One of the weakest links in our cyber defenses is the human factor. The (ISC)² Cybersecurity Trends Report for 2017 stated that cybersecurity professionals are most concerned about phishing attacks.¹ But phishing is just one of many socially engineered attacks mediated by technology. Now we are seeing an upswing in virtual kidnapping scams.
How the Scam Works
Virtual kidnapping begins with the criminals scouring an intended victim’s social media sites. The criminals will even break into a victim’s phone or computer to plant spyware and gather personal details. They scrutinize the victim’s social media links and select a suitable virtual kidnapping victim, often a family member. They’re willing to wait until the victim’s loved one posts on social media that they are leaving on a trip. Sometimes the criminals will victimize parents whose kids are at school and can’t respond. The criminal then calls the victim and says they have kidnapped the victim’s loved one.
This is all fake, of course; no one has been kidnapped. It’s all just a scam to get the victim to pay a ransom. To make the call seem more genuine, the criminal will provide personal details of the loved one—details that were gleaned from their hacking and investigation. Some criminals will add realism by faking a voice in the background of someone screaming and crying for help. If the criminals have hacked the victim's phone, they may be accessing the GPS and tracking the victim's movements or blocking calls from the virtually kidnapped individual.
The Tricks of Social Engineering
Why does this work? Scammers frequently use four specific tactics to get victims to comply with their scams. Here are those tactics and an explanation of how each is used in virtual kidnapping:

| Tactic | How scammers use it | How virtual kidnappers use it |
|---|---|---|
| Ring of familiarity | Scammers use recognizable information or signs that lower a victim’s guard and open their mind up to the new information. | Virtual kidnappers use web-scraped or stolen information to do this. |
| Story | Scammers use a progression of related events to create a narrative that engages the victim’s emotions and moves them away from logic. | Virtual kidnappers capitalize on known preconceptions about kidnapping and the victim builds a story in their head. |
| Incentive | Scammers dangle something desirable—either a prize to win or a penalty to pay. | Virtual kidnappers push emotional hot buttons by threatening a loved one. |
| Urgency | Scammers try to force you to feel like you must make a fast decision. This panic can short-circuit reasoning so that bad decisions are made. | Virtual kidnappers demand money quickly so that the victim doesn’t have time to think clearly. |

Virtual kidnappers often have a lot of experience in pulling off this scam and know exactly what to say to make it seem like a real kidnapping. The scam is believed to have started in Mexico several years ago but is now spreading globally, with several variations being carried out.
Responding to this Crime
The FBI has offered the following direction if faced with virtual kidnapping:
- Try to slow down the situation. Request to speak to the kidnapped individual directly. Ask, “How do I know my loved one is okay?”
- If they don’t let you speak to your loved one, ask them to describe them or describe the vehicle they drive, if applicable.
- Listen carefully to the voice of the kidnapped victim, if they speak.
- Attempt to call, text, or contact your loved one via social media. Request that the kidnapped victim call back from their cell phone.
- While staying on the line with alleged kidnappers, try to call the alleged kidnap victim from another phone.
- Ask questions only the kidnapped individual would know without offering any information.
- To buy time, repeat the caller’s request and tell them you are writing down the demand, or tell the caller you need time to get things moving.
- Don’t directly challenge or argue with the caller. Keep your voice low and steady.
- Request the kidnapped individual call back from their cell phone.
- Contact law enforcement as soon as possible.
Virtual kidnapping is a crime for which awareness can reduce the risk. Being aware of new crimes and scams is a fundamental part of security awareness training. Ensuring that employees, family, and friends are aware of this scam will greatly reduce the likelihood of victimization. Advise users not to share too much information on social media, which can feed scammers and criminals. Scams like these are good lessons and reminders for users to control their social media usage. Lastly, ensure computers and mobile devices are secure from hacking and phishing.