Threats, Cybercrime

Social engineering, Part 1: No school like old school: Crushing your pretext calling risks

Getting all the dirt on someone used to be easy for any savvy investigator. Using a pretext call to obtain a subject's cell phone records or bank account debit card / credit card transactions provided compelling background data for divorces, established “whodunit” in corporate counter-intelligence and helped me sort out SODDI stories when it mattered in high-end fraud and burglary cases.

Pretexting = Sun Tzu mindset = Lying with style

At the time I was living off of case referrals such as burglaries and runaway recovery. Cases the older retired guys were gracious enough to send my way because they didn't want to run down teenage suspects.

In the mid ‘90s one of my license requirements demanded continuing education. The legendary white collar crime investigator named “Fast Eddie” Pankau not only fulfilled my state requirement but provided a young mind with many ‘theoretical' pretexting methods. Jackpot!

Sun Tzu's Art of War principle applied: all warfare is based on deception. Obtaining a complete grasp of my subject's social network meant a lot less foot chases and the element of surprise reduced my chances of getting hit with baseball bats – yes, plural.

This was years before the FTC started cracking skulls in a different way. Pretexting is one way I kept my success ratio high, my rates low and my work-related ‘sports injuries' minimized. I used pretexts like kids use sugar on cereal. I finessed utility workers and charmed hotel concierges to locate grifters and served subpoenas.

All good things must end. Gramm-Leach-Bliley (GLBA) put real teeth into privacy and provided everyone with Federal pretexting protection, reinforcing the 1998 FTC rulings which most investigators barely noticed.

From the OCC's National Banks Advisory letter 2001-4:           

“Pretext calling is a fraudulent means of obtaining an individual's personal information. Pretext callers may contact financial institution employees, posing as their customers, in order to access customers' personal account information. Information obtained from pretext calling may be sold to debt collection services, attorneys, and private investigators for use in court proceedings. Identity thieves may also engage in pretext calling to obtain personal information for use in creating fraudulent accounts.”

Ouch. ‘Fraudulent' seems so nasty. After the GLBA was passed I bid adieu to phone records faxed in from a sweet sounding Southern Belle who would purr her way into the hearts and minds of many a telco or bank official's confidence for a flat rate $250, leaving me free for field work until a beep on my cell signaled an incoming line.

GLBA is one reason investigators really don't like identity thieves – white collar crimes eventually changed the game for honest investigators to successfully background a suspect in the private sector. It is three times harder to sweat someone when you don't have a wicked stack of paper records to wave at the guy or girl in the hot seat.

(end part one)

prestitial ad