Suspicious Activity Reporting (SAR): Misrepresentation
- 1 page
- For Official Use Only
- September 14, 2012
(U//FOUO) Terrorists might use disguises, fraudulent or stolen credentials, and cloned or repurposed vehicles to gain access to restricted areas, to blend in with their surroundings when conducting surveillance, or to conceal other activities while planning or executing an attack. Anders Breivik, the gunman who was sentenced to 21 years in prison for the July 2011 attack on the Workers’ Youth League summer camp in Norway, wore a police uniform and displayed false identification to gain unauthorized access to the camp. Depending on the target, disguises might be aimed at impersonating law enforcement, emergency services, or officials of an institution who have legitimate access to secured/restricted sites.
(U//FOUO) The following SAR incidents from the NSI shared space demonstrate types of behavior terrorists might exhibit during planning or actual attacks. Although none were linked to terrorist activity, we consider the examples relevant for situational awareness and training:
— (U) A security officer at a critical infrastructure site approached two individuals who displayed badges and holstered hand guns and claimed to be “homeland security” personnel conducting an investigation. The individuals refused to identify themselves and directed the officer to stay back. Subsequent investigation revealed the individuals were not authorized homeland security/law enforcement officials.
— (U) A subject, who falsely claimed to be an undercover FBI agent, contacted a security officer at an indoor concert arena in an attempt to obtain security plans for the building. He presented a fake business card that identified him as a special agent with the FBI and was later arrested and charged with impersonating a police officer.
(U) Possible Indicators of Misrepresentation
(U//FOUO) The following activities might indicate attempts at misrepresentation and fraudulent impersonation. Depending on the context—time, location, personal behaviors, and other indicators—suspicious persons who attempt to access restricted areas under disguise or using questionable credentials should be reported to appropriate authorities.
— (U//FOUO) Presentation of outdated, expired, tampered with, or otherwise invalid credentials, including documents displaying photographs that don’t match the individual.
— (U//FOUO) Display of uniform without proper identification, or use of partial uniforms and props such as mock weapons to access restricted areas.
— (U//FOUO) Attempt to gain entry by using stolen access cards or special keys.
— (U//FOUO) Attempt to discourage security personnel from requesting proof of identification by evoking authority or displaying intimidating behavior.
— (U//FOUO) Use of one’s legitimate credentials to access areas outside his or her scope of responsibilities (insider threat).
— (U//FOUO) Use of cloned emergency vehicles where the identifiers (decals, markings, logos) differ slightly from the official government or industry vehicles.
Related Material From the Archive:
- (U//FOUO) DHS-FBI Suspicious Activity Reporting Bulletin: Attempted Breaches/Intrusions
- (U//FOUO) DHS-FBI Suspicious Activity Reporting Bulletin: Terrorists Eliciting Information
- (U//FOUO) DHS-FBI Suspicious Activity Reporting Bulletin: Aviation Flyovers
- (U//FOUO) DHS-FBI Bulletin: Indicators of Suspicious Behaviors at Hotels
- (U//FOUO) Indiana Fusion Center: Suspicious Activity Involving Emergency Services and Hospitals
- (U//FOUO) New Jersey Suspicious Activity Reporting Brief
- Suspicious Activity Reporting Line Officer Training Video
- (U//FOUO) DHS-FBI Suspicious Activities Involving School Buses