There is a particular kind of impersonation that succeeds not through sophistication but through banality. The party who makes the call presents themselves as a customer in difficulty. They have the customer's name. They have the customer's date of birth. They have, often, a recent piece of correspondence the customer has received. They ask for help with an apparently routine matter.
The procedures the provider's staff follow were designed to help the customer in difficulty. They were not designed to defeat the party who has assembled enough fragments of the customer's identity to mimic that difficulty. The two situations look identical to the person on the other end of the line.
What makes the impersonation work is, in most cases, that the staff member is doing their job correctly. They are following the procedure, asking the questions it tells them to ask, and providing the help it tells them to provide. The failure is not on their side. The failure is that the procedure was built for a problem the world has since outgrown.
The countermeasures are well established but unevenly deployed. Out-of-band verification, where the provider ends the conversation and calls back on a number already held on the account rather than on the line the request is coming from, since the inbound line, and the caller ID it presents, can be chosen by the caller. Procedures that require the customer to attend in person, with identity documents, for certain categories of change, such as a change of the contact number or address that other verification depends on. Internal flags on accounts where ordinary procedures should not, by themselves, be sufficient, which only help if staff actually see the flag before acting and if the flag cannot itself be removed through the same telephone channel it is meant to protect. Each of these makes the impersonation harder; none of them is the default at most providers.
The work in this category is rarely about persuading the provider to change their procedures generally, which is a matter of regulation and slow trade practice. It is about persuading the provider to apply additional safeguards to the particular account the principal cares about. Most providers, asked clearly, will agree to do so; many of them, if the request spells out what the safeguard must and must not permit, will make the safeguards meaningful rather than nominal.