# Why am I getting fake law enforcement emails?

> Fake law enforcement emails are a phishing scam: a July 2026 campaign impersonates Interpol to push ransomware at small businesses. How to spot and stop them.

A fake law enforcement email is a phishing message that impersonates a police or investigative agency to pressure you into opening a malicious attachment or link. If you received one claiming your company is under investigation, it is almost certainly a scam — real agencies do not open investigations by emailing an unsolicited "evidence" file and asking you to review it. A July 2026 campaign is doing exactly this at scale, impersonating Interpol to deliver ransomware to small businesses.

## Quick Takeaways

- Genuine law enforcement agencies do not send unsolicited emails with "evidence" files or links to cloud-hosted archives you must open.
- A campaign detailed by Bitdefender's Antispam Lab in July 2026 impersonates Interpol's "Cybercrime Investigation Unit" to spread ransomware.
- The lure directs victims to a Proton Drive-hosted archive that hides an executable disguised as a video file; opening it installs ransomware.
- Targets are small businesses across the US, Europe, Asia, and the Middle East, in sectors from legal and media to pharmaceuticals and agriculture.
- These emails work by fear and authority, not by breaking your defenses — the malicious payload only runs after you open it.
- [DMARC](/tools/dmarc) stops attackers from spoofing *your* domain, but cannot stop a scam sent from a domain the attacker controls — user awareness closes that gap.

## What is the fake Interpol email campaign?

In early July 2026, [Bitdefender's Antispam Lab reported](https://www.bitdefender.com/en-us/blog/hotforsecurity/fake-interpol-emails-serve-ransomware) a phishing campaign that impersonates law enforcement to distribute ransomware. The emails claim to come from a "Cybercrime Investigation Unit" at Interpol and tell the recipient their company is tied to suspicious activity under investigation.

The message pressures the reader to review the supposed evidence. Instead of an attachment that would be easy to scan, the email points to a file hosted on Proton Drive — a legitimate cloud service the attackers abuse to sidestep link-reputation checks. The downloaded archive appears to hold a video documenting the "investigation," but the file inside is an executable disguised as a video. Running it installs ransomware on the victim's machine.

According to Bitdefender, the campaign has hit small businesses across the United States, Europe, Asia, and the Middle East, spanning sectors including legal services, media, technology, pharmaceuticals, food, and agriculture. Notably, there is no fixed ransom note: victims are told to make contact through a Tox chat channel, and the attackers negotiate a ransom sized to the organization once someone reaches out.

## Why am I getting these emails?

You are getting them because your address landed on a target list, not because anything is actually wrong with your company. This is a mass [phishing](/learning/what-is-phishing) campaign — attackers send the same authority-themed lure to thousands of small businesses and wait for a fraction to panic and open the file.

The impersonation of a law enforcement body is deliberate. A message that appears to come from Interpol or "the police" triggers fear and urgency, which is precisely what social-engineering attacks rely on to short-circuit careful judgment. It is the same psychology behind [business email compromise](/learning/how-does-business-email-compromise-bec-threaten-your-business) and other [impersonation attacks](/learning/what-is-an-impersonation-attack-and-how-can-you-stop-it): borrow a trusted authority, add a deadline or a threat, and many recipients act before they verify.

Small businesses are chosen on purpose. They handle sensitive data and money but rarely have a dedicated security team to sanity-check an alarming email, which makes them a higher-yield target than large enterprises with mature filtering and incident response.

## How can you tell a law enforcement email is fake?

Treat any unsolicited "investigation" or "evidence" email as a scam until proven otherwise. Concrete red flags in this campaign and others like it:

- **It asks you to open a file or link to see "evidence."** Real investigators do not distribute case evidence to a suspect by email. A link to a cloud-hosted archive (Proton Drive, a file locker, a shared drive) is a strong tell.
- **It uses authority plus urgency.** References to a named unit ("Cybercrime Investigation Unit"), a case number, or a threat of legal consequences are designed to make you act fast.
- **The attachment is not what it claims.** An archive that "contains a video" but unpacks to an `.exe`, `.scr`, or other executable is malware. Genuine video files do not need to be run.
- **The contact channel is off.** Being told to negotiate or respond through an anonymous chat tool such as Tox is not how any legitimate agency operates.
- **The sending domain does not match the agency.** Check the actual From address and domain, not just the display name. If it fails authentication or comes from a lookalike domain, distrust it. Our guide on [spotting fake emails](/learning/how-can-you-spot-fake-emails-and-protect-yourself-from-scams) walks through how to read headers.

