Chris Patten called a large investment-management firm to report that he was going through a divorce and was worried that his wife had set up an account under a false name.

And with that story—entirely plausible but in this case a lie—a customer-service representative turned over customer account numbers and other details with a readiness that makes banks and other companies cringe.

Mr. Patten, a 35-year-old cybersecurity expert who was with the U.S. Air Force before he started working for a consulting firm in Kansas City, Mo., didn't actually use or sell the data, which he gathered in running a test for the investment firm of its security arrangements. But the ease with which the employee was persuaded to divulge the information points to a troubling trend, security experts and law enforcement officials say.

As banks and other large companies spend large amounts of money on building firewalls and using complex technology to fortify their systems, it is often their own employees who are letting identity thieves in the door.

The largest banks are expected to spend tens of billions of dollars on cybersecurity this year, an increase of as much as 15% over 2010, as they rush to comply with new rules that require them to strengthen customer-authentication procedures and beef up other fraud detection measures, said Avivah Litan, an analyst with Gartner Research. But the success of low-tech approaches such as Mr. Patten's shows that increased spending alone won't be enough to insulate the banks, which are chock full of valuable data.