
The HP pretexting scandal has a great lesson to teach us about identity theft and the importance of awareness

If you have yet to hear about the “pretexting” scandal that has had computer giant HP in the media spotlight for nearly a month, then welcome to Planet Earth and sorry about all the mess. But you’re probably at least a little aware of the allegations that a number of private investigation firms hired by HP to get to the bottom of boardroom business leaks used deceptive and possibly illegal tactics to trick phone companies into providing them with the private phone records of journalists, HP employees, and even other board members.

So what does this have to do with identity theft? Well, besides the fact that some of the tactics used in pretexting are technically considered identity theft under recent California laws, the whole concept of pretexting is based on something called social engineering, which is also the key ingredient in phishing, one of the most potent and effective forms of identity theft.

Social engineering is essentially about using some form of deception or coercion to trick others into believing that you are somebody you’re not, so that these people will do something they shouldn’t – in the case of identity theft it’s to hand over personal information to the wrong people. Famed former hacker Kevin Mitnick is regarded as the king of social engineering and claims that he used charm and deception far more often than his computer in the legion of computer hacks that finally earned him a five-year prison sentence.

Apart from the legal and ethical issues, the HP case demonstrated how easy it can be to trick otherwise wary people – in this case employees of the telephone companies – into handing over private personal information to somebody just because they claim to be the rightful owner.

Identity theft by phishing uses exactly the same principles, using emails or even phone calls pretending to be from a bank, credit card company, or other trusted brand in order to trick you into offering up your most sensitive financial information. The irony is that phishing is one of the few known crimes that requires the willing, albeit unwitting, participation of the victim in order to succeed. If you don’t respond to a phisher’s request for your information, the phish won’t work and the crime can’t occur.

Which reminds us that the best defense against identity theft is our own vigilance, and not just the ability but the urge to simply say no. If the employees at the telephone companies had just said no, or at least asked for greater verification from the private investigator at the other end of the line, then pretexting might still be HP’s dirty little secret.

Maybe the telephone companies need to send their employees to one of Kevin Mitnick’s courses on how to spot and avoid social engineering. But like most of us you probably can’t afford that luxury, so you’ll just have to rely instead on your ability to just say no the next time someone you don’t know asks you for information your instincts say you shouldn’t provide. That way you won’t make it into the headlines and the next call won’t come from your bank or credit card company wanting to know who spent all your hard-earned money.

Posted on Monday, October 9, 2006 at 10:23AM by Neal O'Farrell
