In each case, Marre told the companies that he was an investigator for the State of Colorado who urgently needed the data to locate a suicidal individual. He set up a website with a dot-us domain to back up his claims, and he sometimes faxed legitimate-looking documents to the targeted companies. Marre succeeded in obtaining location data from the mobile providers at least sixteen times.
The hoaxes were discovered after a Verizon employee grew suspicious following Marre’s fifth request for data. The employee called Marre’s contact number, and the person who picked up the phone said they weren’t associated with a law enforcement agency. Verizon got the FBI involved, and Marre was charged with eight counts of fraud in April.
The Daily Beast says the case shows how easy it can be to obtain sensitive data through social engineering alone. Marre didn’t use any technical hacking skills to illegally gain access to private information. It’s also worth noting that he was outed as a fraud after a single employee took an extra step to verify the caller’s identity.
New-school security awareness training can enable your employees to be constantly wary of potential scams, so they’ll instinctively work to establish the legitimacy of a claim before taking action.
The Daily Beast has the story: https://www.thedailybeast.com/feds-say-bounty-hunter-matthew-marre-used-suicide-hoax-to-con-verizon-t-mobile-out-of-customer-data