How a Phishing Scam Took $1.2 Million from a Vegas Casino

Seems hard to believe, but the scammer got cash from an employee!

Ocean’s 11 have some competition. Turns out you don’t need a team of 11 guys, each with a distinct talent, to steal money from a Las Vegas Casino.

All it takes is a guy with a phone and a lot of confidence in his real crazy scam and boldness. Also, someone on the other side of the call (the “victim”) who seems clueless about cybersecurity. Therefore, they’re very likely to follow orders and perhaps, very gullible.

How a Crafty Scammer talked the Circa Casino into handing over cash.

In the Summer of 2023, the Circa Hotel in Downtown Las Vegas was on the short end of a $1.2 million imposter scam. The con artist actually talked an employee (who handles money in what’s called the cage) into hand-delivering over $1 million in CASH, over several trips.

And the trickery worked.

Simple scam. Significant haul.

This wasn’t at all complicated, unlike the fantastical one from the 2001 movie “Ocean’s 11,” a remake of the one starring Frank Sinatra and “The Rat Pack.” This scam that struck the Circa this year, one that has grown in popularity, is a “phishing scam.”

In this case, as with all business phishing scams, the real victim isn’t the fooled employee; it’s the company they work for.

It was the business they worked for… the Circa Hotel.

Phishing scam + imposter scam = success.

Here is what’s known about the Circa Casino phishing scam:

• The scammer, a 23-year-old male, did enough homework in advance to get the name—and other information—of the CEO of the Circa Hotel.
• The scammer likely also did enough research to get the name of someone at the hotel who worked in the casino cage (where they keep all the cash).
• The scammer simply picked up his phone and pretending to be the CEO, talked to an employee working inside the cage. 

The request (the scam).

What lie did the Circa Casino employee believe…and do?

The story the scammer gave the employee was that Circa needed to buy fire equipment. The CEO impersonator told the cage employee that cash was needed immediately to pay for emergency fire equipment. And that the equipment was necessary because a fire department inspection had found violations.

Of course, none of that was true.

• The total amount needed would be over $1 million.
• The CEO impersonator had the employee make four different trips, at different times and days, to deliver the cash. (Evidently, the scammer had an accomplice…a pretend lawyer.)
• The employee was able to leave the cage where the money was stored on four different occasions…each time with around $300,000 in cash!

The scammer, who has been caught and is even suspected of committing similar crimes at other casinos outside of Las Vegas, used a classic “phishing” tactic. In this case, he used a phone call first, followed by text messages.

How phishing works.

The scammer uses social media and other platforms to gather information on an executive. It’s not as difficult as you might think. After he has compiled a profile of someone important, the con artist targets a different employee at the same company—one who has some ability to make money decision either on their own or on behalf of the boss.

When a con artist specifically targets a con artist, that’s spear phishing. 

Phishing in Lake Casino.

According to people who are investigating these types of crimes, the target of the scammer (who is always a male) targets an employee who is typically always a woman. (Cybersecurity experts simply say, “that’s just the way it goes.”)

Then the phishing scam follows its pattern, but two things have to happen to make the scam work:

• The employees hear enough factual information and that the callers are who they say they are.
• The duped employees feel it’s their duty to carry out the task “the executive” commands them to do.

Unbelievable, shocking…yet successful.

“Simply unbelievable.”

A casino security consultant named Willy Allison, who runs a major conference for the gaming industry, reached out to security directors at other casinos to pass along the story about the Circa.

Those security executives Allison couldn’t believe the true story, and were naturally worried about the same crime happening to them.

When Allison explains the crime in simple terms, it is quite hard to believe it worked.

“An employee in the cage can walk out with $300,000, meet a guy she doesn’t know, and give him the cash? As an ex-surveillance guy who lives and breathes internal controls and procedures, I say there are a lot of gaps to fill in. From the outside, you say, ‘how can that happen?’”

Allison is also worried that technology, innovation, anonymity  and sheer boldness on the scammers’ part is a dangerous trend. On the casinos’ side, complacency is the problem.

He sees the Circa swindle as ridiculous.  “Statistics show every year that casinos are candy stores for robberies,” Allison rants. “Now we’ve gone to the next level where you don’t even have to go into the casino to rob it. You can just call, like for a pizza, and they’ll bring the money to you.

That’s hilarious.”

How phishing scams dupe their victims

Not enough people are aware that phishing actually exists. One estimate says that more than 150 million phishing emails go out daily, with 80,000 people becoming victims. Don’t be one of them. Learn how to spot them and avoid falling prey. Read our 6 tips for avoiding phishing scams.