Cyber kidnapping: new scam on the rise

"Technologies are now so advanced that images and videos can be imitated deceptively realistically. You don't even need in-depth knowledge to use artificial intelligence," explains Ildikó Bruhns, project manager of the Eset Safer Kids Online initiative. "With a little practice, fake voice messages or images in which family members are supposedly in emergency situations, for example, can be created with convincing quality. And many people provide the criminals with the templates for this free of charge, because social networks are a veritable treasure trove of material, and not just for this type of scam."

This is how virtual kidnappers work

According to Eset, a typical virtual kidnapping scam consists of the following steps:

1. The fraudsters research potential victims whom they can call and from whom they can extort money. AI tools are already being used to help them in their search.
2. The kidnappers identify a "kidnap victim". They often choose a child of the person they identified in the first step. In doing so, they mainly rely on information that parents disclose publicly, for example on social networks.
3. The cybercriminals then create an imaginary scenario to intimidate parents. The more parents fear for their children, the more likely they are to make rash decisions. As with any good social engineering attempt, the fraudsters build up pressure to push parents into a knee-jerk reaction.
4. The fraudsters find out the ideal time to make their blackmail call. To do this, they use information that may be available on social media: When is the child at school? Is the son or daughter on vacation with relatives or at a vacation camp? The idea behind this: The kidnappers contact parents at a time when their child is not present and they have no opportunity to speak to them.
5. Now another AI tool is being used: with the help of readily available software, the fraudsters create audio recordings of the victim's voice in an attempt to convince the victim's family that they have abducted the child. Other information from social media can also be used to make the scam sound more convincing, for example by inserting details about the "abducted" child that a stranger would not appear to know.
6. If parents fall for the scam, the kidnappers ask them to transfer money, for example in the form of cryptocurrency.

A vicarious agent of cyber kidnappers?

The potential of ChatGPT and other AI tools for virtual hijackers is worrying, according to Eset. The technical foundations that come into play here have existed for some time. Advertisers and marketers in particular would use similar techniques to analyze target groups. Experts refer to this as "propensity modeling": statistical models are used to calculate when a certain event is likely to occur in order to target the right message to the right group of people.

According to Eset, cyber criminals use this technology to find the ideal time for their apparent kidnapping. It is enough to "feed" a generative AI with the right questions and it will present potential victims who:

• have the necessary income and are prepared to pay a ransom in the event of a kidnapping,
• disclose a lot of information about themselves and their family on social networks or
• live in a particular region.

"Unfortunately, cloned voices already sound worryingly convincing. And the technology behind it is easily accessible to fraudsters: voice-cloning-as-a-service providers have already adapted to the demand and provide easy-to-use services for little money. If this trend continues, cyber kidnapping and similar attacks will no longer be isolated incidents," continues Bruhns.

Tips for parents

This all sounds worrying at first, according to Eset. However, a few tips would help parents to be better armed against such scams:

• Do not disclose too much personal information on social media. Avoid posting details such as addresses and phone numbers. If possible, don't even post photos or video/audio recordings of your family, let alone details about your loved ones' vacation plans.
• Keep your social media profiles private. This will make it harder for criminals to find you online.
• Watch out for phishing messages designed to trick you into revealing confidential personal data or logins for social media accounts.
• Install parental control apps on your children's smartphones. These contain a tracking function that allows you to quickly track your child's location. If a stranger claims to have abducted your son or daughter, all it takes is a glance at the app and you can see whether your child really is in an unusual place.
• If you receive a blackmail call, try to drag out the conversation with the "kidnappers" as long as possible. At the same time, try to call the person you think has been kidnapped or have someone else call them.
• Remain calm, do not disclose any personal details and, if possible, get the caller to answer a question that only the abductee knows the answer to.
• Notify the police as soon as possible - even if the kidnapping turns out to be a fake.

Source: Eset Germany / pts