Travel data and personal information have become more accessible, making virtual kidnappings increasingly common. Although these threats can be difficult to avoid or detect, a proper risk plan can help prepare for such a situation.
What is Virtual Kidnapping
In a virtual kidnapping, the most common circumstances are that a demand is made, almost always over the phone, but there is no actual hostage-taking to accompany it. The demand is made to the family, or even a company on the pretext that the person or virtual hostage (most often a relative) has been kidnapped and is under threat.
This crime had its origins in Mexican prisons with prisoners carrying out multiple calls and requesting ransoms to pay for their phone credit. The crime has since become more widespread with cases throughout Latin America, the USA, and Asia, but the ‘scam’ can be so successful that examples could occur anywhere.
Most recently the scam has become much more sophisticated, with criminals using robocall technology and spoofing software to make it appear that they are calling from your relative’s phone number.
The success of a virtual kidnap depends on the victim being unable to prove or disprove the well-being of the purported hostage until the ransom has been paid. As it is unlikely that the virtual hostage will remain uncontactable or cooperative for very long, this type of kidnapping also tends to move very quickly and involves smaller sums that are to be paid by some form of wire transfer. However, in these most recent cases, the sums involved were significant running into millions of dollars.
Chinese Students Targeted in Recent Virtual Kidnapping Events in Australia
In this most recent group of incidents, it was reported that ”kidnappers” or remote actors persuaded several Chinese students in Australia to cut off all contact with their family, rent hotel rooms, and then fake their own kidnapping. They were then told to take photographs of themselves pretending to be tied up and threatened with knives.
It is possible in these Australian cases that there may have been some background research carried out beforehand, but the overwhelming majority are “robocalls.” Reports by the authorities suggest the criminals were calling from an offshore location targeting anyone with Chinese names; they chanced upon a vulnerable group and, realizing the method was successful, it would appear they repeated it.
Virtual Kidnapping Modus Operandi
Virtual kidnappers can have several ways of operating, including collusion with other accomplices, but most are made using “robocall” software making vast numbers of calls. The range of cases and methodologies used by the virtual kidnappers are very wide and are limited only by their imagination.
In some instances, the kidnappers will target individuals staying at a hotel, or as in the Australian cases, students studying at universities abroad. The reports from this case suggest that these individuals were contacted randomly by gangs operating from robocall centres offshore based on their having Chinese names. In some rare cases, the victim is kept under observation by the offenders, but more likely accomplices have passed on the victim’s contact information and other personal details. Other cases involve kidnappers targeting a particular location and occupation, such as all doctors in San Antonio, Texas.
The virtual kidnappers need to rely on the lack of preparedness and naivete of victims to cooperate in their plans. These latest victims did not appear to be prepared for the virtual kidnap calls and seem not to have discussed the possibility of such calls with their families. Their families also had limited means to contact them or establish that they were not actually in danger. The reports also suggested that the kidnappers pretended to be from the Chinese authorities and threatened harm to their families in China unless they cooperated and helped their families pay “fines.” The ever-present threat from Chinese authorities likely made convincing the students somewhat easier. Similar storylines have been used in Latin America where public corruption is extremely high.
Often, as in these cases, the victim will be threatened over the phone to stay in their room and not answer any calls or make any contact with family or friends. Through these and other threats, such as telling them “we are watching you” and “we have a man outside your door,” they were coerced to provide their next of kin details and cooperate by taking pictures of themselves tied up and in apparent danger. Using spoofing software, which changes the telephone number you are calling from to any number you like, the abductors mimicked a call to relatives using the victim’s telephone number and issued their threats and demands. In some instances, the kidnappers may pretend to be from the local police and ask you to pay a fine or make a special payment for your loved one’s release, “before it is too late.” A general theme will be the necessity for speed to encourage you to cooperate before you or the “victim” discover the scam.
Travel and Hospitality Workers Facilitate Risk
Hotel staff and travel agents have also been known to tip off criminal gangs when the soon-to-be virtual hostage is in a location where they are unlikely to be contacted, for example in a hotel pool, sleeping in their room, or in the cinema, theatre, nightclub, or on a transatlantic flight. The kidnappers will put in a demand for an easily affordable ransom based on the pretext of having kidnapped them and will provide the relatives some personal information, and threaten the relative with the sound of someone pretending to be their loved one being tortured in the background of the call.
Travel Data and Social Media Provide Prime Information to Abductors
Personal identifying information (PII) is often readily available in travel bookings data and hotel rewards programs or memberships. In many cases, PII is exposed publicly on social media profiles, including details about locations, clothing being worn, food preferences, friends, and selfies. These details provide ample information to create a believable story about an abduction and to demand a ransom payment.
For more information on protecting your PII while traveling, get the guide for
Protecting Your Personal Identity While Traveling.
Who’s at Risk?
Most virtual kidnappings involve the “robocall” approach, so almost anyone could be targeted, which is why prior preparation and understanding the scam is so important. More recently the level of sophistication has increased with reports of kidnappers using trade directories, and other directories including memberships of clubs, professions, and specific locations. At its simplest form, anyone could receive a random call with the sound of someone screaming, relying on the caller to panic and cooperate with the often-terrifying threats of harm.
Mitigating Virtual Kidnap Risk
Avoiding virtual kidnaps is very simple but does require a little amount of pre-planning and discussion before you travel.
- Conduct a pre-travel assessment to understand the risk of virtual kidnapping in your area or destinations.
- Discuss the potential for virtual kidnaps with staff and with family and friends before they travel. Decide on identity codes, phrases, or obscure details that your family or friends can ask for if they are contacted and told you are a hostage. Explain about the spoofing of numbers.
- Keep in regular contact with family and friends when traveling. Provide your family with several ways of getting in touch with you while traveling, including hotel phone, email, and texts. Always keep your phone on you.
- Be suspicious of hotel staff and requests for information.
- If you are the potential victim and are being directed to stay in your room and to not contact anyone, do not cooperate. Move quickly to another hotel or location in case your hotel was compromised and inform your family of your movements and whereabouts immediately. Remember these are “robocalls” from another country and rely on you not thinking the threat through or becoming panicked.
- As a family member try and reach out to the alleged victim by any means possible.
- Do not blurt out a loved one’s name if called or share personal information.
- As they rely on your panic, try to slow everything down and ask for proof that your loved one is there and okay.
- Finally, if you suspect a genuine kidnapping, immediately call the authorities, such as the FBI in the US, the NCA in the UK or the BKA in Germany.
Finally, we have discussed this before, but it bears repeating: keeping your publicly available personal information to a minimum is key, especially when linked to your travel. Post by all means, but post after your travel has ended!
WorldAware provides intelligence-driven, integrated risk management solutions that enable multinational organizations to operate globally with confidence. WorldAware's end-to-end tailored solutions integrate world-class threat intelligence, innovative technology, and response services to help organizations mitigate risk and protect their employees, assets, and reputation.