We hold an “arm’s length” perspective on social engineering until we become a victim. Allow me to introduce myself: I am a victim. Don’t stop reading, you’re going to want to know a few things about me.
First, I manage the cybersecurity awareness program at a university in Southern California.
I also had a stage career and taught theatre performance at a large university in the Midwest. I say this because I know great acting. The social engineering scheme that I was a victim of is called the Kidnap scheme. The actors were good. There were multiple actors. The script was crafted to leverage the psychology of terror that only a parent can know. They knew about me. They had me profiled.
The call came in on my cell with a Mexico country prefix. Ordinarily, I never would have answered. I would have employed the CIO’s mantra: “If you don’t know the number, let it go to voicemail”. But it just happened that weeks before, I had connected with a friend of a friend who lives in Mexico. That sound you hear off in the distance is the perfect storm approaching.
I answered expecting to hear a friendly voice. What I heard instead were the sobs of a young girl calling out: “Daddy help me, they tied me up and threw me in a van”, she went on, “please don’t let them kill me daddy”… Even the background noise was authentic with sounds of a struggle as the antagonist grabbed the phone and called me by name. Yes, he knew my name. He knew I had a daughter. He had my profile. All the while, I could hear the child crying in the background. They followed the script expertly. “This is really happening, don’t hang up the phone or you won’t see your daughter again” (more crying in the background). He has my attention.
In my job, I spend hours poring through the latest security material and had never read anything about the kidnap scheme. It was the IRS scam on acid. My wife was in the room, and she grabbed her phone to record the call which was on speaker. At the same time, she tried to call my daughter in the Midwest and my son in the EU. I began to feel the paralytic grip of fear. My thoughts wavered; even though I am an IT professional, his words rang in my ear: “This is real. Get ahold of yourself you need to be calm and I will give you instructions”. I’m thinking about the girl’s voice, it was the right age, the right pitch…she always calls me daddy when she’s in trouble. Things are moving faster than my analytical mind can process them. The kidnapper is not leaving me any time, any space, he’s giving clear and concise commands that I must follow and reminding me of the consequences if I don’t.
I remember he told me to grab my phone and my car keys and head to my car. I was literally being hijacked psychologically. My brain started catching up with the nightmare and I regained just enough presence of mind to remind myself that this was a con; then I thought, “Wait! – what if this is real and it’s someone else’s kid?” I picked up my keys and headed to my car with my wife trailing, still trying to reach my kids. I am numb, caught between belief and disbelief; my professional self and my inner parent. I have to keep the game alive at least until my wife hears my real daughter’s voice.
The key was in the ignition when my wife ran up to the car and drew a finger across her neck; I knew she was screaming silently at me to hang up. Do it! Your daughter’s fine! I reached up and pressed -end call-.
5 seconds later the phone rings. Then again, then again and again. At this point I wonder how persistent they will be. All from a burner phone in Mexico. Untraceable.
Once my heart stopped pounding, I called the local PD. They were casual. They took my information and assured me that there was an ongoing investigation. No, they didn’t want me to file a report. Next I called the FBI and was met with a similar response. They were aware of the increased activity in Ventura County, and no, there wasn’t anything they could do. They suggested I call the Federal Trade Commission. I just sat there, dumbfounded.
Teaching about social engineering and cyber crime is no longer a theoretical exercise. It is part of my life experience. I will be haunted by this experience for the rest of my life. This was ungodly. It was predation on a level I had never heard of, much less experienced. These were highly skilled, well equipped, intelligent criminals without conscience. They used weaponized data. This was an experience of abject evil.
Until now I have stood in front of faculty and staff and described phishing and spam and man-in-the-middle attacks. I’ve lectured on what could happen unless you take precautions. If anyone should have been able to dodge this bullet, it’s me. Please, please, don’t let it be you.