To Resist or Not to Resist — That is the Question

One question that often comes up is whether or when to resist a criminal.  There is no clear-cut answer as it depends a lot on the situation and the individual involved.  Generally though most people agree that pure property or economically motivated crimes should not be resisted.  If the criminal just wants your money or jewelry or whatever property you have its best to turn it over without delay.  You should never put your life at risk for property.  In many places in the world criminals are armed and will use violence at the slightest provocation.

If the criminal is a violent physical crime against your person such as an assault, attempted rape, etc. the response is really a personal decision:  what will you tolerate or not tolerate?  Again will usually be driven by the situation as well.

An area that may be less clear is an abduction or kidnapping.  In these situations its important to know the local norms and the local security environment.  In the US for example kidnapping for ransom is relatively rare.  Many abductions are done by sexual predators or others that will do you harm regardless.  For this reason many experts recommend fighting back to prevent being moved to what is referred to as crime scene 2.  The abduction site is crime scene 1 and its probably better to resist at crime scene 1 than risk being taken to crime scene 2 where the predator will have more time and better control over you and the consequences may be much worse.  However when you shift this dynamic overseas the scenario may change dramatically.  In many international locations kidnap-for-ransom is rampant and in many of these places kidnap victims are usually released unharmed.  In Colombia as an example, there was a period when kidnapping was a very developed business and kidnappers generally kept their victims alive and managed their captivity well to be able to collect the ransom.  In some locations such as Yemen and Egypt’s Sinai Penninsula foreigners are kidnapped by local tribes as a bargaining tool in disputes with the government.  In these cases the victims are usually released unharmed after a short period.  In many locations where express kidnapping is common victims are kept for a few hours to drain their ATM accounts and then they are released.  Therefore it is reasonable to say there may be some abduction scenarios where not resisting increases the likelihood of a better outcome.

A similar – and often related issue to the abduction/kidnapping scenario is the risk of being tied up.  If there is a home invasion at your residence or if you in a place of business when it is robbed and the perpetrators want to tied you up or otherwise restrain you should you resist?  In some cases the criminals may want to do this simply for their own protection or to buy them more time to escape and they may mean you no harm.  Of course you have no way of knowing their intention and some experts will correctly advise you not to trust what they tell you.  Keep in mind that anytime you allow yourself to be restrained you reduce and probably remove your ability to fight back.  That’s a fairly significant consideration and something to think about before the incident occurs.
If you are the victim of an abduction or kidnapping chances are the perpetrator or perpetrators have done some planning and have chosen the time and place to attack so that circumstances favor them.  It’s also possible, in fact likely that they have committed this crime before.  Also – the actual point of abduction is the most volatile time in a kidnapping.  The criminals are on edge and worried about facing resistance so tensions are running high.  That said it may still present the best opportunity to escape as once they have control over you they will move you to a location where they plan to confine you and the level of control will be even greater.  At that point escape will likely be very difficult.

If you are fairly confused at this point or more confused than before you started reading that is normal.  Like so many personal security questions there is no one right pat answer, no on-size-fits-all solution.  There are only ideas and options to consider.  You need to think about the environment you are in, your personal triggers, thresholds and tolerances and weigh the different options.  Some thought should be given to these things before an incident ever occurs.

The Criminal “Interview”

While we are discussing unsolicited approaches it’s a good time to mention the criminal “interview” that is often the precursor to a robbery or assault.  The interview occurs when the criminal engages the potential victim in conversation prior to initiating a crime.  This usually serves two purposes:

(1) it gives the criminal or criminals and opportunity to further assess the suitability of their target and

(2) it can serve as a distraction technique to get the potential victim to lower their guard and/or diver their attention which facilitates the attack.

The criminal usually interviews you by approaching you and asking a question – it may be for directions, the time of day or something similar.  They will use this opportunity to gauge your reaction and your alertness level.  Did they surprise you with their question? Did you jump back?  Did you look down to consult your watch?  Did you appear fearful and shrink back?  All these factors will be processed in a second or two and he will make a determination whether or not to try to victimize you.  Predatory criminals generally want to maximize their chances of committing their crime successfully, avoiding injury and getting away without being caught.  They will usually factor this in when selecting a victim.

By demonstrating that you are alert and displaying a confident demeanor you reduce the chances that you will be selected for victimization.  Notice I said “confident” and not “challenging”.  You do not want to appear so confident or aggressive that the criminal feels you are challenging him, especially if he is in a group in which case he may feel the need to prove himself to save face.

