Snipe.Net Geeky, sweary things.

Mexican Mafia Scams: A New Twist On an Old Trick

M

Two days ago, I received a terrifying phone call.

This is a cautionary tale about a two-minute conversation I had earlier this week.

For those of you who don’t know, my husband and I moved to Portugal 5 months ago, so calls coming in on my US phone number (technically a NY area code, but we moved from SoCal) are unusual. I’d normally just ignore them but this one came in with caller ID from Mexico.

Huh.

I have some friends in Mexico. They wouldn’t normally call me, but, sure. Okay.

When I answered, a man who spoke very good English but with a clearly Mexican accent responded to me with a deep sense of urgency. (Caveat: this all happened very quickly, so I might have missed some stuff from memory. Please forgive me.)

It went something like this:

Them: “Yes, hello – ma’am. I am an EMT in Mexico. Do you have a sister?”

I do, in fact, have a sister – and she does visit Mexico quite often, since she lives in Yuma, Arizona, right across the border from Mexico.

Me: “Uhm, I do, yes.”

Them: “Okay, your sister has been in a very bad accident. She’s bleeding a lot.”

This already feels scammy, especially since they didn’t ask for me by name, but anyone who knows me knows that I protec, so…

Me: “Okay, can you tell me her name. Does she have ID on her?”

Them: “Ma’am, she has no ID. She was in a terrible accident. She was hit by a car and is covered in blood. If you don’t have a sister, I’ll just keep calling until I can find someone who knows her. She’s unresponsive and is in really bad shape.”

Me, thinking – wait, if she has no ID, where did you get this number? Keep calling? Keep calling whom exactly? Where are you getting that list of people to try to call? But still, maybe my sister had my business card on her? That would be a little weird, but maybe not that weird. Maybe.

Me: “I do have a sister.”

Them: “What is your sister’s name?”

Me: “Why do you need to know that?”

Them: “Ma’am, I need to know her name so I can calm her down. She’s very disoriented right now.”

Wait, I thought she was unresponsive. Now she’s suddenly hysterical? Still, my sister, so…

Me: “I do have a sister, but… what does this person look like?”

My sister has a pretty specific look – weird hair, a particular build, etc.

Them: “Ma’am, she’s covered in blood and we’re running out of time. She’s going into shock. I need her name, and I need to know if she’s your sister so you can come here.”

If her head was covered in blood, I could see how they couldn’t have given me a hair color. At this point I should have asked for height/approximate build, etc. I didn’t.

Also, bro, I live in Portugal. While I’d definitely be on the first plane, that’s still 20 hours away.

Me: “Sir, I’m in Portugal. I can’t get to you or her quickly.”

I still don’t believe this is legit, but again, it’s my sister, so I’m still talking to him.

Them: “Please ma’am, just give me her name so we can calm her down.”

So, again, unresponsive or hysterical? Which is it?

I finally gave him her first name – which BTW is not exactly a national secret. I speak of her often on social media, in conference talks, etc. She had a TV show, after all. And she does the same about me.

Immediately after I told him her name, his tone completely changed, and he screamed at me that he worked for the “fuckin’ mexican mafia”, that if I hang up now I’d never see her alive again, and that if I tried to text her, he’d know because he had her phone and he’d kill her immediately. Every other word at that point was peppered with expletives – which, I mean, whatever, I’m a NJ Italian. That’s not threatening language, that’s just a regular Tuesday.

While I was talking to him, I texted her quickly, asking if she was okay. I hadn’t yet remembered that she was about as far away from Mexico as someone in the U.S. can be without being in Alaska or Hawaii. I also didn’t hear my text tone in the background (and my sister annoyingly always has her sound turned up for every little notification), so at this point I’m pretty sure this is complete bullshit.

While risky, a kidnapper wouldn’t actually kill the one piece of leverage they have, and if it really were her and he saw the text message, he’d just move the goalposts, since killing her would mean he gets nothing. (Rational brain knows this, but it’s still scary af in the moment.)

Funny thing tho. Time zones are a bitch. I remembered during this very brief (2 minutes!) convo that she had just texted me 7 hours before, telling me she was in Green Bay, Wisconsin for a welding competition, and she was headed to Virginia soon after for a different welding competition. Mexico was not on the agenda. It wasn’t her, and this was very much a scam.

Yes, this is mental math I’m doing on the phone with a stranger who claims to have kidnapped my sister and is threatening to kill her. This is what working in infosec does to your brain, for better or worse. Worse yet, I actually do know people who have had family members kidnapped in Mexico.

He screamed at me one more time that he’s “with the fucking Mexican mafia”, to which I laughed at him, saying “My sister is not in Mexico. You’re not with the Mexican mafia, you piker” and hung up.

I admit my hands were a little shaky.

