Social Engineering and Pretexting


Despite the vast amount of information that is available for free or for a fee, employers are often most interested in information that is unobtainable by legitimate means or simply too expensive to purchase. When that situation arises, some private detectives will use a technique known as "social engineering" or "pretexting" in order to obtain the desired information. In the frequently asked questions file for the Usenet newsgroup alt.private.investigator, the term "pretext" is defined as follows:

Pretext equals a nice way of saying a lie. Some PIs use this tool to find information about people. Can be very helpful, but can also land you in hot water. Never try to pass yourself off as a policeman or government agent. Many PIs will tell you that they do not believe in pretexting and have never done it before. That is a good example of a pretext.

Thanks to the success of some hackers in using this technique to obtain passwords and other confidential information, there are some in the hacking community (and among the journalists who follow them) who think that hackers invented social engineering as a means of worming information out of unsuspecting individuals. But long before there were computers to hack, private detectives—including Sir Arthur Conan Doyle's famous fictional detective, Sherlock Holmes—were making ample use of disguise and impersonation to work their cases.

Detectives today have a much easier time of it than Holmes. Successful social engineering and pretexting still require some ability to play a role, but the telephone eliminates the need for a physical disguise (which if nothing else helps to keep costs down). The nearly ubiquitous customer service department has become the private detective's best friend: It is staffed, after all, by people whose primary job description is to be helpful and provide information to anyone who calls.

In an effort to crack down on the practice of pretexting, the Federal Trade Commission filed a civil lawsuit in April 1999 against James J. Rapp, a Colorado investigator who allegedly used pretexting to obtain private information; later that same summer, Rapp and his wife were indicted on federal racketeering charges. (Colorado, where the Rapps were operating, has a state law that makes it illegal to impersonate someone else to obtain information.)

Rapp's company, Touch Tone Information, came under investigation when a raid of a Los Angeles private detective revealed that Touch Tone had provided him with assorted private information about members of the Los Angeles organized crime squad, which he had used to harass the department's detectives and even hijack pager messages in an effort to learn the identity of a confidential informant.

After the Colorado Bureau of Investigation (CBI) raided Touch Tone, company records revealed that Rapp had successfully obtained a wide variety of highly confidential information, including:

  • Records on visits by Ally McBeal star Calista Flockhart to a Beverly Hills doctor during intense tabloid speculation that she suffered from an eating disorder

  • Information about Diana, Princess of Wales, and her friend Dodi Fayed shortly before their death in Paris

  • The phone records of Kathleen E. Willey, one of the women who accused former President Clinton of inappropriate sexual advances

  • Credit card records for John and Patricia Ramsey, the parents of slain six-year-old JonBenét Ramsey

  • The credit card and phone records of Ennis Cosby, the son of actor Bill Cosby, who was shot on the side of a Los Angeles highway in January 1997

  • The unpublished phone numbers and phone records of victims of the Columbine High School shootings

The indictments helped shed some much-needed light on the practice of pretexting. At any given time, Rapp employed up to twenty "investigators," many of whom worked from their homes on a commission basis. The callers would do whatever they could to obtain the necessary information, ranging from false accents and fake tears to heartrending tales of domestic betrayal.

The notoriety surrounding the Rapp case helped spur the inclusion of antipretexting language in the Gramm-Leach-Bliley Act, also known as the Banking Modernization Act of 1999. It is now a federal felony to obtain or attempt to obtain the private information of a customer of a financial institution "by making a false, fictitious, or fraudulent statement or representation" to the financial institution. It is also a felony to hire someone to obtain such information, knowing that the person will use a pretext to get the information. Violators can be sentenced to up to ten years in federal prison and fined up to $500,000 per offense.

Yet some investigators still strongly defend pretexting. In one impassioned article about the Rapp case, former federal agent Bill E. Branscum put it this way:

The FTC has adopted the position that obtaining information by pretext should be outlawed as an unfair and deceptive trade practice. To this I would say that shooting people is bad too but there is a time and a place for it.

...

The notion that the identity of your bank and your account number is some sort of secret worthy of all this hoopla is nonsense. Your bank sends this information to everyone who writes you a check as evidence that you cashed it. When you pay your property taxes, the tax office copies both sides of your check and that is generally public record. There are many, many examples of ways in which to obtain this sort of information.

Nevertheless, there is no doubt in my mind that the government is going to put the habeas haltus to the act of using pretexts to obtain financial information, the fastest, most dependable, and least expensive way to get it. As a consequence, debts will go uncollected—the big losers will be the big creditors (the number one consumer of this sort of information). Who do you suppose they will pass their losses on to? [12]

[12] Bill E. Branscum, "A Bad Rapp" (1999). Quoted from the website for Oracle International, P.A. and available at www.oracleinternational.com/articles/rapp.htm.




The Naked Employee. How Technology Is Compromising Workplace Privacy
ISBN: 0814471498
Year: 2003
Pages: 93
