Pretexting Is Alive and Well in Corporate America

Hewlett-Packard's admission that it spied on its own board of directors and journalists has cast a spotlight on the underground market for personal information. But HP is not alone: There is a thriving network of creative con artists who gather phone records and other private data. Some of their clients are major banks and insurance companies.

Copyright © 2006 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

MELISSA BLOCK, host:

From NPR News, this is ALL THINGS CONSIDERED. I'm Melissa Block.

ROBERT SIEGEL, host:

And I'm Robert Siegel.

Here's the latest twist in the tale of Hewlett Packard and its attempt to prevent news leaks by spying on its board of directors and reporters. Newspaper reports today suggest that HP's chief executive, Mark Hurd, played a more active role in the leak investigation than was previously known. Hurd has scheduled a news conference tomorrow. HP has admitted using private detectives who obtained the telephone records of board members and reporters.

As NPR's Scott Horsley reports, that's a trick that's long been used to track deadbeat borrowers and cheating spouses.

SCOTT HORSLEY: Hewlett Packard used a variety of private detectives in its search for the source of boardroom news leaks. The company hasn't said publicly who actually obtained the personal phone records, but security consultant Robert Douglas says HP and its helpers wouldn't have had to look very far.

Mr. ROBERT DOUGLAS (Security Consultant): There are 40,000 private investigators in this country. I would venture to say 95 percent of them know somebody who can get banking and phone records and far too often are willing to put clients in touch with someone who's willing to steal information.

HORSLEY: New Jersey investigator Jimmie Mesis says phone records can be extremely useful in locating debtors who disappear or parents in custody battles who run off with their children. Mesis, who also publishes PI Magazine, once tracked down a woman who'd kidnapped her child in less than 12 hours, after obtaining telephone records from the woman's father.

Mr. JIMMIE MESIS (Private investigator): Now why couldn't law enforcement have done that? They said the woman's father had nothing to do with the case and they wouldn't be able to get a subpoena or warrant for those toll records. We were able to get the phone records by using a subcontractor that is able to get toll records and got them.

HORSLEY: And do you know how the subcontractor got the records?

Mr. MESIS: No idea. We put in the request and we got them. That's all we know.

HORSLEY: That kind of response is typical in the underground information business, where personal data passes from hand to hand and no one asks too many questions about where it came from.

At the center of this industry are a relatively small number of professional con artists who actually gather the information. For two decades James Rapp was one of the best. Before he plead guilty to racketeering charges in Colorado in 1999, Rapp says his company was grossing about a million dollars a year. By pretexting, or pretending to be someone else, Rapp could get phone records, bank records, even medical records. All it took was a telephone and a willingness to end the truth.

Mr. JAMES RAPP (Private investigator): Of course, you had to impersonate, you had to lie. There's just no way around that lie. A lot of my former employees are still working throughout the country and nothing's really changed.

HORSLEY: Phone companies take precautions to protect their customers' information, but even the best trained customer service representative can be fooled by a wily con artist posing as a legitimate customer. It takes charm and improvisation, Rapp says. Not everyone can do it.

Mr. RAPP: I want to equate it in that respect to the NFL. Everybody wants to try out, very few can make it.

HORSLEY: Successful pretexters are persistent. Congressional investigators have obtained emails in which con artists write about trying four times, eight times, even 10 times to obtain a piece of information. Rapp says eventually he usually got what he wanted.

Mr. RAPP: My first contact may be let's go over the last bill, did you get a payment for it. Oh really? What date did you get that payment? And if the person's real friendly I may push and if they're not I'm going to stop. And then I'm going to go in the next call and I'm going to say wait a minute, now I've got a question about my last payment on this date.

And why would they not believe me? Because now I'm telling them exactly when the bill was mailed, when they got the payment and exactly how much. So now I've got a better foot in. They're going to want to help me. Oh, what do you want to know.

HORSLEY: Pretexting for financial information as expressly outlawed seven years ago. But until recently, pretexters who go after other kinds of information were rarely prosecuted, even though they may be breaking antifraud statutes or laws against identity theft. Rapp freely admits he sometimes broke the law to get the records he wanted. And he didn't hide that fact from the people he worked for.

Mr. RAPP: Some clients even said now I don't want you to break any laws. I said ok, well, then find somebody else. And they didn't like that, but most clients, truthfully, they understood maybe not the techniques that you were going to use, but they understood that if this was what they wanted to know, this was what you were going to do to achieve it.

HORSLEY: Others selling personal records are less candid. One data broker told Congress his company relied on public databases or Internet searches to get personal information. Even though he'd promised a client in an e-mail, quote, "no database information, just real-time info obtained directly from the telephone carrier."

Security consultant Douglas says other vendors have claimed to have legal proprietary methods for obtaining personal records. But those proprietary methods turn out to be the same old con.

Mr. DOUGLAS: What I always warn people is these are professional liars. They lie for a living. They lie to steal the information. And they lie to the client to try to convince them that what they're doing is perfectly lawful.

HORSLEY: And Douglas says Hewlett Packard is not the first big company to play along, either wittingly or unwittingly. Pretext information's been used to track debtors and suspected insurance cheats. Data brokers questioned by the House Energy and Commerce Committee this summer said their clients include Chase Bank, Wells Fargo, and Progressive Insurance.

Mr. DOUGLAS: This is the dirty little secret in the underground information business. The money that fuels these businesses is coming from major corporations.

HORSLEY: Chase Bank declined to comment. Wells Fargo says it stopped using the data broker last year. And Progressive Insurance says it expects all of its vendors to obey the law. The law may soon get tougher. A bill before the house would expressly outlaw pretexting for telephone records and also make it illegal to buy and sell such information. Still veteran pretexter Rapp doubts any new law will completely stop the practice, so long as someone, like HP, has a need for the information.

Mr. RAPP: Did they have a legitimate gripe or a concern? Absolutely. I'm sure it's done all over. They just got caught.

HORSLEY: Scott Horsley, NPR News.

Copyright © 2006 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.