Understanding pretexting and six recommendations to protect yourself from pretexters: Internet ScamBusters #197
Today we'll answer the question: What's New With Identity Theft? We'll focus on pretexting, and also include some info on a new identity theft standards group.
Let's get going with today's info on identity theft and pretexting...
What's New With Identity Theft? Pretexting.
Imagine getting a phone call from someone from a reputable sounding research firm asking you to participate in a survey. The questions they ask seem harmless, including the name of your phone company, investment firm, and even your pet's name.
In reality, you may have just been a victim of pretexting.
Pretexting is the practice of getting your personal information, such as your Social Security number (SSN), telephone records, bank or credit card numbers, or any other information, under false pretenses. In other words, a pretexter pretends they are someone else to obtain your personal information.
Pretexters use many different tactics to get your personal information. One of the most common forms of pretexting is when someone claims they are from a survey firm, and they ask you a few questions, as in the example above.
Pretexters claim to be representatives from many different types of organizations -- not just survey firms. For example, pretexters may also claim to represent banks, government agencies, local law enforcement agencies, Internet Service Provides (ISPs), and many others.
The pretexter's goal is to obtain personal information about you, such as your SSN, your bank or credit card account numbers, mother's maiden name, information contained in your credit report, or the existence and size of your savings and investment portfolios.
After getting your answers, the pretexter may call your financial institution pretending to be you or someone with authorized access to your account. The pretexter may, for example, claim that he's forgotten his checkbook and needs information about his account.
The concept of pretexting has become much more widely known in the past couple of weeks in conjunction with the boardroom scandal at Hewlett-Packard. HP has admitted that it hired a private investigator who was able to get phone records of HP board members by using a contractor who pretended to be the board members to obtain the detailed phone logs.
It has been widely reported that the contractor also used pretexting to get the phone records of nine reporters.
Pretexters often sell the data they've collected to "data brokers," who may sell it to private investigators, or to scammers who want to commit identity theft.
Often, once they know which bank or brokerage firm you use along with your SSN, they can often access your account just by figuring out your password -- which unfortunately is often the victim's pet or child's name.
The concept of pretexting is certainly not new. For example, in 1992, ComputerWorld magazine reported that scammers used pretexting to obtain individual data from the Social Security Administration by calling when the computers were down.
Pretexters are using increasingly sophisticated methods, including using electronic devices that show false phone numbers on caller ID systems, and paying companies to make calls for them to disguise the true origin of the pretexting call.
In fact, scammers today also use pretexting to get info from call centers at banks, phone companies, and other financial institutions to gain access to personal sensitive info.
You might be wondering: isn't pretexting illegal? There is a law in the US, the Gramm-Leach-Bliley Act. According to the Federal Trade Commission, this act makes it illegal for anyone to:
- "use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
- "use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
- "ask another person to get someone else's customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents."
In addition, the Federal Trade Commission Act also basically prohibits pretexting for sensitive consumer information.
Unfortunately though, the boundaries of these laws are ambiguous. Although the Gramm-Leach-Bliley Act is limited to financial data, it's unclear whether it also applies to pretexters who obtain non-financial data. Further, some pretexters claim that if the info isn't used illegally, then the law does not apply.
Although there may be legal questions, there is no dispute about how easy it is to obtain sensitive personal financial and non-financial information.
How is pretexting related to identity theft? Pretexters can either use the information themselves or sell your info to scammers who then open new accounts, order products, borrow money, etc. For example, they may open new bank accounts, order a new cell phone, obtain a new credit card, or get a loan in your name.
Six Recommendations to Protect Yourself from Pretexting
- Don't give out your personal information on the phone, via email or snail mail unless you've initiated the contact or unless you're sure it's safe. Pretexters are especially interested in information such as your SSN, mother's maiden name, pet or child's name, bank, brokerage and credit card account numbers, and phone company.
- Never use your pet's name (or children's name) as a password.
- Ask your financial companies about their policies for preventing pretexting.
- Be VERY careful if you answer surveys -- and certainly don't give out any personal information to anyone who calls on the phone or asks via email. If you do answer survey questions, use common sense and don't give out any information that could be sold or used by pretexters.
- Tell your family and friends about the dangers of pretexting. You may want to share this ScamBusters issue on pretexting with them.
- Finally, follow all the other advice we've shared with you on identity theft. You can find out more about identity theft here.
What's New With Identity Theft? New Standards.
Last week, the American National Standards Institute, along with AT&T, the Better Business Bureau, Citi, ChoicePoint, Dell, Intersections Inc., Microsoft, Staples Inc., TransUnion and Visa U.S.A. teamed up to create the Identity Theft Prevention and Identity Management Standards Panel (IDSP).
The IDSP is a resource where organizations can get standards and guidelines to help them prevent and respond to identity theft.
The IDSP has two main functions:
1) "it will endeavor to identify and catalogue in one place any existing, broadly-applicable identity theft and fraud prevention standards and guidelines;" and
2) "it will identify areas where updated or new standards are needed."
It is certainly a step forward that this kind of resource has been created. The downside is that they estimate it will take 12 to 18 months to have their own set of requirements and best practices available. For more info, visit ANSI.
That's all for today -- we'll see you next week.