Ideally you want to be practicing good situational awareness and spot the potential criminal before he approaches you and be ready.  Ensure you allow sufficient physical space between yourself and the other person.  Also be mindful of possible accomplices in the area so that one is not able to come up behind you while you are focused on the primary threat.  Do not allow yourself to be distracted by the question or request.  As with our discussion of surveillance detection principles watch for correlating movement or signs that seemingly unconnected people are communicating with each other.  Someone cross a street at a diagonal in your direction or otherwise intentionally moving to cross or block your path should be an immediate warning sign.

Sometimes these approaches are innocent and the person really does want directions, to know what time it is or a light for their cigarette.  Nonetheless you should be aware of these ruses and raise your alert level — without over reacting — when approached by someone you don’t know.

 

 

Unsolicited Approaches

Consider possible ulterior motives when approached by a stranger

In keeping with the themes of social engineering and elicitation its a good point to discuss the need to be wary of unsolicited approaches.  We also need to be mindful that these approaches are not necessarily made in person although they can be. In today’s technological world they are frequently also made via email or through social media.

These types of unsolicited approaches are made by criminals and other dangerous people for a variety of reasons.  Their objective is often fraud or theft of proprietary or classified information or other sensitive data.  Sometimes – as we saw in the case of the Colombian Facebook kidnapping gang it can be to facilitate more violent crimes such as kidnapping, armed robbery or rape.  Anytime people you don’t know seek you out – whether in person or online – you should look at the situation with a critical eye and question their motivation.

I once attended a counterintelligence presentation that addressed this issue.  The instructor – a short, overweight middle-aged man with a beard and glasses wearing suspenders and a bowtie – stepped to the podium.  He began by saying how when he was at home in the US he couldn’t get an attractive women to give him the time or to even spit on his shoes.  But when he goes overseas its another story.  He turns into Brad Pitt and beautiful women at the bar flock around him.  He gets phone calls from women and has them knocking on his hotel room door at all hours of the night.

The point is well made.  If these types of things don’t happen to you regularly at home why are they suddenly happening when you arrive in country X?  His presentation was focused on counterintelligence but the motivation may be different and probably related to separating you from your money in some way.  The broader concept is that you should be cautious of someone’s potential ulterior motives if you are approached unexpectedly.

Sometimes these are “cold approaches” that come largely out of the blue and some are “warm approaches” where the person may have gathered some basic information on you (often through social media or other Internet resources) and has – or purports to have – something either professional or personal in common with you.  This is one of the risks of posting too much on social media sites, especially concerning hobbies, interests and other things that can be used as a vehicle to get in contact with you, establish rapport and so forth.

These warm approaches can take places over time and may be very effective in getting you to gradually lower you guard.  It appears that was the case in the Colombia Facebook case.  The kidnap gang was apparently successful in convincing their wealthy male victims via Facebook that they were attractive women and by cultivating an online discussion and ultimately enticing them to come to a physical meeting where they were subsequently drugged and kidnapped.

There can also be “cold approaches” where you are approached by a stranger who initiates conversation without any prior connection of any sort.

Be wary – but not paranoid – if you are approached by a stranger.  Always look at the situation with a critical mind and ask yourself what ulterior motives or hidden agendas might exist.  You do not need to be rude but be cautious, especially if the situation seems unusual or outside your usual frame of reference.

Loose Lips — Recognizing and Avoiding Elicitation

In discussing social engineering and threats to your personal security we mentioned elicitation.  Elicitation is a technique that is used by an adversary to get a person to unintentionally divulge more information about a particular subject than they normally would.  Its used to gather confidential or proprietary information and in the realm of personal security it can be used by an adversary to gather information for use in targeting you or to build rapport with you or someone close to you.

While we are not going to attempt to teach elicitation or counter-elicitation here we are going top briefly outline some of the common techniques that are used so that you can recognize them being used against you.  Remember these can be employed in person, over the phone or through electronic communication of various types such as email, online chat, etc.

This is by no means an exhaustive list but these are some of the key elicitation techniques you may encounter:

Flattery: The adversary will complement you on personal and or professional aspects of your life to build rapport and increase your likelihood to talk openly.  This may include requests for advice based on your “expertise”, etc.

False Statements:  The adversary may make statements he or she knows are incorrect in order to prompt you to correct them by providing the correct information.

Provocative Statements: Similar to the false statement the adversary may make a statement that he or she knows will initiate an emotional response on your part an a desire to either strongly agree or disagree with them.

Disbelief:  The adversary will feign disbelief at a statement you make to prompt you to elaborate more fully.