When in doubt, do not reply and do not open anything. Contact the agency through its official website, never through the details in the email.

## Can DMARC and email authentication stop these emails?

Partly — and it is important to be precise about what authentication does and does not do. [DMARC](/tools/dmarc), together with SPF and DKIM, stops attackers from sending mail that appears to come *from a domain you own and protect*. If the criminals tried to impersonate your own company's domain to reach your staff, an enforced DMARC policy (`p=quarantine` or `p=reject`) would tell receiving servers to refuse or sideline those messages.

What authentication cannot do is block a message the attacker sends from a domain *they* control or from a lookalike domain they registered. Impersonating "Interpol" does not require spoofing your domain — the attacker just needs a plausible-looking sender and a scary subject line. That is why authentication is necessary but not sufficient: it protects your brand from being the vehicle, while user awareness and endpoint controls catch what arrives from elsewhere.

Two things still help materially. First, get your own domain to DMARC enforcement so attackers cannot turn *your* brand into the next lure — a real risk given the same criminals impersonate trusted organizations. Second, monitor for [lookalike domains](/learning/how-can-i-take-down-lookalike-domains) that mimic your company, since [email spoofing and cousin-domain](/learning/what-is-email-spoofing-and-how-can-you-prevent-it) tricks are how impersonation campaigns often reach a target's customers.

## What should you do if you receive or opened one?

If you only received the email: do not open the attachment or click the link, report it to your IT or security contact, and delete it. Reporting matters — one flagged sample warns everyone else on your team.

If someone already opened the file: treat it as a live incident. Disconnect the affected machine from the network to limit ransomware spread, preserve the message and file for investigation, reset credentials that may have been exposed, and engage your incident-response process or provider. Do not pay or negotiate through the attacker's chat channel; contact real law enforcement through official channels instead.

For MSPs and IT teams, Palisade automates the email-authentication layer — getting client domains to DMARC enforcement and keeping them there — so your own brand cannot be weaponized in campaigns like this while you focus attention on the user-training and endpoint defenses that stop what authentication cannot. A free [Email Security Score](/tools/email-security-score) shows which client domains are still spoofable today.

## Frequently asked questions

**Is Interpol actually emailing me?** No. Interpol and national police forces do not open investigations by emailing a company an unsolicited evidence file and asking it to review the contents. Any such email is a scam.

**Why does the link go to Proton Drive or another real service?** Attackers host the payload on a legitimate cloud service so the link passes basic reputation checks. The service being real does not make the file safe.

**The attachment looks like a video — is it safe to open?** No. In this campaign the "video" is an executable in disguise. Opening it installs ransomware. Legitimate videos never need to be run as a program.

**Will my spam filter always catch these?** Not reliably. The lures are sent from domains the attacker controls and abuse trusted file-hosting, so they can slip past filters. Human skepticism is the backstop.

**Does having DMARC mean I am protected from this?** DMARC stops attackers from spoofing your own domain, which protects your brand and customers. It does not stop a scam email sent to you from a domain the attacker owns — that takes awareness and endpoint controls.

## Related reading

- [How can you spot fake emails and protect yourself from scams?](/learning/how-can-you-spot-fake-emails-and-protect-yourself-from-scams)
- [What is an impersonation attack and how can you stop it?](/learning/what-is-an-impersonation-attack-and-how-can-you-stop-it)
- [How does business email compromise (BEC) threaten your business?](/learning/how-does-business-email-compromise-bec-threaten-your-business)
