The recent spying scandal at Hewlett-Packard garnered plenty of headlines — with good reason. The episode, essentially a clandestine operation intended to plug press leaks, harkened back to the tactics of the Nixon Administration and its infamous Plumbers unit.
Despite the dubious morality and legality of HP’s spying operation, some observers suggested that the company’s covert activities might not be all that unusual. Maybe. But companies are far more likely to be victims of pretexting than they are to be perpetrators. The unsettling lesson from the HP affair is that its operatives had very little difficulty extracting sensitive information about the company’s directors and officers. Says Joel Gross, principal of security firm Risk Strategies International: “No matter what you do, someone is going to get pretexted in an organization.”
Pretexting, the art formerly known as social engineering, involves gathering an individual’s personal information under false pretenses. A favorite method of black-hat hackers for pilfering personally identifiable data, pretexting can take several forms. In HP’s case, private investigators pretended to be the very people they wanted to get information about. In other instances, pretexters claim to be company managers in order to get valuable information about employees.
Sometimes, pretexters pose as low-level employees like maintenance workers or repairmen. Jay Foley, executive director of the not-for-profit Identity Theft Resource Center, says companies spend considerable cash on sophisticated monitoring software and security devices but ignore obvious weak spots. “They forget that cleaning people come in and carry all that hard paper out the door,” he says. “It’s the simple things that sneak up and beat you.”
Pretenders’ Greatest Hits
And companies get beaten a lot. According to the “2006 Computer Security Institute/FBI Computer Crime and Security Survey,” unauthorized access to information was the fourth most common attack that organizations experienced last year (viruses, laptop/mobile-device theft, and insider abuse of Internet access topped the list). Nearly a third of the survey respondents said they had experienced a breach of information in the past 12 months.
Stopping pretexters isn’t easy. Executives who pay personal or business bills online can be fooled into visiting bogus Web sites. What’s more, corporate health insurers and financial-service providers often use Social Security numbers as de facto ID numbers. Armed with somebody else’s SSN, a pretexter generally has little difficulty obtaining additional private information on that person.
But as in the HP case, phones or phone records offer the easiest access to personal data, and any effort to protect such data should begin there. For starters, managers might consider the advantages of prepaid cell phones. Since prepaid carriers like Tracfone and Virgin Mobile don’t record calls to assess monthly charges (the bill is paid in advance), they don’t generate identifiable phone logs. Outgoing calls do get recorded in the accounts of those receiving the calls, but prepaid providers rarely include a name to go with the phone number. The downside: Tracfone and other prepaid cellular providers don’t yet include e-mail or Web browsing in their services.
Doug Howard, COO of managed security firm BT Counterpane, advises managers to inform phone providers not to give out records without written authorization. Howard also advises clients to tell their phone carriers and credit-card and utility providers to send records via regular mail. This ups the ante for would-be thieves. “If someone goes into my mailbox,” he explains, “that’s a federal crime.”
In addition, companies need to provide periodic training for workers, particularly those who handle outside requests for information. “[Often], that’s where the weak links are,” says Risk Strategies’ Gross. Much of the training should involve role-playing. That way, a worker will direct calls to the right department, thereby reducing a pretexter’s ability to troll for information. “If you educate every person, you extend security down to the lowest common denominator,” Gross notes. “Everyone will know what pretexting is and who to call in the event it happens.”
The same rules apply at home. Surprised? Don’t be: pretexting is just as likely to happen at home as at the office. So it’s important to educate family members about the dangers of pretexting. One rule of thumb: never give out any personal data unless you place the call yourself. Phone pretexters often mask their true intent by asking 10 innocuous questions before slipping in the one they’re actually interested in.
Esther Shein covers technology from Framingham, Massachusetts.
Training Day
Getting employees to take pretexting seriously is not always easy. The job gets more difficult if top-level managers don’t take it seriously themselves.
To get the attention of workers, management must establish a written policy on the subject. That policy should detail what information can and can’t be given out. It might also include directives on where to route callers. Incorrectly routed calls strip a business of one of its chief weapons in combating pretexting: knowledge that the guy on the other end of the line doesn’t know what he’s talking about.
Like other security regimens, a pretexting policy must be explained, monitored, and enforced. “Develop a policy [people] will adhere to. Make it flexible and dynamic, because security risks are flexible and change on a day-to-day basis,” advises Joel Gross, a principal at Risk Strategies International.
The best programs tend to make workers feel like they have some skin in the game. In essence, a good pretexting policy fosters the belief “that this is our information and it shouldn’t be used for any other purpose,” notes Jason Corsello, research director at analyst firm Yankee Group, in Boston. “Make employees feel important and that they can be trusted.” —Esther Shein
