The chance of being kidnapped on a business trip is a rare but real risk, and organisations put various measures in place to mitigate this risk as well as engaging specialist support should the worst happen. However, as a result of rapid technology advancements, we’ve seen an increase in a relatively new kid on the kidnap block.
The call began with a woman’s screams. “We’ve got your daughter,” an unknown male voice said. In the background, there were sounds of a scuffle, more screaming and male voices shouting. The caller then demanded a ransom for her safe return.
But the alleged victim was aboard a plane. Safe and well, 35,000 ft over mainland Europe, she was on the way to a business trip. The family had been a target of a virtual kidnapping.
This is the latest extortion scam that tricks victims into paying a ransom to free a family member or employee, who they believe has been kidnapped.
Criminals may clone a person’s phone number to make it seem as if the call is coming from the victim’s phone, or clone their voice, using AI and deepfake technology, to make the attack seem more convincing.
Virtual kidnapping attempts: how to spot them
While terrifying in the moment, many elements of a virtual kidnap scam rely on old tricks repackaged. For example, the kidnapper sows fear, uncertainty and doubt to catch their victim off guard. Their appeal is designed to trigger an emotional response. This is an attempt to prevent the victim thinking and acting rationally.
They spin up a story to make things more plausible and convincing, and they create a sense of urgency or put the victim under time pressure, either by being aggressive, making threats to harm the alleged kidnap victim, or insisting on expedited payment.
Successful cons are an exercise in the art of persuasion. Often the perpetrator will manipulate the situation, so victims persuade themselves.
Virtual kidnapping: a view from the market
Kidnap is a risk for various reasons, depending on the location. At Maiden Voyage, we include anti-kidnap training as part of our travel safety training programmes to mitigate the risks.
There’s express kidnap, where someone is frogmarched to an ATM, in hotspots such as Central and South America to withdraw cash until their bank stops paying out. There’s also kidnap for ransom, as well as tiger kidnap, whereby two crimes are committed. First a person is taken and then instead of requesting money, the captors will demand that a second crime is committed such as violence, robbery or in some cases murder.
Virtual kidnapping is when the criminal pretends to kidnap someone to extort money from their family or employer. We’ve seen an increase in virtual kidnapping since people started posting to social media.
For example, “I’m in the airline’s first-class lounge en route to Australia”. That person is likely to be off grid for a while, which gives criminals a window of opportunity to carry out the fraud.
We asked the team at Cortida, experts in cyber security consulting, what steps individuals and companies can take to reduce the risk of becoming a victim of virtual kidnap.
Virtual kidnapping: how to prevent it
There’s a lot of overlap between virtual kidnapping prevention tips and other forms of social engineering in a business context.
Be wary of sharing details of travel plans or real-time location online.
Restrict social media posts and the use of hashtags, which could give away location, to friends, family and trusted colleagues only.
But, if you’re speaking at a conference or attending a trade fair for business, you’d probably publicise the fact, including on social media. The event organiser would likely do the same, precisely to let customers, prospects and others know about it.
Just be aware that criminals can also use this info to time and tailor their attacks. They’d know when a potential kidnap victim is away from home or unavailable to be contacted.
Consider using a tracking app to let trusted parties check where you are. Various apps can track a mobile device and store the route in the cloud. Even if the device is switched off, the last location can be available for a trusted party to check.
Conduct regular staff training.
Virtual kidnapping is like other forms of social engineering. A prime example is CEO fraud, also known as bogus boss fraud or business e-mail compromise.
Forewarned is forearmed. So, train your staff on how to recognise various types of phishing attacks. This should include targeted ‘spear-phishing’ and vishing, voice-initiated phishing attempts.
To avoid becoming a victim, try to slow the situation down. Repeat the caller’s request. Tell them you’re writing down the demand and that you need time to get things moving. Avoid sharing information about yourself, your business or the alleged kidnap victim.
Verify all requests.
Request to speak to the alleged victim direct. Ask questions of them that only they would know. Consider a password to be agreed in advance that colleagues can use to confirm they are actually in danger.
Attempt to contact the alleged victim via phone, text or social media and request a call back.
If you receive a video file of someone who looks to be bound, gagged or pleading for help, software such as Deepware can help determine whether it is fake, generally through the use of artificial intelligence to check human faces for signs of manipulation.
Be suspicious of urgent requests.
Urgent, secret or unexpected requests that arrive at the end of a business day or week, or those that pressure you to act quickly, should automatically raise a red flag in most cases.
With virtual kidnapping, callers may also try to keep you talking and insist you stay on the line. This is to prevent you from raising the alarm or contacting the alleged victim. In most cases, if you receive a call demanding a ransom to free an alleged kidnap victim, the best course of action is to hang up, the FBI advises.
If you suspect a real kidnapping is taking place, or believe a ransom demand to be a scam, contact law enforcement immediately.
Cortida offers information and cyber security consulting, including awareness training for mobile and remote workers. For more information, please get in touch: firstname.lastname@example.org
Physical and virtual anti-kidnap training is included in the syllabus of some of our travel safety training courses and eLearning modules. Find out more here.