A similar situation happened to a web/email hosting company to which a small client company outsourced their email hosting. An ex-employee from the small company called the hosting company to reactivate his email account, claiming his company would discontinue their contract and all if they didn't reactivate his account and stuff.

Later the CEO of that small company called the hosting company, telling them not to take order from anyone from his company but him, even if someone claimed to be a CTO or president or whatever threatening their business and everything.

So, a friendly help desk clerk that's far beyond the CEO's mind and control turned out to be his major security hole. It took him a couple of calls to the hosting company before the situation stopped. Apparently, the ex-employee was very convincing.