Teenage girl lost in deserted gateway, phoning trying to explain where she is

How to spot the signs of a virtual kidnap scam

Threats and bluster play a key role in most online attacks: Ransomware has its ransom note; trolls threaten to ramp up the pressure; tech support scammers insist your PC needs urgent assistance.

Some take it a step further, leaning in with a more direct approach, ranging from death threats to sextortion, and even kidnap claims. These tactics have been around for a very long time. You can reach back to 2007 and look in amazement at the 419 death threat. In 2013, we had pretend hitmen threatening murder unless victims paid $25,000 to survive their non-existent wrath.

An example of the kidnapping variety is currently in the news, and it’s well worth familiarising yourself with it.

The virtual kidnap: Step by step

Kidnap scams involve making a phone call to a victim and telling them a loved one has been taken. Threats of violence soon follow, unless a ransom—typically in the form of a wire transfer—is paid. The most disturbing aspect of these calls is that scammers play recordings of screams in the background.

One horribly fascinating aspect of this crime is that panic and adrenaline can convincevictims that the voice they hear is that of their son, daughter, spouse, and so on. You see this time and time again. In that kind of high-stakes, high-pressure scenario, who can blame them?

Things become even worse when social engineering combines with publicly available data to make it even more convincing.

Profiling the victim

Victims of the most recent virtual kidnap attemptlikely had some of their information used against them in the call. Scammers pretended to have someone’s mother held hostage, with the threat of never seeing her again. Sadly, the ruse was made more convincing because the caller ID displayed as the recipient’s mother’s phone number. Somehow, somewhere, they were able to connect the two relatives and their cell numbers.

The already convincing impact of the scream recording would be amplified by the recognisable number. At this point, it’s already game over. The fraudster on this occasion asked for money to be sent through Venmo. We see criminals gravitating to digital payment systems, cryptocurrencies, and even gift cards across most realms of attack. Wire fraud is still big business, but digital transfers are appealing to those wanting to make a quick getaway.

On this occasion, the victim is $900 out of pocket and that’s before we consider the significant psychological impact of a supposed kidnap phone call.

Tips to avoid virtual kidnapping attempts

This is clearly an incredibly disturbing thing to have happen, and plenty of tactics to combat this crime have developed this past decade. FBI Chicago released several good pieces of advicein March, which take into account the social engineering side of things:

  • Never post news of upcoming travel dates and locations online.
  • Discuss virtual kidnapping with family members prior to any travel.
  • Have a “password” that family members can use to confirm a loved one is really in trouble.
  • Be wary of providing financial information to strangers over the phone.

Some of the other tips focus mainly on bogus wire transfers. As we see above, criminals are happy to use other methods to swipe ill-gotten gains. Not being able to describe the victim is another good tip, but how many people would risk asking this in the heat of the moment? Would you reallywant to upset a kidnapper and have them just hang up because you said the wrong thing?

Keeping cell phone numbers private on any website is a must. Posting photos of your vacation in real-time? Set up a private Instagram and share it with close friends and family only. Don’t leave contact details of family members stored in easily compromised email accounts. Lock them down with whatever additional methods are to hand. 2 factor authenticationand password managersare good places to start.

Nobody wants a late night call claiming a loved one is being held hostage. Having said that, if the worst happens? Keep cool, take a deep breath, and work your way though the above suggestions. It’s almost certainly an astonishinglymalicious piece of fakery.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.