Him: “What purchases have you made lately? Just the last one would be fine.”
Me: “Umm, let’s see. I think I spent around (US)$100 at a cosmetics store last weekend.”
Him: “Could you be more specific, please? How much exactly did you spend, and what was the name of the store? One hundred dollars doesn’t seem quite right.”
Me, after some rummaging for a receipt: “It was $171.97 at Sephora.”
No, this was not a nosey significant other grilling me on my spending habits — for the record, though, these were Christmas gifts — but rather a conversation I recently had with a customer service rep for a major credit card when I called to change the mailing address on my account.
Before I could accomplish this seemingly simple task there were a few other questions I had to answer, one of which I flubbed. When I couldn’t produce a list of the last two mailing addresses I have had for this fifteen-plus-year account, it was all over.
“I am sorry but you will have to call in from the number we have for you on file if you want to complete this transaction.” My file, unfortunately, did not include my cell phone.
I didn’t mind the inconvenience, as the process was designed to protect me, the legitimate card holder. I was, however, surprised at the rep’s intransigence. Perhaps I shouldn’t have been, though, after the HP incident.
Stacking Up Against Enron
As most people know now, the practice of pretexting was publicly highlighted earlier this year when it was revealed that HP had hired private detectives to spy on reporters whose reporting appeared to be based on leaks from members of its Board. The PIs had used pretexting ruses to gain access to the reporters’ telephone information.
That event seriously damaged HP’s reputation, not to mention prompting a Congressional inquiry and the arrest of its most senior executive. It also made a deep impression on other firms that are guardians of customer information, according to anecdotal evidence.
Indeed, much like the way Enron’s implosion inspired changes in retirement savings practices — financial advisors now routinely raise the company as a boogeyman when confronted with clients who wish to hold their employers’ stock in a 401(k) plan — HP’s experiences may well prove to be a turning point in corporate security practices.
“It’s not your imagination — a lot has changed in just the past few months due to the scandal,” Ken Springer, president and founder of Corporate Resolutions and former FBI agent, said. “Compliance departments have read people the riot act and insisted that changes have been made,” he told CRM Buyer.
A Fine Line
That fraudsters, private investigators or even ill-intentioned acquaintances and family members would use ruses to trick a credit card company, utility provider, or bank into handing over personal financial information is not news to these companies.
They have been forced to walk a fine line when protecting customer information — one that can be easily breached, unfortunately. On one hand, they want to safeguard data; indeed, in the financial industry there are several requirements on the books about this. On the other hand, they don’t want to be so closed that the legitimate customer cannot complete a transaction.
Until HP, many companies had erred on the side of openness. Now, though, at some firms at least, it appears that a shift is underway.
For instance, Ernie Brod, director of Forensic and Dispute Services for Deloitte Financial Advisory Services, reported that the company has been receiving a higher volume of calls from clients seeking advice on training and other business practices for their employees to guard against pretexters.
These calls have mainly been from businesses concerned that employees might be duped into handing over competitive information — not necessarily contact center customer service reps who might divulge information about the customers. Still, though, “the business world has taken note,” he told CRM Buyer.
Conversely, from the other side of the issue, Scott Moritz, executive director of Daylight Forensic & Advisory, a risk management firm, said his clients have been far more likely to ask him about his investigative methods since the HP incident.
“As much as I hate to acknowledge this because it doesn’t do my industry any justice, there is an underside to the investigative industry that is not particularly ethical,” he told CRM Buyer. “Now, when we meet with clients they almost always ask about pretexting. They don’t want to find themselves in a position similar to HP’s.”
His firm is more of a consulting operation and has never engaged in such practices, Moritz pointed out.
He doesn’t mind when clients ask him about his investigative methods. “It is a smart practice. Always know what people are doing in your name because ultimately you are the one who will answer for it, if not before a government agency then in the court of public opinion,” he warned.
Best practices for companies in this area are still very much evolving; in fact, it is difficult to pinpoint with much accuracy how seriously companies are taking the threat of pretexting. That is because the subject is so sensitive that most firms contacted for this article declined to speak on the record or at all.
That said, it is clear that many firms are trying to implement new levels of data security. Deloitte’s Brod, for instance, pointed out that more firms are realizing that there can be a wealth of competitive information that can be gleaned from a few phone calls.
“Let’s say you want to know if a competitor is interested in making an investment overseas. By calling the company you can track the movements of the executives who would have to be involved in such a deal, like the CFO or development officer,” he explained. “In most cases, all you have to do is ask for him or her in order to learn if he is in China or India at the moment.”
Preventative training for administrative assistants and other front-line employees who answer the phone is a growing area of interest among larger firms, Brod added.
Training of customer reps at contact center firms is also increasing, although Brod and Springer both report that these companies are relying more on automated systems configured to spot unusual patterns and new processes designed to prevent an inadvertent release of data.
Credit card companies are placing more emphasis on the personality of the customer — as opposed to information that anybody can find, such as a mother’s maiden name — when designing security questions, Brod said. “The kinds of processes I am seeing now are based on such questions as what is your favorite sports team or what is the name of your best friend,” he concluded.
There is also more discretion given to reps, who are being urged to pay attention to requests that may be fraudulent, Springer noted. “I think as these issues continue to percolate, more consumers will find that their purchases or other requests have been denied not so much because they didn’t pay a bill but for ‘administrative reasons.’”