Hello CHT
This might help you:
Spotting Pretext Calls
There are a number of indicators that what at first appears to be a routine and valid request for customer information may instead be a pretext call. The presence of any one of these indicators or a combination thereof does not always indicate a pretext attempt. Financial institutions receive numerous requests every day for customer information. In many of those requests one or more of the following indicators may be present and be perfectly innocent. However, financial institution employees should be aware of these potential indicators and review them on a regular basis in order to be prepared to spot a potential pretext.
• Missing Information--Any call or request for customer information where the institution-defined requirements for gaining access (PIN, password, last date of deposit and amount, etc.) are not met.
• Non-customer Calls--Any call where the requestor of information is not the customer.
• Calls Placed From Numbers Other Than Those Listed On The Customer’s Account—If an institution has caller identification capabilities, employees should note whether the phone number displayed matches the phone number(s) associated with the customer account. Particular attention should be given to calls placed from outside the local calling area of the customer and calls that have been placed blocking the caller identification feature.
• Callers That Are Hesitant Or Refuse To Give A Callback Number—Any caller that refuses or hesitates in providing the number they are calling from may be concerned about the call being traced back to them. Many pretext callers will immediately hang up if confronted with a courteous request for the number they are calling from.
• Out Of The Ordinary Request--Any call that is out of the ordinary in the type of request made. This includes requests for faxes of account information or statements to numbers outside the local calling area of the customer and requests to mail duplicates of account information to an address other than that on the customer account.
• Overly Aggressive Callers—Any caller that becomes belligerent or aggressive when asked routine account identifying information. A favorite demeanor of pretext is to bully the employee into releasing information by threats to speak to a supervisor; close an account; or, make a complaint about the employee.
• Overly Talkative Callers—Callers that appear to be laying out a story concerning why they need to bypass the access rules of the institution, or who appear to be attempting to distract the employee with excessive chit-chat while posing more account-related questions, may be constructing a pretext. The best pretexts have the employee offering information not even requested in an attempt to assist the "confused caller".
• Overly Absent Minded Callers—Callers that appear to be overly confused or absent minded and are unable to provide even basic biographical information may be placing a pretext call. Many pretexts rely on placing many calls to the institution and picking up one piece of information at a time until enough data is developed to convince the institution that the caller is the legitimate account holder.
Most importantly, remember the pretext caller is a confidence artist. The basis of the confidence game for the pretext caller is to take advantage of the financial services industry’s reputation as a customer-service-oriented profession. By appealing to the emphasis placed on customer service within the industry, the pretext caller attempts to obtain information they are not legally entitled to. If it feels like a con – it probably is.
Handling A Possible Pretext Call
All financial services industry institutions should develop policies and guidelines for employees to follow when a pretext call is suspected. It must be stressed that the policies and guidelines are to be followed without exception by all employees of the institution. Considerations for policies and guidelines should include:
• No Variation From Customer Information Access Procedures—Whatever customer information access procedures are determined to be appropriate for the individual institution should be strictly enforced. No frontline employee should have the authority to deviate from the stated procedures. Legitimate customers will appreciate security procedures when it is explained that the procedures are in force to protect their valuable information. Frontline employees should be instructed that they could be dismissed from their job for deviating from the institution’s customer information security procedures.
• Routing Suspected Pretext Calls To A Supervisor Or Security Official--Any suspected pretext call should be brought to the immediate attention of a supervisor or security official within the institution and if feasible the call should be routed to that official. Many pretext attempts will end with a hang-up by the pretext caller as soon as a transfer to another official begins. Many pretext callers would prefer to end the call and try again at a later point than deal with a supervisory or security official.
• Recording Suspected Pretext Calls—Where applicable state and federal laws permit, consideration should be given to recording any suspected pretext calls. Several successful prosecutions of pretext callers have been based upon recorded attempts at gaining access to customer information.
• Notation Of Suspected Pretext Calls—At all times employees should make note of any suspected pretext call. If possible, notation should be on the individual account so if further attempts to gain access occur other institution employees will be aware of the history of pretext attempts on the account. The notes should include the method of the suspected pretext. Pretext callers will repeatedly call an institution and speak with different employees until they gain access. Notes on the account of attempted access can serve to notify other employees to give the account special attention.
• Request A Callback Number—Requesting a callback number will often assist in determining if the call is a pretext. Many pretext callers will immediately hang up when asked to provide a callback phone number. If the number does not match the phone numbers associated with the account, ask the caller where they are and who is the owner of the callback phone number. Most legitimate callers will not mind providing that information and will be impressed with your security efforts on their behalf.
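The two lists above (the indicators to spot, and the handling rules: never deviate from the access procedure, route suspicious calls to a supervisor, note every attempt on the account) can be turned into a simple screening aid for frontline staff. The following is an added example, not part of the testimony or the post; the record fields, indicator names and the 555 sample numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical records; the field names are assumptions, not from the testimony.
@dataclass
class CallRequest:
    caller_is_customer: bool
    access_requirements_met: bool    # PIN, password or authorization code verified
    caller_id_number: Optional[str]  # None when the caller blocked caller ID
    callback_number_given: bool
    delivery_outside_account: bool   # fax/mail requested to a number/address not on file
    aggressive: bool = False

@dataclass
class Account:
    phone_numbers: Set[str]
    local_area_code: str
    notes: List[str] = field(default_factory=list)  # history of suspected attempts

def spot_indicators(call: CallRequest, account: Account) -> List[str]:
    """Return the indicators present on this call; none is proof of pretext by itself."""
    hits = []
    if not call.access_requirements_met:
        hits.append("missing information")
    if not call.caller_is_customer:
        hits.append("non-customer call")
    if call.caller_id_number is None:
        hits.append("caller ID blocked")
    elif call.caller_id_number not in account.phone_numbers:
        hits.append("number not on account")
        if not call.caller_id_number.startswith(account.local_area_code):
            hits.append("outside local calling area")
    if not call.callback_number_given:
        hits.append("no callback number")
    if call.delivery_outside_account:
        hits.append("out of the ordinary request")
    if call.aggressive:
        hits.append("overly aggressive caller")
    return hits

def handle_call(call: CallRequest, account: Account) -> Tuple[str, List[str]]:
    """Handling policy: no release without the access procedure, route anything
    suspicious to a supervisor, and record the method of the attempt on the account."""
    hits = spot_indicators(call, account)
    if not call.access_requirements_met:
        decision = "deny and route to supervisor"
    elif hits:
        decision = "route to supervisor"
    else:
        decision = "release per procedure"
    if hits:
        account.notes.append("suspected pretext: " + "; ".join(hits))
    return decision, hits
```

The account notes accumulate across calls, so a later employee sees the prior attempts and their method, which is the point of the notation rule above.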
Stopping Pretext Calls
The federal banking agencies are proposing standards for protecting customer information. Consideration should be given to creating a separate plan, or a portion of the overall security plan, to cover pretext training. The following elements are part of that plan:
• Customer Information Security Plan—All institutions should have a customer information security plan. The plan must recognize and address the threat of pretext calls to the integrity of customers’ personal information and the reputation of the institution. An analysis of the institution’s policies on disclosure of customer information should be performed to determine who currently has authority to release information and under what circumstances the release can be made. Procedures should be adopted that restrict who may release information and under what circumstances, given the reality of pretext calls.
• Do Not Deviate From Customer Information Security Procedures—Once a comprehensive plan has been developed to maintain customer information security it must be adhered to uniformly. Supervisors should demonstrate to frontline personnel that they take the procedures seriously by both following the procedures and enforcing them uniformly within the institution.
• Use Authorization Codes Or Passwords—Institutions should use authorization codes or passwords for any release of information by phone, fax or other telecommunication device. The code or password should be unique and not consist of other identifying information such as social security number, mother’s maiden name, account numbers or PINs for automated teller transactions.
• Refer Questionable Calls To A Supervisor Or Security Official—A supervisor or security official within the institution should handle all calls that are questionable or suspicious. The act of routing a call to a supervisor or security official will deter most pretext callers for fear of further scrutiny of their actions. Legitimate customers will appreciate the attention being provided to maintaining the integrity of their account.
• Educate Employees—All employees are potential targets of pretext. All employees should receive regular and repeated education and training in order to understand what pretext calls are and how to handle potential pretext calls in conformity with the overall information security procedures of the institution. Employees need to be repeatedly reminded that the integrity of the financial services industry relies upon the ability of the industry to protect customers’ assets, including customer information.
• Test Your Customer Information Security Procedures—Internal or third party pretext testing should routinely evaluate any customer information security procedure. This will help to determine weaknesses in either procedures or training that can be addressed in order to maintain the highest security possible.
• Educate Customers—Educate customers about the high degree of emphasis placed on customer information security by the institution. Remind customers that they should never provide their customer information to anyone over the phone unless the customer initiated the phone call and is 100% certain whom they are dealing with. When dealing with a difficult customer who wants access to their information but is unable to provide appropriate identifying access information, stress that the procedures of the institution are designed to protect their assets from identity thieves.
• Report Suspicious Advertisements By Information Brokers, Private Investigators, Collection Agencies And Others In Your Area—Be aware of advertisements you see in local publications, trade journals, magazines, yellow pages, and on the Internet referring to the ability to locate "assets", particularly advertisements claiming to be able to locate bank account, credit card, stock, bond, mutual fund and insurance information. Unscrupulous users of pretext are notorious for claiming within their advertisements that they follow all applicable laws and require appropriate documentation before performing "asset investigations". This has been proven to be historically false. With the enactment of the Gramm-Leach-Bliley Act, there are very precise, limited exceptions to the prohibition of the use of pretext to gain customer account information. Most advertisements currently reviewed misstate those exceptions in an attempt to mislead the public. Report suspicious advertisements to local and federal law enforcement and regulatory bodies, including the Federal Trade Commission.
• Report Pretexting To The Appropriate Authorities—Any cases of suspected pretext should be reported to appropriate legal authorities and the Federal Trade Commission and prosecuted to the fullest extent possible. Most information brokers and private investigators are refusing to accept asset investigations in the State of Massachusetts because of the State’s aggressive prosecution of pretext callers.
Source: Testimony of Richard H. Harvey, Jr., September 13, 2000, on behalf of the American Bankers Association, before the Committee on Banking and Financial Services, United States House of Representatives