This page considers pretexting (aka blagging): illicitly
obtaining personal/confidential information by claiming
authority to access that information, typically by masquerading
as a customer who is entitled to view his/her account.
It covers -
It supplements discussion elsewhere on this site regarding
identity theft, privacy, data losses and information security.
Pretexting is not new. Over at least the past century
people have been using 'social engineering' to improperly
obtain information from data custodians such as banks,
insurance companies, real estate agencies, medical practitioners,
education institutions and government agencies.
Sometimes that information has been sought as building
blocks for identity theft.
It has also been sought by stalkers,
terrorists and journalists, whether to harass an individual,
breach commercial security or fuel a scandal in the popular
Pretexting is one form of social engineering. It is distinguishable
from phishing (eliciting a consumer's password and other details
through email and websites that purport to be those of the consumer's
financial institution). It involves a private
investigator, law enforcement officer or data broker
obtaining customer information from a data custodian -
such as telephone company or airline - by masquerading
as the particular customer.
It is not necessarily aimed at looting the customer's
account or creating a new account (or financial obligations)
in the guise of that customer. It may instead be used
to identify -
source of leaks to
to a regulator
a competitor is engaged in particular negotiations
a spouse is being unfaithful
location of a debtor.
Most people would agree that assuming another's identity/authority
to improperly access information is unethical. However,
in some jurisdictions it is not a criminal offence. Civil
penalties for those obtaining the information, trafficking
in it (notably operating as 'data brokers') and purchasing
it may be weak.
Just as importantly, government agencies may not give
a high priority to enforcement of that legislation and
it may be difficult for individuals to gain satisfaction,
consistent with uneven perceptions of privacy
rights and the challenge of proving economic damage in
regimes where privacy has little recognition as a tort.
In the US attention has centred on pretexting as a mechanism
for access to caller records, ie to identify an individual's
telephone calls. That identification concerns numbers
rather than what was said (or transmitted) during a call.
In 2006 for example it was revealed that private investigators
working for Hewlett-Packard used pretexting to obtain
call records of that company's board members and journalists
as part of an effort to stop leaks. The investigators
contacted the telephone companies used by the HP directors
and journalists, using information about those individuals
(including credit card numbers, addresses, birth dates
and social security numbers) to support the pretence that
they were the customer and could thus legitimately query
a particular call or receive a full report.
EPIC had earlier noted
that pretexting was widespread, providing the US Senate
with a list of 40 websites that offered to sell phone
records to anyone online. One car repossession specialist
explained that obtaining mobile phone records is "easy":
all you need is the last four digits of a Social Security
number and a correct ZIP code. You go to the wireless
company's Web site, you sign up like you are that person,
you can view the bill.
Pretexting is not restricted to identification of calls.
The US Federal Trade Commission for example notes
Pretexters use a variety of tactics to get your personal
information. For example, a pretexter may call, claim
he's from a survey firm, and ask you a few questions.
When the pretexter has the information he wants, he
uses it to call your financial institution. He pretends
to be you or someone with authorized access to your
account. He might claim that he's forgotten his checkbook
and needs information about his account. In this way,
the pretexter may be able to obtain personal information
about you such as your SSN, bank and credit card account
numbers, information in your credit report, and the
existence and size of your savings and investment portfolios.
similarly indicated that
many other types of private records are being bought
and sold in the public market. Alongside many advertisements
for cell phone records, wireline records and the records
associated with calling cards are advertised. As individuals
shift to VOIP telephones, it is safe to assume that
those records will be offered for sale as well ...
the problem of record sales is not limited to the many
methods of voice communication that we can use. Sites
commonly advertise the ability to obtain the home addresses
of those using P.O. Boxes. Some websites, such as Abika.com,
advertise their ability to obtain the real identities
of people who participate in online dating websites.
A page on Abika.com advertises the company's ability
to perform "Reverse Search AOL ScreenName"
services, a search that finds the "Name of person
associated with the AOL ScreenName" and the "option
for address and phone number associated with the AOL
ScreenName." The same page offers name, address,
and phone number information for individuals on Match.com,
Kiss.com, Lavalife, and Friendfinder.com. These are
all dating websites that offer individuals the opportunity
to meet others without immediately revealing who they are.
The availability of these services presents serious
risks to victims of domestic violence and stalking.
There is no reason why one should be able to obtain
these records through pretexting, or outside of existing
lists include provision of a class schedule for US$80,
an address for US$60 and job data for US$100.
In the US pretexting sometimes forms the basis
of skiptracing, ie locating someone who doesn't want to
be found. It can involve contacting family, friends and
associates and using a 'busy-back number' routine. Investigators
for example contact the relative, advise that the person
has won a lottery or some other benefit and request that
the person rings a toll-free number to claim the goodies.
That provides an opportunity to identify the caller's
With access to a number through pretexting or through
information supplied to a financial institution or other
entity (and shared with a third party such as a credit
reference service) an investigator may use a reverse directory
of published numbers or a directory of unpublished numbers
- illicitly or otherwise - to link the number to addresses
and/or people. Caller-ID spoofing - in which a call appears
to come from the phone of a friend, relative or employer
- is also used by some investigators.
the pretexting industry
There has been no comprehensive study of the 'pretexting
industry', ie data brokerages based on information that
is obtained through pretexting.
In the US it is clear that operators of such brokerages
obtain substantial revenue. In the UK the Information
Commissioner noted conviction in 2006 of a husband and
wife team that made £140,000 a year selling private
financial information obtained by blagging. The industry
is accordingly expanding, with a proliferation of sites
that offer individuals and businesses - including major
corporations rather than merely self-employed flatfeet
- a range of consumer information.
have ostentatiously disclaimed collection of information
through pretexting or use of such information, with one
trade group spokesperson stating that pretexting "is
at a minimum unethical and at a maximum unlawful. It is
a real smear on our profession". As with the credit
reference industry, which on occasion uses pretexted
data and supplies data that is used by pretexters, such
disavowals are somewhat disingenuous.
During June 2006 US Congressional hearings testimony demonstrated
that customers of data brokers included "automobile
finance companies and repossession companies and major
banks and major corporations" in addition to tabloids,
private investigators and lawyers. PDJ Investigative Services
described its customers as
offices, repossession companies, financial institutions,
collection agencies, bail enforcement agencies, law
enforcement agencies and various private investigation
and research companies.
broker James Rapp reported that he used pretexting to
gather addresses linked to a specific phone number from
the telephone company, Social Security numbers from credit
reporting agencies, and address and phone number details
from a utility company.
His clients "requested anything and everything"
... and apparently received much of what they requested.
you're an employee on disability and you're not supposed
to be working, I would" persuade the person to
reveal their workplace. "I'd tell them there's
a gas leak, and I need to reach them during the day.
Whatever it takes".
The lawyer for one broker boldly explained that pretexting
isn't "a lie" or fraud -
a pretext call and it's very commonly done in the PI
industry. That's how they do almost everything that
they do. It's been going on for a long time.
Regulation of pretexting is complicated by -
from corporate buyers of pretexted information (and
from individuals who have engaged in pretexting for
about the legality of particular activity (in the US
for example there have been misconceptions that pretexting
is illegal only if it involves financial information)
in identifying abuses
penalties under statute and common law when abuses are
identified (often greatly outweighed by the cost of
priority given by regulators to enforcement action.