cross-posted from: https://midwest.social/post/6303502
The FBI investigated a man who allegedly posed as a police officer in emails and phone calls to trick Verizon to hand over phone data belonging to a specific person
Despite the relatively unconvincing cover story concocted by the suspect … Verizon handed over the victim’s data to the alleged stalker, including their address and phone logs. The stalker then went on to threaten the victim and ended up driving to where he believed the victim lived while armed with a knife
Version Security Assistance Team–Court Order Compliance Team (or VSAT CCT) received an email from steven1966c@proton.me.“Here is the pdf file for search warrant,” Glauner, allegedly pretending to be a police detective, wrote in the email. “We are in need if the this [sic] cell phone data as soon as possible to locate and apprehend this suspect. We also need the full name of this Verizon subscriber and the new phone number that has been assigned to her. Thank you.”
Verizon is not the only telecom that has failed to properly verify requests like this. In a somewhat similar case, I spoke to a victim who was stalked after someone posing as a U.S. Marshal tricked T-Mobile into handing over her phone’s location data.
Yes, of course I will trust a police officer contacting me through their official domain (.gov or otherwise) of … @proton.me
Not sure if this is just a failure of judgement, common sense, or training; or all three.
I’d like to say some kind of .gov should be required if person is claiming to be a government officer of some kind, but many cities use .org, and some police departments may have a separate domain from the city, but… it’s a freaking @proton.me domain.
I deal with doctors offices all the time, and I always give a little extra scrutiny to any professional that is using a gmail, hotmail, yahoo, aol, proton mail, etc. email address. It doesn’t make things official, but it does seem shady if you don’t put in the small amount money/effort to use a custom domain.