The Lessons I Learned Sitting in Frank Abagnale’s Audience
By David Bellini, CEO, CyberFOX
I’ve spent decades in this industry. I’ve heard hundreds of speakers talk about cybersecurity threats, risk management, and the latest attack vectors. Most of it blurs together. But last week, I sat in a room and listened to Frank Abagnale, and I haven’t stopped thinking about what he said.
For those who don’t know, Frank is the former con artist whose life became the movie “Catch Me If You Can.” He spent his teenage years forging checks, impersonating airline pilots, and running elaborate schemes. He got caught, served time in three countries’ prisons, then spent the next 50 years teaching FBI agents how criminals think.
He’s 77 now. And when he talked about today’s threat landscape, I realized most of us are still thinking about security all wrong.
Prevention Beats Detection Every Time
Frank has built his career on three words: prevention, verification, and education. Not detection, not response. Prevention first.
The uncomfortable truth he mentioned: at the end of 2024, $110 billion in court-ordered restitution was still outstanding. Ninety-one percent of that money will never be recovered, and that figure has not moved in over 10 years. When cybercriminals steal your funds, they're gone.
Fewer than 0.05% of cyberattacks have ever been prosecuted, and it takes organizations roughly 280 days on average just to work out what happened.
Why, then, do so many organizations allocate the largest share of their security budget to detection and response? Frank's point was straightforward: once you are responding to an event, you have already lost.
AI Changed Everything
The thing that made Frank’s audience go quiet was his description of what AI has done to fraud. A criminal can now take a $4,000 check, let AI change the amount to $400,000, alter the payee, and produce an exact replica, including the signature. It takes minutes.
He told the now-infamous story of the multinational company in Hong Kong that lost $25 million in a single attack. A video call appeared to come from the company's CEO. The "CEO" knew employees by first name and asked about their spouses and children. Everyone in the room would have sworn it was him. It was, of course, a deepfake.
Deepfakes are at roughly 97% accuracy right now; in a couple of years they'll hit 100%. Yes, a lab will eventually be able to tell you something was faked. But by then, the money is gone.
The Problem Isn’t Technology. It’s People.
Frank said something I’ve never heard anyone put so bluntly: “Hackers don’t cause breaches. People do. All hackers do is look for opportunities.”
He told the story of South Carolina, where hackers stole 3.8 million tax returns. The commissioner said his office had done nothing wrong. A Secret Service investigation found that a contract employee had taken home a laptop they weren't supposed to and opened it in an insecure environment, and that single action gave the hackers access to everything.
Every breach happens because someone did something they weren’t supposed to do, or someone failed to do something they were supposed to do. Every single one.
The MGM breach cost $800 million and shut down operations worldwide. And it all started with social engineering: someone convinced someone else that they were someone they weren't.
The Uncomfortable Math on Passwords
Frank said he hates passwords. “Passwords are for tree houses,” he told us. They were invented in 1964, and we’re still using them.
Here’s the math: 80% of network intrusions involve compromised user passwords. There are 18 billion password attacks per year. The three largest banks in America spend over $100 million annually just resetting passwords in their call centers.
Passkeys are coming. About 4.5 billion cell phones now have passkey capability. But of the 100 most common sites people visited in 2025, only 48 supported them. We have better technology. We’re just not using it.
The Question Leaders Should Ask
After listening to Frank, I kept thinking about how we make security decisions. We invest heavily in detection tools and incident response teams. We run tabletop exercises to simulate breaches. We buy cyber insurance.
But how much do we invest in making breaches less likely in the first place?
Frank put it this way: “There is no foolproof system. If you believe you have a foolproof system, then you have failed to take into consideration the creativity of fools. But you can make something so difficult that it would be like asking you to move the Empire State Building two blocks in two days.”
That’s the standard. Not perfect security, but security so difficult to breach that attackers go somewhere else.
The threat isn’t going away. Criminals will always find ways to use new technology for harm. But when people understand how scams operate, they don’t fall for them. When employees know what social engineering looks like, they spot it. When organizations build their defenses around prevention rather than just response, they stop the bleeding before it starts.
Frank has been teaching this for half a century.