Juliette Gust, CFE
Read Time: 5 Mins
Written By:
Anna Brahce
According to the Federal Trade Commission (FTC), pretexting is the practice of obtaining personal information under false pretenses. The pretexter often establishes a rapport with an unsuspecting victim by pretending to be someone from a trusted entity with which the victim has a relationship.
With the Hewlett-Packard (HP) pretexting case still fresh in our memories, we’ll describe its circumstances and results, review legislation, and discuss whether it’s permissible to use the onerous method to obtain information in fraud examinations.
MEDIA INFLUENCE
The media often drive legislation. The overwhelming press coverage of the Enron debacle appeared to lead to the eventual passage of the U.S. Sarbanes-Oxley Act of 2002. And the HP pretexting scandal probably precipitated the passage of the 2007 Telephone Records and Privacy Protection Act (TRPPA).
On Sept. 5, 2006, Newsweek unleashed the fall-from-grace story of former HP board Chair Patricia Dunn. Dunn wanted to find out who was leaking confidential information about the company’s long-term strategy. In January 2006, she secretly authorized electronic-security investigators to look for records of private phone communications – both personal cell and home phone calls – of the other directors. Five months later, Dunn told the board members about her clandestine project, which was dubbed the “Kona 2 investigation,” and she revealed the name of the director who leaked the information. After Newsweek published its article, the U.S. House Committee on Energy and Commerce requested a laundry list of information about the leak investigation.
In October 2006, California Attorney General William Locklear filed charges against five individuals involved in Kona 2 including Dunn; former HP senior counsel Kevin Hunsaker; and private investigators Ronald DeLia, Matthew Depante, and Bryan Wagner. The five were charged with (1) conspiracy; (2) fraudulent use of wire, radio, or television transmissions; (3) taking, copying, and using computer data; and (4) using personal identifying information without authorization.
On Dec. 7, 2006, HP settled state civil charges brought against the company for more than $14.5 million. Wagner pleaded guilty in federal court on Jan. 11 of this year to identity theft and conspiracy, after admitting that he engaged in pretexting and illegally acquired Social Security numbers and phone records of two former HP board members and a couple of journalists. He’s scheduled to be sentenced on Oct. 3.
On March 14, California Superior Judge Ray Cunningham dropped the misdemeanor charges against Dunn. On June 29, Cunningham dismissed misdemeanor charges against Hunsaker, DeLia, and Depante after the men completed 96 hours each of court-ordered community service. (In March, Cunningham had refused to accept no-contest pleas from the three men as long as they completed the community service.1)
The federal investigation into Kona 2 is ongoing. It’s not implausible that federal prosecutors will use Wagner’s plea and assistance in the case to gather additional evidence before charging other persons involved in Kona 2.
LEGISLATION
The 2007 TRPPA makes it an offense to obtain confidential phone records information by pretending to be someone else or by otherwise employing fraudulent tactics from a telecommunications carrier or IP-enabled voice service provider via interstate or foreign commerce.2 Specifically, the act imposes a fine and/or imprisonment of up to 10 years upon individuals for (1) making false or fraudulent statements to an employee of a covered entity or to a customer of a covered entity; (2) providing false or fraudulent documents to a covered entity; or (3) accessing customer accounts of a covered entity through the Internet or by fraudulent computer-related activities without prior authorization.3
For many years, four pieces of legislation have traditionally shaped the rules on pretexting: the Fair Credit Reporting Act (FCRA), the Fair Debt Collection Practices Act (FDCPA), the Computer Fraud and Abuse Act (CFAA), and the Gramm-Leach-Bliley Act (GLBA). (This list isn’t inclusive but contains the prominent pieces of legislation affecting pretexting.)
Fair Credit Reporting Act
Enacted in 1968, the FCRA sets forth guidelines to protect the privacy of consumers’ private financial information. Generally, the FCRA regulates the acquisition, distribution, and use of consumer credit information.4 However, Section 619 of the FCRA specifically prohibits individuals from knowingly and willfully obtaining information of a consumer from a consumer-reporting agency under false pretenses.5
Fair Debt Collection Practices Act
Also enacted in 1968, the FDCPA attempts to further alleviate fraudulent activity in collecting consumer debts. The FDCPA prohibits debt collectors from using false or deceptive methods in obtaining consumer debt information, and in collecting or attempting to collect any debt.6 Although further removed from the scheme of pretexting, it might conjoin with the FCRA in suits involving pretexting.
Computer Fraud and Abuse Act
Enacted in 1984, the CFAA was designed to lessen the frequency of computer hacking. Particularly, the CFAA prohibits one from knowingly accessing a computer without authorization, or by exceeding his or her authorization, and subsequently gaining access to: (1) information in a financial institution’s financial records; (2) a consumer reporting agency’s file on a consumer; and (3) information from any “protected computer.”7
Gramm-Leach-Bliley Act
Enacted in 1999, the GLBA strictly prohibits the use of false or fraudulent statements or documents, as well as lost or stolen documents, to gather customer information from a financial institution or directly from the customer. The prohibition is upon individuals who directly contact the financial institution or customer, as well as individuals who direct another to undertake such activity.8
As you can see, the FTC has traditionally focused on enforcing actions against individuals who falsely represent themselves as customers to gain access to financial information about the customers. Because impersonators are now prohibited from obtaining more than just financial information (for example, obtaining phone records of individuals by false pretenses is also now illegal), it’s important to distinguish the 2007 TRPPA from the GLBA and other notable statutes. Also, keep in mind that most states have adopted state laws to protect individuals from becoming victims of pretexting, among other illegal practices. For example, in September 2006, California passed a law prohibiting individuals from procuring, obtaining, or attempting to procure or obtain, telephone calling pattern records or lists, via fraud or deceit.9 Therefore, fraud examiners must be sure they understand applicable federal and state laws pertaining to pretexting before beginning an investigation.
