Lessons from HP

Written by Jennifer Brown, Sunday, 29 October 2006 14:44

If the CEO or chairperson of the organization you work for asked you to use questionable techniques to find out who was leaking corporate secrets, what would you do?

When it was learned that Hewlett-Packard chairwoman Patricia Dunn hired third-party investigators to gain access to the telephone records of board members and reporters, those unfamiliar with the practice of pretexting gasped. Many in the security industry smiled knowingly.

Pretexting, a form of social engineering, is an investigative technique widely used to obtain personal information under false pretenses, and according to people in the industry I spoke with, it can be “very effective.”

“Does it happen? Absolutely,” one seasoned security professional told me.

Practically speaking, if a pretext call leads to the disclosure of information, that should qualify as fraud as defined in the Criminal Code. But the reality is that the technique is often used in investigations simply to verify that people are who they say they are, and for far more innocuous reasons than HP had in mind.

It is probably not an avenue corporate Canada wants to pursue on its own, however, without advice from those with in-house expertise. In fact, one security official I spoke with suggested the HP example is best described as “what not to do.”

There are other means to discover the information Dunn was trying to nail down. By not using those options she recklessly put her shareholders and ultimately her position at risk. Tried and true interview techniques could have been used to determine if someone on the board was speaking out of school.

Dunn paid the price for her actions, and the takeaways from the HP experience should be numerous for corporate Canada. The first one is obvious: If you’re going to use pretexting, be prepared to handle the exposure if it does hit the media, as it did with HP.

“Think of the damage to your company if it hit the front page,” one expert suggested to me.

Most non-security executives don’t understand the ramifications of using pretexting. One seasoned investigator said he advises all large corporations he works with to make a plan to manage the message if the investigation gets public attention. If possible, keep human resources and the public relations team in the loop when any internal investigation is taking place to help mitigate any damage that could be done if the news hits the street.

Perhaps the most important lesson the HP case raises is that all organizations are vulnerable to pretexting, so those who work in risk management roles need to educate employees about it. Make sure people are trained to validate the identity of the person they are speaking with on the phone before disclosing information about themselves or a client, and to confirm that they are in fact permitted to disclose such information at all.

An information classification system within an information security policy is a good start. If that is something you haven’t explored with your executive team, it might be a good time to raise the issue. Most in the security and risk management profession know the time to get the attention of the C-suite is when the iron is hot, or in this case, when the headlines are still burning in the mind’s eye.