Naivete: Similar to disbelief the adversary will feign ignorance to get you to “educate” him or her.

Quid pro Quo: The adversary may volunteer some innocuous or more likely false information about themselves so that by social convention you feel compelled to reveal something to them.

These are just some techniques that may be used to get information about your schedule, your security profile, your business dealings, you personal wealth, your employer and so on.  By recognizing  when you might be encountering them you can make a conscious decision to reduce the amount of information you provide or break off the conversation.

While some of these are relatively sophisticated methods they have been and may be employed by foreign intelligence agencies and internal security units, organized crime groups, terrorists and others.  Keep in mind as well that they may be aimed not only at you directly but also at your employees, associates, domestic staff, etc.  Its important to train these people — even if its just at a very rudimentary level — to be cautious about people asking questions or try to get them to divulge information about you or your activities.

Personal Risk Assessment

Considering that personal and travel security rely heavily on context its important to consider how the threat relates to you
whether at home or abroad.  Understanding this contextual relationship let’s you realistically determine how much effort, energy and possibly money you should invest in your security.

The best way to do this is to conduct a personal risk assessment.  This can be done yourself or you can hire a consultant to do
it for you and it can be as detailed as you want to make it.  If you do it yourself its important to be as brutally honest with yourself as you can for the assessment to be accurate and have value.  This assessment can be done from a lifestyle perspective for an at-risk person or a person living in a high-risk area or it can be done for a particular event like an overseas business trip.  It can also be done using qualitative or quantitative methods or a combination of the two.  Most people will be more likely to use qualitative
means.

The standard formula for a risk assessment is that Risk = Threat x Vulnerability.  For our purposes this means you need to begin by identifying a threat or threats that exist and then look at vulnerabilities in their schedule, routine or lifestyle where their exposure to this threat is increased.

As an example a businessman traveling to a two-day meeting in Johannesburg might identify threats such as carjacking and armed robbery.  In particular he may look at the practice of criminals following people from the airport and robbing them en route or at their destination.  He might also consider the high level of gratuitous violence often involved in these crimes.
On a review of his itinerary he notes that the meetings will all be held at a 5-star hotel adjacent to the airport terminal and that he will be staying at the same hotel.  In this case the threat level is high but his vulnerability is low so the risk is relatively low.

Another aspect to consider is the probability vs. criticality or impact.  Some events are more likely but the consequences are not too severe.  Others are less likely but the consequences may be devastating.  Two examples to look at:

A photographer is going on an assignment in Barcelona that will involve a lot of work in public venues.  The threat of ickpocketing and petty crime may be high but the criticality of these types of incidents is relatively low — unless of course his cameras are

Taksim Square – Istanbul. This is a frequent location for protests and occasionally civil unrest.

stolen and he can’t complete the job.

On the other hand an engineer has a 2-week assignment in Islamabad, Pakistan.  He will be staying at a western brand hotel that has been previously attacked with a massive vehicle bomb.  Hotels of this type are targeted for spectacular attacks by militant groups. In this case the relative probability that the hotel will be attacked while he is there is relatively low.  However based on past incidents if the hotel is attacked the impact is likely to be severe.

Using this information you can determine the level of risk you face – either daily or for a specific activity or event as well as the likelihood and potential impact of an event occurring.  Using this information you can determine what countermeasures if any you should implement to mitigate the risk.

Social Engineering: Implications for Your Security

Social engineering – the calculated manipulation and exploitation of people has historically been associated with cyber security issues.  Computer hackers found they could best get access to secure networks by targeting the weakest link – the human factor.

The same techniques used to get an employee to give up their password or provide other information to facilitate entry into a network can be used to gather information to compromise a person’s personal security as well.

Social engineering can use any one of a combination of several vectors to approach the target – telephone, email and in person being the three primary ones.

The example of the Colombian kidnapping gang that use Facebook to target their victims that we discussed in the last post is applicable here.  While there is limited information currently available on that incident it appears the the victims were cultivated over a period of weeks or months via the use of social engineering techniques on Facebook. The information available on Facebook gave the kidnap gang a foundation with which to build their approach.  Knowing something about their victim – his lifestyle, interests and hobbies would help them develop an online relationship and build rapport that would put him at ease.

Understanding and recognizing the techniques employed in social engineering is the best defense against them.  Here are some of the primary ones you may encounter:

Elicitation: Elicitation is a method of extracting information from an unwitting person by framing questions and statements in such a way that the person gives more information than they normally would or would intend to.