INVESTIGATION
“How would a reasonable person act under the circumstances?” “Would a reasonable person consider my actions to be highly offensive in the given situation?” These questions often set the legal standard for determining the culpability of an individual accused of illegality. They’re questions all fraud examiners should ask themselves before commencing each step of an investigation.
Any individual who oversees a fraud examination must be continuously alert to the methods being used. The following investigatory checklist, by Kramer Levin Naftalis & Frankel LLP, can be a valuable tool for anyone involved in overseeing investigations:10
The facts
• What do I know?
• What do I suspect?
• What more do I need to know?
• What is the best way for getting the information I need?
• Who should do the work?
• Who should supervise the work?
• Are there any internal controls/protocols in place that need to be followed based on what I know?
• Is there anyone at the company implicated in wrongdoing by what I know?
• To what extent, if any, can that person be involved in investigatory and reporting decisions?
• Are there terms of that person’s employment of which decision makers need to be aware?
Statutes, filings, guidance, and contracts
• Are past filings affected by what I know? If so, which ones?
• Are there about to be filings that could be impacted by what I know or may soon know?
• Has the company issued any guidance that would be viewed in a different light based on what I know?
• Is the company about to issue any guidance that may be impacted by what I know or may soon know?
• Are there any terms of material contracts (for example, debt covenants, employment agreements, and third-party contracts) that may be impacted by what I know or may know soon?
• Are there any statutes or regulations that may have been violated based on what I know?
Possible internal and external reporting
Who needs to know what I know?
• More senior management?
• Audit committee?
• Full board?
• Outside counsel?
• Auditors?
• Insurance carriers?
• Investors?
• Contractual counterparties?
• Regulators?
• Exchange officials?
• Prosecutors?
• What, if anything, is the company going to tell its employees?
• Which employees?
• When should this happen?
• What form should the communication take?
• What other message, if any, needs to be given?
Sought-after information is often owned by, and in the control of, the individual or entity requesting an investigation. For example, an employer believes an employee has been stealing money from the employer via a lapping scheme. The employer received information that the employee has recently purchased extravagant items that would be unusually expensive for an individual with her salary. The employer believes that the employee might have critical documentation regarding her recent purchases as well as financial documentation relating to the scheme in her desk drawer at the office.
In this case, the fraud examiner is probably able to obtain the documents without running into an invasion of privacy problem. However, when information or documents are in the control of other parties or in uncontrolled locations, legal action is almost certainly required before the fraud examiner can attempt to obtain the evidence. Under no circumstances should the fraud examiner attempt to gain access by alternative means – pretexting, theft, or trespass.
Undoubtedly, financial records are the most valuable source of information available to fraud examiners. However, as statutes show, financial records are usually the most difficult type of records to obtain. Often subpoenas and search warrants are required to access such information. Fraud examiners should understand that bank officials and employees can be questioned and deposed just like potential witnesses. Legal advice in obtaining financial records should always be sought.
Fraud examiners must be cognizant of the TRPPA. As mentioned before, it’s illegal to obtain confidential phone records information from a telephone carrier under false pretenses. To reiterate, this means one may not obtain telephone records by making false or fraudulent statements or representations of any kind.
Obtaining information contained in public records (information that’s developed about the public or open to the public) without revealing your identity as a fraud examiner is generally permissible. When seeking public information, the fraud examiner must be aware of, and understand, the guidelines of the Freedom of Information Act (FOIA). Most states have adopted similar versions of the FOIA to cover state and local jurisdictions. Specifically, the FOIA regulates: (1) the type of records that a governmental agency may maintain about a person; (2) the conditions under which such information may be disclosed to another government agency; and (3) the circumstances and methods under which an individual may obtain copies of agency records that pertain to that individual.
Government records about individuals are generally prohibited from release to another without consent of the individual. Obtaining such information without consent constitutes a claim of invasion of privacy. The FOIA provides for public access to the following information: (1) tax rolls; (2) voter registration; (3) assumed names; (4) real property records; and (5) divorce and probate suits. The following records aren’t deemed public: (1) bank records; (2) trust records; (3) telephone records; (4) passenger lists; and (5) stock ownership.
Every fraud examiner wants the smoking gun, but you must keep in mind that a dodgy investigation can cause that weapon to backfire.
Juliana Morehead, J.D., CFE, is a legal writer and editor for the ACFE.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
1 “Last state charges in HP spying case dismissed.” Reuters. June 29, 2007. www.reuters.com.
2 Telephone Records and Privacy Protection Act of 2006, P.L. 109-476, Sept. 12, 2007, available at http://thomas.loc.gov.
3 Ibid.
4 15 U.S.C. 1681 et seq. (2006).
5 15 U.S.C. 1681(q) (2006).
6 15 U.S.C. 1692(e)(10) (2006).
7 18 U.S.C. 1030(a)(2) (2006). Please note that a “protected computer” is one which is used by a financial institution, the federal government, or used in interstate or foreign commerce.
8 15 U.S.C. 6821 et seq. (2006).
9 Cal. Pen. Code §638 (2006).
10 The inventory checklist was provided, as originally published, by Timothy P. Harkness and Kerri Ann Law of New York’s Kramer Levin Naftalis & Frankel LLP. Harkness and Law are litigation partners and can be reached at tharkness@kramerlevin.com and klaw@kramerlevin.com. All rights reserved.
11 5 U.S.C. 552.