blog / Mar 30, 2017 Virtual Kidnapping: The Latest in an Endless Stream of Scams by Mike Levin, Center for Information Security Awareness SHARE In 2007, Michael Levin retired from the United States Department of Homeland Security after a distinguished thirty-year career in law enforcement. Michael served at the Department of Homeland Security as the Deputy Director of the National Cyber Security Division. Michael previously served as the Branch Chief of the U.S. Secret Service Electronic Crimes Task Force program in Washington DC. Michael was a member of the Secret Service Electronic Crimes Special Agent program and worked around computer forensics and cybercrime investigations for over fifteen years. After this distinguished career and seeing the need, Michael founded the Center for Information Security Awareness. The CFISA (cfisa.org) brought together a group of leading academics, security and fraud experts to explore ways to increase security awareness among many audiences, including consumers, employees, businesses and law enforcement. One of the weakest links in our cyber defenses is the human factor. The (ISC)2 Cybersecurity Trends Report for 2017 stated that cybersecurity professionals are most concerned about phishing attacks.1 But phishing is just one of many social engineered attacks mediated by technology. Now we are seeing an upswing in virtual kidnapping scams. How the Scam Works Virtual kidnapping begins with the criminals scouring an intended victim’s social media sites. The criminals will even break into a victim’s phone or computer to plant spyware and gather personal details. They scrutinize the victim’s social media links and select a suitable virtual kidnapping victim, often a family member. They’re willing to wait until the victim’s loved one posts on social media that they are leaving on a trip. Sometimes the criminals will victimize parents whose kids are at school and can’t respond. The criminal then calls the victim and says they have kidnapped the victim’s loved one. This is all fake, of course; no one has been kidnapped. It’s all just a scam to get the victim to pay a ransom. To make the call seem more genuine, the criminal will provide personal details of the loved one—details that were gleaned from their hacking and investigation. Some criminals will add realism by faking a voice in the background of someone screaming and crying for help. If the criminals have hacked the victim's phone, they may be accessing the GPS and tracking the victim's movements or blocking calls from the virtually kidnapped individual. The Tricks of Social Engineering Why does this work? Scammers frequently use four specific tactics to get victims to comply with their scams. Here are each of those tactics and an explanation of how they’re used in virtual kidnapping: Tactic Description Virtual Version Ring of familiarity Scammer use recognizable information or signs that lower a victim’s guard and open their mind up to the new information. Virtual kidnappers use web-scraped or stolen information to do this. Story Scammer uses a progression of related events to create a narrative that engages the victim’s emotions and moves them away from logic. Virtual kidnappers capitalize on known preconceptions about kidnapping and the victim builds a story in their head. Incentive Scammer dangles something desirable—either a prize to win or a penalty to pay. Virtual kidnappers push emotional hot buttons by threatening a loved one. Urgency Scammer tries to force you to feel like you must make a fast decision. This panic can short-circuit reasoning so that bad decisions are made. Virtual kidnappers demand money quickly so that the victim doesn’t have time to think clearly. Virtual kidnappers often have a lot of experience in pulling off this scam and know exactly what to say to make the scam seem like a real kidnapping. It is believed to have started in Mexico several years ago but is now migrating globally, where several variations of the scam are being carried out. Responding to this Crime The FBI has offered the following direction if faced with virtual kidnapping: Try to slow down the situation. Request to speak to the kidnapped individual directly. Ask, “How do I know my loved one is okay?” If they don’t let you speak to your loved one, ask them to describe them or describe the vehicle they drive, if applicable. Listen carefully to the voice of the kidnapped victim, if they speak. Attempt to call, text, or contact your loved one via social media. Request that the kidnapped victim call back from their cell phone. While staying on the line with alleged kidnappers, try to call the alleged kidnap victim from another phone. Ask questions only the kidnapped individual would know without offering any information. To buy time, repeat the caller’s request and tell them you are writing down the demand, or tell the caller you need time to get things moving. Don’t directly challenge or argue with the caller. Keep your voice low and steady. Request the kidnapped individual call back from their cell phone. Contact law enforcement as soon as possible. Virtual kidnapping is a crime for which awareness can reduce the risk. Being aware of new crimes and scams is a fundamental part of security awareness training. Ensuring that employees, family, and friends are aware of this scam will greatly reduce the likelihood of victimization. Advise users not to share too much information on social media, which can feed scammers and criminals. Scams like these are good lessons and reminders for users to control their social media usage. Lastly, ensure computers and mobile devices are secure from hacking and phishing. 1 http://cert.isc2.org/cybersecurity-spotlight-report-b/ To read more from Michael Levin, please visit The Center for Information Security Awareness blog at cfisa.org/security-blog.html. SHARE MODIFIED: Jul 24, 2017 Tags: cyber security, ransomware, threat intelligence, virtual kidnapping stay up to date Get the latest application threat intelligence from F5 Labs. There was an error signing up. Thank you, your email address has been signed up. submit Follow us on social media. Related Stories article / Jul 22, 2016 Web Injection Threats: The Cost of Community Engagement on Your Site article / Oct 23, 2016 DARPA Proves Automated Systems Can Detect, Patch Software Flaws at Machine Speed blog / Aug 12, 2016 Is HEIST a Risk or a Threat?