manager's job. Info was passed along, now back to working tickets.
JustifiedSimplicity@reddit
Simple answer, escalate to Legal. Not your judgment call to make. If you have smart folks on your legal team who are well prepared they’ll call their cyber contact at the FBI (or pull in your security team to do the same) and have them sort it out.
reevesjeremy@reddit
“Ok let me email your fbi.gov email with a confirmation code and you reply to my email and confirm the number over the phone. Give me a moment.” Lol 😂 probably not policy to email outbound though. Although if it’s legit that’ll be a pretty easy way to confirm their legitimacy.
TheElhak@reddit
We had this happen once and someone legitimately downloaded a file from a forum that SentinelOne didn't detect. They told us exactly what it was and how to remove it.
Nnyan@reddit
You reported to your manager, why hang on to this?
mlghty@reddit
Seen FBI domain emails for sale a long time ago (10+ years), they were rare and expensive but it was possible, so probably possible now as well.
FloweredWallpaper@reddit
We had an incident at work, and the FBI came directly to see me. No announcement, no emails, just showed up, showed me their badges, and we went to work.
For anyone wondering, it was a financial crime by one of the employees, and federal funds were involved. That was 15 years ago, and I've kept their business cards.
BigBobFro@reddit
If LinkedIn says he works for the FBI, it's a scam. There are 1 million and 1 reasons why agents like that do not make public what they do for work.
four_reeds@reddit
You did your job. Let it go. It's now your boss' problem. Your boss will either pass it up the chain or offer it to corporate legal. In either case it is an issue that now lives above your pay grade.
Go home, chill, come back tomorrow.
frellus@reddit
Call your local FBI field office, or whichever one this person said they are based out of, and ask. You have a right if someone from law enforcement interacts with you to ask for their identification and badge number and where they are based to confirm their identity (and SHOULD).
Common_Dealer_7541@reddit
Went through this recently. There is a group actively using US networks for relay and theft of info. The FBI has a couple of groups that are using traffic patterns to recognize the nodes and reaching out to those being exploited. As they told our customer (we are an outsourced IT service company), the bad actors are not kids operating from their parents’ basements, they are sophisticated high-level black hats and it is not expected that we are supposed to have the manpower, expertise or level of sophistication to outmaneuver them.
Use the FBI. For once, “we are from the government and we are here to help” is the only good news to get, here
unethicalposter@reddit
Could be real dealt with FBI at multiple other jobs before and they will call, and if they don't get through they will show up at you hq. If your company does not have easily accessible numbers for legal or c suite they will find them however it takes. Ask what office they are out of and their name and call an official number to verify.
ncc74656m@reddit
One thing for you to keep in mind is that it is not up to you to make that call on their behalf. You can pass along your suspicions, but even if it is a scam, it's better that they know that someone is attempting to target them.
You definitely did the right thing though, because the correct process here is to take their contact info, not give anything out, and ideally cc your manager, supervisor, or team lead when forwarding it. Let them make the call of whether they think it's legit (unless it's a blatantly obvious scam where they just want you to get gift cards to pay Mikeursoft to removal of the viruses and things).
I've worked for a couple companies where calling a "main number" is basically a dead end, and in return I've had to contact help desks because I was trying to flag a possibly compromised account for them or something. It's a quick path to "the inside," and they almost always know how to run things up the flag pole faster.
macgruff@reddit
Agree with those who said you've already done enough, or the most. The furthest thing to do is to report it to your internal IT Security department. Any mid to large size company worth a damn has an internal e-mail, website, or contact number for a "Security Incident" response page. But, if you told your manager..., OK 👍 you're good. It's on him if it's a problem that it wasn't acted upon, not you. Keep your notes though.
bkrank@reddit
Happened to us. After calling the field office it was legit. We met with them and provided router logs, voluntarily. Apparently we had some customer devices on our network space that were hijacked. After the fact we realized that us and our customers were under investigation just as much as the bad actors.
proudcanadianeh@reddit
Someone should make a post on the subreddit about craziest phone call you received that was actually legit.
My story was Microsoft Game Studios trying to reach out to model an aircraft we made in Flight Simulator transferred to me because Microsoft.
-PANORAMIX-@reddit
I know a case and they showed up no previous communication
FriendlyITGuy@reddit
My last job I had a client with on-prem Exchange that was vulnerable to an exploit (it may or may not have been exploited, I don't remember). They received correspondence from the FBI noting such and the client reached out to us and we confirmed the contact was legit.
jkdjeff@reddit
In situations like this: ask for identifying information (full name, badge number, whatever is appropriate) and what agency or office they work for.
Then you call back to the public number and ask for them. Not any callback number they may have given you.
zyeborm@reddit
Yeah you can ask them how to navigate back to them through the phone tree. But get/(verify at least) the number to call back on yourself. It really shits me when bank fraud departments don't do this and expect you to give pii to verify yourself when you've got no clue who they are.
Nathan_Explosion___@reddit
You hand this off to the team responsible for security, protection from phishing, etc. usually InfoSec, the SOC, etc
Raalf@reddit
I have had exactly 1 visit from the FBI for work issues (child porn by an engineer). It was in person, and it was very unnerving. They show up, never alone, and always in full suit. No sense of humor, very direct, and all business. They already know the outcome and are just informing you of the steps.
accidentalciso@reddit
You reported it to your manager. It’s their problem, now.
myrianthi@reddit
They're hoping you call the phone number they provided and not through the email. It's a scam and you should report it.
KennyNu@reddit
As a federal IT contractor, yes they were legitimate. I often work with the FBI doing risk management and the @fbi.gov is a real government domain. You did your part by doing research, notify your manager then forward to legal and maybe the CEO or VP for their awareness.
XInsomniacX06@reddit
Email the person and ask if you spoke with him earlier. You can’t fake an fbi.gov email address.
ManyInterests@reddit
Eh. It is possible to receive emails with FROM headers that are not legitimate. Normally, these are blocked automatically, but there are occasionally oversights found in mail server implementations that let them in.
Sending an email to an FBI.gov address should always go to the right place, but you might also consider that an attacker could have compromised the email account of an FBI employee. Credentials/access for various .gov accounts can sometimes be bought on the black market.
Best thing to do is just contact the FBI through a channel that isn't one of the channels the caller directed you through.
coyote_den@reddit
A legitimate email from an @fbi.gov address should have a valid digital signature. Just about all .gov and .mil agencies use PKI and sign their emails.
SikhGamer@reddit
Never change /r/sysadmin someone is always wanting to prove themselves.
popeter45@reddit
or DNS is compromised either
its ALWAYS DNS (or BGP)
XInsomniacX06@reddit
Yeah try contacting the fbi should be the first thing. It just doesn’t make sense to use FBI compromise to cold call scam folks.
ManyInterests@reddit
That's true.
muklan@reddit
Pretty sure I could spoof potus.gov if I wanted to. That's...a dangerous statement.
xfilesvault@reddit
It wouldn't pass DMARC/DKIM/SPF.
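What "it wouldn't pass DMARC/DKIM/SPF" looks like on the receiving side, as an added example that is not from this thread or from any of the commenters: the receiving mail server records its SPF, DKIM and DMARC verdicts in an Authentication-Results header, and a defender can read that header back before deciding whether a message really came from the domain it claims. The messages, the authserv-id `mx.example.com`, the selector name and the header values are all constructed for the example; the only thing taken from the thread is the domain being checked. The check also covers the caveat the thread does not spell out: an attacker can inject an Authentication-Results header of their own, so only the header bearing your own server's authserv-id counts (RFC 8601 expects the receiving MTA to strip incoming headers that carry its id, so the topmost such header is the one it added).

```python
import email
import re
from email.utils import parseaddr

# Hypothetical: the authserv-id your own MX writes into Authentication-Results.
TRUSTED_AUTHSERV_ID = "mx.example.com"

# Constructed message: all three checks pass and the DMARC-evaluated domain
# matches the visible From: domain.
SAMPLE_LEGIT = """From: Agent Example <agent.example@fbi.gov>
To: helpdesk@example.com
Subject: Computer network intrusion notification
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=fbi.gov;
 dkim=pass header.d=fbi.gov header.s=selector1;
 dmarc=pass header.from=fbi.gov

Please contact your legal department.
"""

# Constructed message: the sender injected a forged Authentication-Results
# header claiming "pass" under a different authserv-id, while the real MX
# recorded SPF fail, no DKIM signature and DMARC fail.
SAMPLE_SPOOFED = """From: "FBI Cyber Division" <agent@fbi.gov>
To: helpdesk@example.com
Subject: Urgent: network intrusion
Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass header.from=fbi.gov
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bulk-sender.invalid;
 dkim=none;
 dmarc=fail header.from=fbi.gov

Call me back at the number below.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DMARC_DOMAIN_RE = re.compile(r"header\.from=([\w.-]+)")


def authentication_verdict(raw_message: str, expected_domain: str,
                           authserv_id: str = TRUSTED_AUTHSERV_ID) -> dict:
    """Read the receiving MX's SPF/DKIM/DMARC verdicts for a message.

    Returns a dict with the individual results, the domain DMARC evaluated,
    the visible From: domain, and a single 'trust' boolean that is True only
    when every check passed and both domains equal expected_domain.
    """
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    verdict = {
        "from_domain": from_domain,
        "spf": None, "dkim": None, "dmarc": None,
        "dmarc_domain": None,
        "trusted_header_found": False,
        "trust": False,
    }

    # Headers come back in wire order (topmost first); take the first one that
    # carries our own authserv-id and ignore anything the sender could forge.
    for value in msg.get_all("Authentication-Results") or []:
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != authserv_id.lower():
            continue
        verdict["trusted_header_found"] = True
        for m in RESULT_RE.finditer(rest):
            verdict[m.group(1)] = m.group(2).lower()
        m = DMARC_DOMAIN_RE.search(rest)
        if m:
            verdict["dmarc_domain"] = m.group(1).lower()
        break

    expected = expected_domain.lower()
    verdict["trust"] = (
        verdict["trusted_header_found"]
        and verdict["spf"] == "pass"
        and verdict["dkim"] == "pass"
        and verdict["dmarc"] == "pass"
        and from_domain == expected
        and verdict["dmarc_domain"] == expected
    )
    return verdict


if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("spoofed", SAMPLE_SPOOFED)):
        v = authentication_verdict(sample, "fbi.gov")
        print(f"{label}: spf={v['spf']} dkim={v['dkim']} dmarc={v['dmarc']} trust={v['trust']}")
```

Even a message that passes all three checks only proves the mail came through the domain's authorised infrastructure, which is exactly the compromised-mailbox scenario raised further up; the callback through an independently looked-up number is still the verification that matters.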
Hate_Feight@reddit
Yeah, don't give them ideas
Xesyliad@reddit
I’d argue a compromised mail server with a connector/transport rule for fbi.gov to an equally compromised mail server that is authoritative for fbi.gov could very easily be used to trick people into conversing with a threat actor.
PeterJoAl@reddit
Especially if "someone is trying to hack the company's network" - maybe they got as far as the mailserver and now need some social engineering help to get further.
XInsomniacX06@reddit
It’s doubtful someone would exploit their FBI infiltration for a scam cold calling people.
Sure anything’s possible but that would be the smartest idiot ever.
NightMgr@reddit
If I had already compromised your system , I might.
I’d call the FBI from a phone not associated with your business.
dean771@reddit
Bit strange people are suggesting how the OP should determine it's a scam himself, as they are on the service desk. They already forwarded the details to their manager (hopefully in writing).
Useful to know how to follow it up, but they did the right thing handballing this up the chain.
TheDeaconAscended@reddit
Worked at a major MSP and in our early days everyone answered the phones; we were also a hosting company and had others resell our services. Because servers would get compromised and we had a very low bar for who we hosted, we got calls from law enforcement across the country. Our legal team, who was just some guy, told us to give them the legal@ email and the address where they could send a subpoena. They should know where to send any subpoena anyways, but it was to make it seem like we were less dickish.
chrono13@reddit
I've been contacted by the legitimate FBI this way.
As others have mentioned, just make sure you contact them back, in a different band (e.g. @fbi.gov, or by calling that office's number).
networksleuth@reddit
Do your due diligence, but forward the details. Hopefully it is nothing, but it could be a victim notification. Don’t sit on it; what if it was legit? You could get blamed for inaction.
TheMidlander@reddit
Former security incident response here. Vetting this person is the job of your legal team. What happens next is going to depend on your org's workflow, but if it's legit you will eventually get a work order from your legal department for whatever it is they are asking. Your lawyers' job is to vet their credentials and obtain a copy of the court order. They also determine the scope of the court order and what they have to do to comply with it. For example, if a judge ordered that emails between Person A and Person B be turned over for discovery, that's what you're going to do, as opposed to handing over the entire inbox contents of the two, even though that technically fulfills the order.
This is a lot of words to say pass it off to legal, it's their job, do nothing else with this person until legal gives you an official work order, follow it to a T.
patmorgan235@reddit
The FBI, does in fact call people. You (or your management) should call your local field office to try and confirm the legitimacy of the call
DreadStarX@reddit
FBI recently went on a spree of removing malware from devices. They could've been calling about that, and I don't think all FBI employees get badge numbers, just the SAs, but I could be wrong.
Kinda cool though.
FauxReal@reddit
Why wouldn't you call the local FBI field office to verify these claims?
bedtodesktraveller@reddit
We've received emails from agencies in the past. Have contacted the local office to verify and they are able to ensure it's legit, quick and easy process.
largos7289@reddit
Scam.
RustyRoot8@reddit
The FBI won't call you
leexgx@reddit
It can happen (most people won't believe the call though)
unseenspecter@reddit
While I'm not saying it is legit, it definitely could be legit. The FBI does call businesses that have been confirmed as targets of nation-state threat actors. You can confirm identity by calling an official FBI number easily found via Google, provide the agent's name that called you, and they'll verify legitimacy, give you a case number if relevant, and give you the official contact information for that agent's field office, etc.
error_accessing_user@reddit
I was a sysadmin for a major university in the late 90s, and this was precisely how they operated.
I remember getting a call from the San Diego office on a couple of occasions, and they'd explain who they were, and give me a list of IPs that were compromised. They didn't ask me for any information, they just asked me to wipe the machines.
They can't give you information about an ongoing investigation or how they know these things.
You *STILL* need to verify their identity somehow, and I have no doubt that the FBI officer in question would prefer that you did.
MrSanford@reddit
I’ve had CISA call companies like that and it was legit.
it4brown@reddit
Got a clear scam call - FBI isn't stupid, they'd call your company's main or PR line to be routed, not an internal help desk.
Do you forward spam emails? Then no, you should not hand off scam contact details to what is arguably the most phishing prone department in any business.
Your manager should handle this if he's even slightly competent.
nickerbocker79@reddit
I once called a company because our users received a phishing email and the link led to a fake OWA log buried a dozen directories deep on their website. They were like ..uh okay.
6Saint6Cyber6@reddit
You passed it to your manager which is the right move, but yes, the FBI does reach out to companies like this sometimes. They usually have a contact, but you can call the local field office directly to reach the agent. In this case I would leave it alone. If it’s legit it’s possible they won’t tell you, but in case it’s a scam, you didn’t provide any info, just got the contact info and sent it up
dlama@reddit
Scam
Truskey@reddit
Most likely not a scam, that's usually how the FBI makes notification. Also good luck spoofing FBI.gov email.
NabrenX@reddit
Spoofing e-mail is easy. Legitimately spoofing e-mail and getting past e-mail validation that should exist in any enterprise would be a lot harder. However, if it were a scam (I don't think in this case it was), they would only be looking for victims without that kind of protection anyway.
bojack1437@reddit
Likely but not impossible.
Borsaid@reddit
I'm currently in the car, but this very well could be legit as we've had this happen while having the same scepticism as you. I'm driving now, but would be happy to share details of our experience if you message direct
Note: intrusions like this are incredibly common preceding a holiday weekend.
xXNorthXx@reddit
Look up the callback number; if it’s affiliated with an FBI field office it’s probably legit. If you can’t, look up the office where the agent is supposedly stationed and try calling their main number to confirm.
lukeh990@reddit
I once went to a cyber security conference at a nearby university and they had an FBI agent come give a keynote. He went on a bit of an anecdote about how for one case he had to go around and call up companies to give breach notifications and how people would rightly not believe him. On its face it’s not impossible but you can always verify by calling back or emailing.
wamred@reddit
I believe you can contact the FBI directly to make sure it is legit. If it is not they may even want details.
hihcadore@reddit
FBI will call you post breach. The Seattle field office called us when we got ransomwared and our info was on the dark web.
Just call the field office and ask to be transferred to the person who called.
mcmatt93117@reddit
Sysadmin for local county government. There's county IT, which is responsible for much of the county, but a lot of different sections are almost their own smaller organization and are separate, relying on county largely just for things like M365 licensing and such.
Had Dept of Homeland Security call the main county helpdesk number last year and ask to be transferred to the CISO. Not sure how they verified, but they did transfer/get a hold of the county CISO to get back to him - completely forget at this point. Had information about a planned attack. They have people at county with security clearance, so they were able to get a report directly from Homeland Security (who actually came in to brief them).
They then passed the information along to us (what they were allowed to). Was 100% legit. Was Dept of Homeland Security, intel was spot on. Had already spotted it and stopped it, but they weren't very far behind; I was actually incredibly impressed. Once we'd shut it down, we actually had already reached out to the FBI (part of the county plan we followed for these types of incidents) before getting the report from Homeland. First time I got to ever call the FBI. Very hard not to ask to be assigned Agent Dana Scully.
After it was all said and done, ended up resulting in a couple of calls between all IT in the county, a cybercrime person from the FBI and a few homeland people going over it.
So...not sure the FBI reaches out, but if they're like dept of homeland security, they definitely do.
virtikle_two@reddit
Lame scam, I wouldn't have given them the time of day. They won't call the helpdesk lol, they'll show up in person or get ahold of leadership directly.
crccci@reddit
This is how it happens y'all...
Truskey@reddit
Not true at all. They usually look up the organization associated with IP and/or Domain and then call public facing phone numbers. They will then arrange time to go on site or deliver the information to an out of band email.
RCG73@reddit
They sometimes call the info registered on the domain name. Source: had it happen. They were calling over a cnc server on a former client who had never changed the domain contact info after non payment and contract terminated
Helpjuice@reddit
You do know you can validate the legitimacy of the issue by just emailing back to the @fbi.gov email address, right?
Also note not everyone that would contact you has a badge (e.g., some contractors). Always trust, but validate issues like this. Using LinkedIn will not be of much help, as not all that work with the FBI are publicly listed, and the people that do contact you will not always be special agents.
You can also reach out to your local field office about the issue. Someone there can look it up, or you can call the main HQ for the FBI to validate, but field offices local to you would be better since everyone does not have full access to everything which is standard across government agencies and sometimes done internally for security reasons. - https://www.fbi.gov/contact-us/field-offices/@@castle.cms.querylisting/6bd7cedb14f545e3a984775195ea3d30
Also what department did they say they were from? - https://www.fbi.gov/investigate/cyber
xctrack07@reddit
We had this happen to us except they were following up on a hack that had happened a few months earlier. I thought it was a scam too at first but it turned out to be legit.
willwork4pii@reddit
I don’t know if your case is legit but we’ve had the FBI and DHS show up. Also the Canadian government.
They do outreach if warranted.
CesarioRose@reddit
I've worked call center IT service desk for a large east coast university. I can't say I've ever gotten a call from someone claiming to be from the FBI or from LE in general. My 2 cents is document the call, cover your butt, and report it to the chain. It may or may not be your job responsibility to verify the facts. Let your manager verify the facts, let your in-house counsel handle it.
With that being said, there is a strong strong argument to be made that any LE agency, especially the FBI, would have a documented process to get in touch with the right people and bypass the 1st tier call center IT. But you never know, it may be a rookie agent or some other thing.
HoggleSnarf@reddit
Is there anything similar to this for the FBI? I'm not in the US, but when I was in the UK and had similar calls from NCSC, they have this identity validation service on their website to confirm that you're speaking with an actual representative. I'd assume an organisation as big as the FBI has something similar.
https://www.ncsc.gov.uk/section/about-this-website/verify-ncsc-contact
mystateofconfusion@reddit
Has happened to me a couple of times. Worked for a company in support that sold storage and they wanted to know how to get into a NAS. We resold them and had no special access so gave the vendors contact info. You let your manager know, you're good.
notta_3d@reddit
How is that any different than an email? You never respond. You call them yourself.
wraith8015@reddit
Much like love, sometimes you have to let these things go. If it's real, it will come back to you.
MountainDadwBeard@reddit
You can verify him by emailing the .gov address he gave you. FBI does victim notifications based on malicious command and control servers they encounter.
He most likely called you because they get the IP addresses but not the full victim name.
At a minimum you should be checking your logs for IOCs, especially the admin accounts or users with unauthorized admin rights.
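How a first pass over the logs for the IOCs and admin activity mentioned above might look, as an added example that is not from the thread or from the commenter: it matches constructed firewall, proxy and logon lines against a constructed indicator list, flags privileged logons by accounts outside an allow-list, and then correlates the two so that an unexpected admin logon from a host that also talked to a listed C2 address stands out. The IOC addresses (TEST-NET ranges), the `.invalid` domain, the log format, the `AUTHORIZED_ADMINS` allow-list and the privilege names used as an "admin" marker are all assumptions made for the example; a real notification would carry its own indicators and real logs would need their own parser.

```python
import re

# Constructed IOC set of the kind a victim notification carries. TEST-NET
# addresses and a reserved .invalid name: placeholders, not real indicators.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"update-check.invalid"}

# Hypothetical allow-list of accounts expected to hold admin privileges.
AUTHORIZED_ADMINS = {"alice.admin", "svc-backup"}

# Privileges treated as "admin-level" for this example (assumption).
ADMIN_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeTakeOwnershipPrivilege"}

# Constructed sample logs, one event per line: timestamp, source, key=value fields.
SAMPLE_LOGS = """\
2025-01-18T02:14:03Z fw src=10.0.5.12 dst=203.0.113.45 dport=443 action=allow
2025-01-18T02:14:09Z proxy client=10.0.5.12 host=update-check.invalid method=POST status=200
2025-01-18T02:15:41Z auth user=bob.smith logon=success privileges=SeDebugPrivilege,SeBackupPrivilege src=10.0.5.12
2025-01-18T02:20:00Z auth user=alice.admin logon=success privileges=SeDebugPrivilege src=10.0.1.2
2025-01-18T03:00:00Z fw src=10.0.7.3 dst=192.0.2.10 dport=443 action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Split 'ts source k=v k=v ...' into (ts, source, {k: v})."""
    ts, source, rest = line.split(" ", 2)
    return ts, source, dict(KV_RE.findall(rest))


def scan_logs(text: str, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS,
              authorized=AUTHORIZED_ADMINS) -> list:
    """Return one finding per IOC hit or unauthorized privileged logon.

    Each finding records the line number, timestamp, a reason tag, the matched
    value and the internal host the event is attributed to.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ts, source, f = parse_line(line)
        internal_host = f.get("src") or f.get("client")

        # Network IOCs: any address field that appears in the indicator list.
        for key in ("src", "dst", "client"):
            if f.get(key) in ioc_ips:
                findings.append({"line": n, "ts": ts, "reason": "ioc-ip",
                                 "value": f[key], "host": internal_host})
        if f.get("host") in ioc_domains:
            findings.append({"line": n, "ts": ts, "reason": "ioc-domain",
                             "value": f["host"], "host": internal_host})

        # Privileged logon by an account that is not on the allow-list.
        if source == "auth":
            privs = set(f.get("privileges", "").split(",")) - {""}
            if privs & ADMIN_PRIVS and f.get("user") not in authorized:
                findings.append({"line": n, "ts": ts, "reason": "unauthorized-admin",
                                 "value": f["user"], "host": f.get("src")})
    return findings


def correlate(findings: list) -> list:
    """Pair unauthorized admin logons with hosts that also hit a network IOC."""
    ioc_hosts = {x["host"] for x in findings if x["reason"] in ("ioc-ip", "ioc-domain")}
    return sorted({(x["value"], x["host"]) for x in findings
                   if x["reason"] == "unauthorized-admin" and x["host"] in ioc_hosts})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for x in found:
        print(f"line {x['line']} {x['ts']} {x['reason']}: {x['value']} (host {x['host']})")
    for user, host in correlate(found):
        print(f"PRIORITY: {user} obtained admin privileges on {host}, which contacted a listed indicator")
```

The correlation step is the part worth keeping: a single IOC hit is a lead, but an unexpected privileged logon on the same host that contacted the listed address is what turns the notification into something to hand to incident response immediately.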
notherbielove@reddit
Send all the details that you can! ALL OF THEM!!!
ordinatoous@reddit
You should send a mail with a subject test_18_01_2025 and content test_18_01_2025. If it's easy to create a profile on LinkedIn, it's not so easy to create a mailbox on fbi[.]gov