The answer is pretexting, the practice of contacting a corporation or service provider while pretending to be a customer in order to obtain that customer's personal information.
"[In most cases] it's not illegal. It's certainly unethical, and it happens all the time," says John Oltsik, Enterprise Strategy Group analyst.
Marcus Sachs, deputy director of the Computer Science Laboratory at SRI International, says a victim's prominent position at a company could inadvertently be an aid to attackers. "We've seen this same technique used by an attacker wanting to gain access to a victim's computer account by calling a help desk and impersonating a senior executive needing to have a password reset," he says.
The procedure gained a measure of prominence recently when Newsweek reported that Hewlett-Packard chairwoman Patricia Dunn had a team of electronic security experts spy on a board member who had leaked details of the company's long-term strategy to a publication.
In most illegal cases, a pretexter calls a company, pretends to be a customer asking for more information and then sells the newly obtained personal details.
Because the practice is so common — and used by law enforcement officials and investigators in many cases — employees or consumers have no real defense against malicious pretexting, according to Oltsik.
"The only thing that businesses can do is to ask for two forms of authentication, because if they ask you for your mother's maiden name or where you were born, they're relatively easy to break," he says. "Until people start asking you for strong authentication, there's really nothing you can do."
Paul Kurtz, executive director of the Cyber Security Industry Alliance, says there is legislation in the works on both the state and federal levels. "There is a bill passed within both houses in California that is now ready for the governor's signature. It basically outlaws the buying and selling of information gained through pretexting," he says.
— Frank Washkuch Jr.