Each week, the NTIC Cyber Center highlights a different social engineering scam impacting individuals and communities within the National Capital Region. We encourage everyone to share this information with friends, colleagues, and loved ones to help reduce their risk of becoming a victim of financial fraud and identity theft.
Virtual kidnapping is a type of phone scam in which the perpetrator uses online reconnaissance and social engineering tactics to research their victims and convince them that their loved ones have been kidnapped. The perpetrator then demands a ransom payment for their safe return. However, the kidnapping never actually took place and the victims’ loved ones are safe, often having no knowledge of the alleged threat. In this scam, the perpetrator relies on generating a strong emotional response to cloud victims’ judgment and extort large sums of money.
The following are common tactics used to conduct these scam calls. With our increased reliance upon mobile phones and social media to communicate with one another, it is crucial to understand how these scams work to reduce the risk of becoming a victim.
Reconnaissance: The perpetrator selects a target and then conducts extensive online research about him or her, often scouring social media accounts and public records websites to gather as much personal information as possible to make the scam call seem credible. The most popular information collected includes the names of family members, home and work locations, and makes and models of vehicles. Sometimes, videos posted online by targets and their loved ones are collected in order to obtain audio samples of familiar voices to play during calls.
Social Engineering: The perpetrator uses the collected information to craft a story to convince the target that the threat is legitimate. The perpetrator may use text messages or social media to initiate contact with the target, but often they simply make a phone call, preventing the target from contacting the supposed kidnapping victim to verify his or her status and location. Audio samples of either the kidnapping victim’s voice or generic screaming may be played to strike fear and prevent the target from ending the call or contacting law enforcement before the ransom is paid. Sometimes, the perpetrator uses caller ID spoofing tools to display the kidnapping victim’s actual phone number to further convince the target that the situation is real.
Extortion: The perpetrator tells the target to withdraw a certain amount of money from his or her bank account and wire it to a specific account. Targets may also be instructed to deliver the money to a physical location to be collected by an accomplice. In either case, the perpetrator will try to keep the target on the phone until the payment is made to prevent him or her from alerting bank officials or law enforcement.
These virtual kidnapping extortion schemes can be frightening, unsettling, and even costly experiences. To help reduce the risk of you or your loved ones becoming targets, familiarize yourself with the following prevention and mitigation strategies and be sure to share this information with your friends and family.
Tighten privacy settings on social media accounts to prevent anyone other than those listed as a friend or a connection from seeing your posts and personal information.
Limit the amount of personal information you post on websites, applications, and social media platforms and be especially cautious about posting job, home, and vacation locations.
Proactively establish an alternative method of contact for loved ones should you become targeted in a virtual kidnapping scam. Consider social media messaging, text messaging, or contact through another communication application.
If you receive a virtual kidnapping scam call, ask to speak to your loved one directly to verify the authenticity of the phone call.
Refuse to share personal details with the caller such as the names of family members or loved ones.
If you are able to verify the safety of your loved ones, tell the caller that you refuse to pay the ransom and end the call.
If you are not able to verify the safety or location of your loved ones, contact law enforcement immediately, either on another phone line or in person, while remaining on the phone with the scammer.
Report all virtual kidnapping attempts to your local police department and the FBI’s Internet Crime Complaint Center.