AI and the rising threat of virtual kidnapping

Authored by AXA XL’s Denise Balan and Peter Doherty

Though no cases have been confirmed, deepfake technology may be leveraged by “kidnappers” to extort exorbitant ransoms from their victims. It’s a risk every corporation needs to keep on their radar.

For all of the advancements in problem-solving, communication and productivity that technology has driven, it has also fueled the ingenuity of fraudsters, presenting ever more complicated risks to individuals and businesses alike. More recently, concern has risen around the potential applications of artificial intelligence to mimic voices – a form of deepfake with great criminal potential.

Just as hackers have copied corporate logos and writing styles to send phishing emails, they can now leverage artificial intelligence to replicate voices, using the fake audio to commit fraud and extortion.

One of the most frightening examples of this is “virtual kidnapping,” in which the “kidnapper” uses AI to copy the voice of the supposed victim to convince a friend or family member over the phone that their loved one has indeed been taken and will only be returned in exchange for a ransom.

While there have been no high-profile cases of virtual kidnapping so far, there have been instances where targeted individuals paid sums to criminals who were able to mimic the voice of the “victim” to some degree. It’s unclear whether AI was used, or if the perpetrators simply used a similar voice or a generic recording to fool their victims, but the capability of AI to pull off such a scam is certainly there. In a world where many people have an online presence, it would not be difficult for a scammer to find an audio clip of a high-profile executive’s teenager, for example, and use it to demand an exorbitant sum. It is a threat that corporations and their employees must prepare for.

In the event a ransom call is received, there are ways to identify a scam and protect yourself from being taken advantage of in this high stress situation.

Keep a cool head
Virtual kidnappers or extortionists prey on panic. They count on their targets to act out of fear and emotion rather than rationality. Even in instances where AI is not used to fake the victim’s voice, it can be easy to manipulate a panicked person’s perceptions. In most cases, the target can reach the supposed kidnappee themselves and confirm their safety within minutes, and it’s critical to take this step before giving in to a criminal’s demands.

In January of 2023, a Texas mom received a call from a man stating he had her daughter, whose life was in imminent danger if she did not send him $1 million. He then played the sounds of a woman screaming and crying, which the mother insisted sounded just like her daughter. After calling several family members, the mother was able to speak to her daughter within four minutes. Though these scenarios tend to evolve very quickly, taking a moment to attempt to contact with the kidnappee can end the situation – and the fear – almost immediately.

Establish proof of life

Whenever law enforcement or security consultants get involved in a kidnapping case, the first thing they will ask for is proof of life (POL). The best form of POL will always be achieved in a direct telephone conversation between the kidnappee and a person who knows them well and recognizes their voice and mannerisms. When POL is expanded upon, this typically comes in the form of a question that only the alleged kidnappee can answer. This should go beyond generic information like a favorite color or a pet’s name, and should be highly personal and memorable – often something with a story behind it – so there is not a shadow of a doubt that if the victim answers correctly, he or she is indeed who the kidnapper claims them to be. It is worth thinking about what memories or pieces of information might work best for each family member, as it can be difficult to recall specifics in a high stress situation. If no proof of life can be established, all negotiations should be treated with great care and speculation.

This was the case during negotiations over the release of a kidnapped Jordanian pilot in 2015, who had been taken by members of ISIS. After weeks of negotiations, the kidnappers were unable to provide proof of life. Negotiators refused to move forward, and no concessions were made to the kidnappers. It was later confirmed the pilot had been killed within days of his capture, though the kidnappers continued to negotiate for his release.

In a virtual kidnapping scenario, the same principles apply. AI may be able to replicate the melody, tone and inflections of a victim, but it cannot answer a specific and unique proof of life question.

Know who to call

Clear communication is critical to manage a kidnapping scenario quickly. AXA XL’s kidnap and ransom coverage provides access to S-RM, a global security consultancy. If a covered employee receives a ransom demand, among the first calls they make should be their company’s crisis management point of contact. If that individual determines the threat to be a critical event, they call S-RM’s 24/7 confidential hotline.

Once a threat is received, a specialist crisis management consultant is assigned to work with the crisis management team to keep everyone on the same page and serve as the main advisor in relation to negotiations with kidnappers, if negotiations are needed. This consultant is in contact with the client within 15 minutes of receiving a call, and deployed on-site within 24 hrs. When the situation is resolved, the firm will also provide a review of the case to identify risk mitigation strategies. Was this an isolated incident, or does it highlight shortcomings in the corporation’s overall security program?

Utilize preventive services

AXA XL’s kidnap and ransom policy also provides access to preventative services from S-RM. This includes training to reduce overall exposure to a kidnapping threat.

Management of online presence is a big component, not just for a high-profile executive but for family members as well. Strong privacy controls give kidnappers less information to leverage and make that person a less attractive target.

A strong internal crisis management plan which outlines a chain of communication within a corporation is also critical and helps to allay initial moments of panic and confusion.

Though the full potential – and risks -- of artificial intelligence remains untapped, following these basic practices can help to reduce exposure to and effectively manage any kidnapping scenario.

About the Authors

Denise Balan is head of U.S. Security Risks for AXA XL. She joined AXA XL in 2013 to establish its Kidnap, Ransom and Extortion business, part of its regional Crisis Management operation in the US. AXA XL’s Crisis Management insurance business helps businesses operate in an increasingly volatile world, providing Kidnap, Ransom & Extortion, Political Violence and Terrorism insurance protection, as well as risk consultancy that helps clients avoid or manage a crisis.  

Peter Doherty leads S-RM’s global crisis response capability, responding to a varied and complex client base, and specializing in 24/7/365 response to critical incidents and security risks; from natural and man-made disasters, terrorism, kidnap and evacuation to providing resilience against cyber-attacks and security threats. Prior to joining S-RM, he was a highly experienced Detective at New Scotland Yard, with 30 years’ experience in Specialist Operations including counter-terrorism, homicide, serious and organized crime and sensitive intelligence.