The Dangers of Pretexting

"Phishing" may sound like a strange variation of an outdoor sport, and in many ways the goal is the same: just as a fisherman hooks a fish with a lure and reels it in, a person engaged in phishing attempts to "hook" you into giving up important personal information and reels in another victim of identity theft. This is accomplished through a variety of websites and emails that, for all intents and purposes, looks like it came from the company it purports to have originated. The only problem is, it didn't come from any company at all, but a thief trying to trick you into typing your social security number or financial information for their keylogging program to steal. The most insidious part of phishing is that it doesn't even require a skilled hacker, just someone with a phishing program. Thankfully, when the Internet security community discovered how prevalent the scheme was becoming, a number of methods and techniques to counter the scam were created. However, this has given rise to the next generation of phishing schemes, and not all of them are illegal. In fact, many businesses are hiring people to collect information, all under the claim of protecting the company's interests. This new breed of phishing has a more subtle name: it's called pretexting.

Like phishing, pretexting uses false circumstances to attain personal financial and identifying information. But a pretexter goes further than a phisher, selling it to other thieves who will use the information for a variety of things, ranging from simple bank account theft to getting a credit card in your name, even gathering information with which to sue you. Everything from your checking account to your unlisted phone number is at risk when you're contacted by a pretexter.

A pretexter has a variety of ways to contact you and snatch the information they're after. These days the usual scheme is to call you pretending to be from a survey company (or a lottery winnings committee) and ask you some personal information. Since you believe the information won't be used improperly you go ahead and give them the answers they're seeking. After the phone call, the thief will then contact your bank pretending to be you, telling them "you" lost your card or checkbook and need your account information. While some banks try to prevent this, many of them just don't have the resources to handle such matters. Even worse, the astonishing simplicity of a pretexting scam means there are more thieves popping up every day than the banking industry can keep track of. This means you need to be aware of this scam anytime someone you don't know calls you, so you can head the criminal off at the pass before your bank ever has to deal with them. Unfortunately, because we are still largely a trusting society there will always be those out there willing to take advantage of that. As a result, pretexting is a major contributing factor to bank fraud, identity theft and credit fraud.

Pretexting isn't limited to use by thieves; ironically, your personal information can also be stolen for legitimate purposes. Private investigators (and other dubiously authorized individuals) will take your information and sell it to their clients, such as banks, businesses to which you owe money, and insurance companies. Corporations will frequently use an investigator's pretexting services to gather information they can't find elsewhere. One of the most famous examples recently was within the boardroom of computer giant Hewlett Packard itself: the executives hired legal pretexters to uncover a leak inside the company. These individuals gained access to the phone records of suspected employees. The result was the act of pretexting being thrust into the media spotlight and Hewlett Packard backing sharply away from the practice, stating that advice from outside the company had assured them pretexting was legal.

Even before this incident, the question of pretexting has been raised in the news. Who can forget the candidate running for President whose phone records were exploited by a pretexter to change the political climate? How many more lives will be adversely affected by a practice that walks the thin line between legitimate information retrieval and outright theft?

While corporations defend their usage of pretexting, the fact remains there's little difference when a legally authorized investigator engages in the practice than when a shadowy criminal steals your information. The FTC agrees, and labels pretexting the "practice of getting your personal information under false pretenses". They firmly state that pretexters "sell your information to people" who will then use that information to establish credit falsely, steal money from your bank account, or sue you. Hewlett Packard has been investigated by the state of California, which has taken a special interest in corporate-based pretexting cases.

Whether from a thief or a corporation, it can be assumed pretexting won't be going anywhere anytime soon. As long as the opportunity to steal desired, secret information is present, the practice will tantalize those who would use it; even moreso when it's considered legal. The only ways to combat this practice are to be careful what kind of information you give out over the phone, and bring attention to the "legal" form of pretexting to your local government and media; with enough exposure we may be able to outlaw any form of pretexting, period.