Pretexting:  The social engineer presents himself as someone other than who he really is in order to get information or drive a certain course of action.  In some cases this may mean the social engineer portrays himself as an authority figure.  In the case of the Facebook Kidnap Gang the kidnappers presented themselves as beautiful, available young women.  The anonymity of the Internet facilitates this immensely.

Influence and Persuasion Techniques:  By artfully exploiting human desires to be liked, reciprocity and obligation and the introduction of fear social engineers can compel people to reveal sensitive information or perform a certain action on their behalf.

This is a broad overview of social engineering – in particular how it relates to personal security.  Using clever techniques criminals can not only commit fraud and information theft, they can also facilitate violent crimes like kidnapping.  These tactics may be directed at the victim himself/ herself or at unwitting third parties like coworkers and domestic staff.  The first step to countering these techniques is being able to recognize them.

Social Networks and the Threat to Personal Security

 

Recent open source reporting indicates that the Colombian National Police just arrested a group of criminals that were using Facebook to identify, profile and target victims for kidnapping.  Initial reports the gang were using false Facebook profiles with pictures of beautiful women to target wealthy men as victims.  They would use information in the victim’s profile to assist them is selecting potential targets.  They would then engage the target in online discussions to build report and elicit additional information.  After a period of time, usually a few weeks they would arrange to meet the victim.  When the victim arrived at the pre-arranged meeting location he would be drugged – most likely with scopolamine – and moved to another location where they would be tortured and held for ransom.

This incident not only illustrates the vulnerability of revealing to much information about yourself in social network websites and to unknown persons online – which is the point of the post – but also touches on the use of drugs (probably Scopolamine in this case) in facilitating kidnaps which we discussed in “Devil’s Breath and the Ativan Gang” and also the process of victim selection, use of honey traps and utilizing technology to do a valuation of potential targets which have all been discussed to a degree previously.

The Facebook kidnapping gang is a clear example of what can go wrong if too much information is available in the public domain.  Even information that is can only be viewed by friends or contacts can compromise you if you “friend” or “link” to people you don’t know or don’t know well.

Social networking is a key part of most of our lives now and most people use if for personal or professional reasons or both.  The issue is not whether or not to use social networking but how to understand the vulnerabilities that exist and manage the type and amount of information available.

Social networks and the easy availability of online personal information is a huge force multiplier for stalkers, burglars, fraudsters, identity thieves,  social engineers of all types, terrorists and kidnappers make it much quicker, easier and safer to compile detailed dossiers on potential victims and exploit that information to their advantage.  Social networks also provide a vehicle to do a “cold approach” to a potential victim, establish rapport, gain additional information and arrange a physical meeting in person if desired.  That appears to be what occurred in this case in Colombia.

It also significantly reduces the need for physical surveillance of the target and the vulnerability to exposure that exists with that activity.  If the victim can be induced to voluntarily present themselves at a place and time of the criminal’s choosing it makes it much easier to carry out the kidnapping with limited risk.

The lesson here is not to eliminate the use of social networks which would be unrealistic given the role they now play in society.  The objective should be to understand the vulnerabilities that exist – especially in the context of your personal situation and risk profile.  Arguably a soccer mom from Annapolis, Maryland and a wealthy Colombian businessman have very different risks profiles and would need to manage their personal information differently.   While the soccer mom still has some level of risk, barring exceptional conditions (such as a stalking situation) her risk profile is much lower than the Colombian businessman.

Some things to consider regarding personal security when using social networks:

  • Security settings: most social networking platforms provide security settings that allow you to limit who is able to see what information about you and your personal network. Consider using these rather than the default settings.
  • Posting Potentially Compromising Information:  Not only can posting information about your drunken weekend put you in a precarious position with your employer, clients, etc. it also provides insight into your personal lifestyle that can be exploited.
  • The risk of using applications like TripIt when linked to social networks that share your travel itinerary.  This allows others to see where and when you are traveling.
  • The risk of using Foursquare and other GPS related applications that use your smartphone to identify and post your location to people in your social network.
  • Posting Photos:  Posting a portrait photo of yourself gives a potential assailant who has never seen you before the ability to recognize you.  Additionally many smartphone cameras also automatically geotag photos without the user being aware of it.  When the photo is posted it is possible to retrieve the geotag to determine where the photo was taken.

Social networking is here to stay and its role in our personal and professional lives will only grow. There are numerous positive aspects of social media and it can be leveraged to your benefit in many ways.

It’s important to look at the potential impact to your personal security based on an honest assessment of your personal risk profile.  You should consider limiting what you post, who you allowed into your social network or in some cases both depending on your situation.