Pretexting is generally defined as obtaining sensitive or personal information through impersonation or other deception. It is considered an illegal act under most circumstances, but the laws against the practice vary from state to state and aren't always clearly written. It is illegal, under the Gramm-Leach-Bliley Act, to use pretexting in order to gain access to bank accounts or other sensitive financial information. It is not necessarily illegal, however, to use it in order to obtain phone records or expose an unfaithful spouse. Lying about your identity is not always a crime, but benefiting financially from it is actionable.
Many people are familiar with the idea of illegal computer hacking and identity theft, but very few people are familiar with the practice of pretexting. Hacking into computer servers or using sophisticated programs to uncover passwords is only one aspect of cyberhacking. Practices such as pretexting and phishing are examples of social engineering, the human element behind hacking. This works best when the pretexter gives a convincing performance, complete with the proper technical jargon or other insider information.
A typical pretexting incident might involve a criminal trying to access a victim's personal bank account. The criminal calls the victim at home, claiming to be conducting a survey. The questions may sound relatively harmless, but the fake surveyor is really trying to glean personal information, such as a mother's maiden name, a birthdate, a family pet's name or even a portion of the victim's Social Security number. Once the perpetrator has this information, the process continues at the victim's bank.
The caller uses the victim's name when identifying himself to the bank's representative. A pretexter might create a story about losing a checkbook or forgetting her new password. The bank may have strict security measures in place, but the criminal's pretexting can provide many of the answers they seek. Once the criminal has full access to the victim's banking information, he can clear out the account in minutes. Another criminal may use personal information to create a new credit card account or take over an existing one.
In 2006, the chief executive officer (CEO) of the computer giant Hewlett-Packard became embroiled in a pretexting scheme and eventually resigned. In an effort to discover the source of internal information leaks, the former CEO hired an outside investigator. Several Hewlett-Packard executives discovered that their personal and professional phone records had been collected without their permission. Following an investigation, it was determined that the outside investigators had used pretexting in order to obtain those phone records. The phone company's representatives believed they were communicating with the real Hewlett-Packard employees.