The Biweekly Newspaper of the American Bankers Association
Volume 9, Issue 12 – June 12, 2001
By John Ginovsky
What would your most inexperienced customer service representative do if he or she fielded a call from a seemingly irate customer?
How would your employee react to a customer who shouted: “Password? I can’t remember my password! I need this information right away or I’m going to start bouncing checks! Either give me my account information now or I am closing this account!”
Hopefully, said Robert Douglas, a top security expert, that customer service representative is thoroughly indoctrinated in the bank’s security practices and procedures. “The employee must know: ‘I may not deviate from the protocol. I can refer the customer to a supervisor but I may not deviate,’” Douglas said.
If the employee gives in and bends the rules, he or she would expose the bank to a possible pretext caller. “Pretext calling is a method of impersonation used to obtain biographical and account-related information,” said Douglas, CEO of American Privacy Consultants, Alexandria, Va. “Once the identity thieves have that information, they can take over the account, open accounts at other institutions and certainly can move funds out of the account.”
All banks are vulnerable. Pretext calling is associated with many of the 750,000 reported cases of identity theft each year, Douglas said. “It’s happening to all banks, large and small. It is occurring hundreds if not thousands of times each day across the country.” Put in monetary perspective, pretext calling certainly is associated with a significant portion of the $17 billion lost from check fraud alone last year.
Pretext callers use different ploys to extract information. Callers can pretend to be customers, higher-level employees in the same bank, officials at other banks, government regulators or law enforcement officers. Their approaches can exude intimidation, helplessness and breathless emergency. They can appeal to bank employees’ natural inclination to assist others or browbeat bank officials into complying with supposed official government business. Often, they call employee after employee at a bank until they find one they can manipulate.
Pretext calling was made illegal by the Gramm-Leach-Bliley Act, which requires bank regulators to make sure all financial institutions have policies and procedures in place to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information. The federal banking agencies recently issued advisories that direct banks to:
· Limit the circumstances under which employees may disclose customer information over the telephone.
· Train employees to recognize and report fraudulent attempts to obtain customer information.
· Test to determine the effectiveness of controls designed to thwart pretext callers.
Suppose a legitimate bank customer did forget his password and needed his account information and would close his account if he didn’t get it right away?
“That’s the rock-and-a-hard-place question,” said Douglas. “How do you provide the customer service that customers demand and at the same time provide the security that customers also demand?”
The answer lies in customer education.
“Customers need to know what the procedures are, and they need to understand they are for the protection of the customers and the customers’ assets,” Douglas said. With the increase in identity theft, he said, “customers are aware of the issue. This is really an issue that banks can use as a selling point. They can differentiate themselves from the next bank down the street by informing their customers that privacy and security is the No. 1 concern of the institution.”
Banks should “teach customers and teach employees that [customer service and privacy protection] are one and the same. They can say, ‘One of the ways we excel at customer service is by protecting your information from unscrupulous and illegal activities,’” Douglas said.
In this approach, bank employees are crucial.
“Get them involved in the team aspect of the security effort. Let them know that they are the front-line defense to protect the customers,” Douglas said.
Also, make it clear to all employees that the bank will conduct internal auditing of the policies and procedures to protect against pretext calling. “Tell them that if they give out information without following the security protocol, they are threats to the well-being of the bank, and they will be terminated. It would be no different from many other security procedures,” he said.
“Bank CEOs have the responsibility to put in a strong common-sense information security program, train employees in it, and test its effectiveness,” Douglas said.
Douglas wrote the pretext-calling portion of ABA’s Financial Privacy Toolbox, available free to ABA members at www.aba.com. His company also compiled the new ABA Identity Theft Prevention Training Program. For more information, call 1-800-BANKERS.
ABA also offers statement stuffers that provide customers 10 Tips to Prevent Identity Theft. For information and a free sample of the stuffer, call 1-800-886-3346.
(Reprinted with permission of the American Bankers Association)