The Real Price of Virtual Kidnappings

By Matthew Harwood
A man travels to Mexico on business. During his trip, his wife receives a call from her husband’s cell phone. Upon answering, she hears screaming. Then the voice of a stranger comes onto the phone, saying the screams were those of her husband, whom he has kidnapped. He demands a money transfer of $1,000 within five hours, adding that if he doesn’t get the payment, he will kill her husband. A few expletives are thrown in for emphasis.
The wife is terrified. She calls her husband’s cell phone, and the same man answers. Convinced he has her husband, she complies with his demands and sends $1,000 through Western Union.
Hours later the husband calls and tells her what actually happened. His cell phone was stolen earlier that day.
The wife in this scenario has just been the victim of the crime of “virtual kidnapping,” where criminals leverage a stolen cell phone or stolen personal information to scare a quick ransom payment out of a company or a family without ever abducting anyone.
The practice has become so prevalent in Mexico that the government has created a cell phone registry to try and track down virtual kidnappers. 
Christopher Voss, managing director of Insite Security’s kidnapping resolution practice and a former FBI kidnap and ransom negotiator, tells Security Management of one case the FBI worked on in the San Diego area. A family’s college-aged kid went down to Tijuana to party and lost his ID and his phone. Knowing they had some time before the hung-over co-ed started looking for his missing property, the people who found it decided they had time to try and extort money from his parents. In this case, they called the FBI, which determined that it was a hoax, and the parents did not pay the ransom.
Special Agent Brad Bryant, chief of the FBI’s Violent Crimes and Major Offenders Unit, says the bureau has no open virtual kidnapping investigations in the United States to his knowledge, but that doesn’t indicate how often cases occur. Solid statistics on this type of crime are hard to come by, says Fred Burton, vice president of intelligence for STRATFOR, a private intelligence firm. Multinational companies that have fallen victim to the ruse won’t publicize it for fear of harming their brand and making themselves and their employees a bigger target for other virtual kidnappers. Burton confirmed to Security Management that U.S. companies have been victimized but would not elaborate. 
Burton adds that he would look on any virtual kidnapping statistics with a grain of salt. “I don’t think there’s any one entity that you can go to that’s capable of providing…accurate numbers,” he says.
While the specifics may be hard to nail down, there’s no doubt that, in general, virtual kidnappings are attractive to criminals and are likely to continue to be a problem. “[F]rom the criminal’s side, there’s very little investment in time or effort,” explains Voss.
When criminals carry out real kidnappings, they need safe houses to hide the abducted subjects, and they must go to the trouble to keep them reasonably cared for if they plan to return them for the ransom. Virtual kidnappers, on the other hand, just need a phone line, some personal information, and the ability to terrify their victim—which isn’t hard when he or she believes an employee or a loved one’s life is on the line.
There are ways to avoid being the victim of a virtual kidnapping scheme, say experts. One of the first and most important steps is to practice good cell-phone hygiene. Jaime Garcia, security manager for Mexico and Texas for the automotive parts maker Delphi, advises employees to go through their cell phones and eliminate any generic names.
“There should be no ‘home,’ ‘office,’ ‘babe,’ ‘honey,’ whatever,” he says. That way, a virtual kidnapper can’t just steal a phone and hit one of those contacts to make the ransom call. Garcia suggests that travelers clear their calling history daily so that a thief won’t be able to guess by the frequency of calls that a particular number is a loved one or an employer.
He also advises employees with the ability to password protect their cell phone or smartphone to do so. Virtual kidnappers can’t access phone numbers or personal information if they can’t get at it. And they need that type of information to carry out their scheme.
Cell phones are not the only source of that type of personal information, however. Virtual kidnappers also harvest personal numbers and family information from wallets or purses they’ve stolen, says Voss. 



Cell phone OPSEC

It's something most people simply do not practice.  There are various levels and layers one should consider going to depending upon the environment they are in, but geez how many people don't even use a password on their cell phone?  It may be an inconvenience, but when somebody gets a hold of your cell phone you will wish like hell you had practiced the most basic security.

"There Are No Silver Medals in the High Risk Environment"™


The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.