This all happened really, really fast, and I was caught on my back foot, for sure. And because enough things were plausible (unlikely, but plausible), even the skeptic I am had to consider it might be real. I was legitimately scared for my sister, the entire way through until I hung up. I’m also thousands of miles (and an entire continent) away.

Imagine the guilt I’d feel if it were real and I wrote it off, and my sister died on the side of the road somewhere in Mexico.

THAT is what they’re counting on.

Once she finally answered me, my sister said she was still in Green Bay, stuck at the airport for hours, her flight to Virginia delayed. The most danger she was in was being overcharged for airport bar drinks while waiting for her flight.

This is not a new scam, just a more urgent, updated version of an old one that worked often enough for it to be worth the time of the criminals behind it.

TLDR of the old version is: you get a call from a (likely spoofed, but probably sometimes not) Mexican phone number where they claim to have kidnapped a family member, and they often demand other family contacts so they can extort them as well.

Normally it’s just a run of the mill kidnapping call, where they don’t actually have your family member, but they often have someone screaming in the background “just give them what they want!!!!” amid fake sobs.

The new twist is a bit more of a social engineering aspect – which, hey, nice job guys. Way to evolve.

The soft-open – “I don’t know your sister, I’m just trying to help” – gains trust and lowers guard.

The “I don’t know, but we’re running out of time” gives them plausible deniability for not immediately knowing things you’d expect someone to know, because they’re, y’know, trying to save someone’s life. It also adds a sense of urgency which will cause the victim to potentially ask less critical questions, react impulsively, etc.

It’s a clever twist on an old trick, and I almost have to respect the evolution of the game.

It’s abhorrent and vile and if I ever, ever meet one of these pieces of unmitigated shit, expect a bail gofundme for me to happen shortly after, because I will show no mercy to these monsters. People who prey on grief are the worst of the fucking worst.

Going with the premise that she’s incapacitated also takes away the best tool they would have had – proof of life from her own voice. Deepfakes are everywhere now, but I don’t think this was targeted, so they wouldn’t have known what she sounded like. In a targeted situation, this would have been a lot harder to detect and would have been way scarier.

Things I Should Have Asked

In the heat of the moment, this stuff is always really hard. You’re trying to stay calm, trying not to panic, maintain a healthy level of skepticism, but this is also a visceral, real emotional situation.

In this particular situation, some things I could have asked that would have defeated the “Ma’am we have no time, she’s going to die on the street narrative”:

  • What is her build? You’re an EMT, you can give me a basic weight/build description. How tall is she? Is she fat or skinny? 50/50 chance on that last one, but I’d know for 100% certain it was BS if they guessed wrong.
  • What city in Mexico are you in? (I know where she’d normally be if she was there.)

That wouldn’t have gotten me there that much faster – it was a two minute interaction after all, but it would have made it clearer a little sooner that this guy was full of shit.

So, how do you safeguard yourself?

Nothing is going to be foolproof, for sure, but there are some small things you can do with the friends and family you have to at least be able to confirm whether or not the threat is real.

Set up “danger” words. My sister and I have had safeguards in place for years. We have a “danger word”, which is a normal english word that if we ever utter it to each other in private or public, we know that things are Officially Not Good. In this case, that word would have been defeated by the premise that she was disoriented, confused, unresponsive, etc because of the alleged car accident. If that were true (which it was not), it would be plausible that she wouldn’t remember or respond to that word or phrase. That wouldn’t have saved us in this case, but it’s generally a good policy and will help more often than not if you need it.

Set up fake names. Have a specific fake name that you would call yourself in a danger situation to someone who would know that 1) it’s really you and 2) you are in actual danger. My sister and I have them. If they really had her and they really didn’t know her name, we would be able to communicate that we both acknowledge the danger without making it more dangerous.

If it would be too confusing to try to remember a first name, settle on a middle name that’s definitely not correct. Middle names don’t come up much, so it would stick out if it were present where the person had none, or was just flat out wrong.

Ask what tattoos/piercings they have to identify them. This may or may not work, depending on the situation, but could potentially be a canary. If the “abductor” says “none” or “I can’t tell, there’s too much blood”, suggest a tattoo you know they don’t have that would be obvious outside of intimate areas, and try to get them to tell you. They won’t have an answer, so they’ll either lie (which outs them immediately) or they’ll keep stalling, which an EMT who is genuinely trying to find family members wouldn’t do.

Make some shit up. “Did you find her prosthetic leg? What about her glass eye? I heard those can shatter – oh my god did it shatter?? Is it in her brain??” My sister does not have a prosthetic leg or a glass eye, but back to the 50/50 chance, if you let them believe you believe them, you can sometimes catch them in their own game.

Tell your family your travel plans. This one seems obvious, but my sister travels constantly for her work and hobbies. Usually on big, international trips, she’ll email me flight details just in case, but for domestic flights, she doesn’t always tell me, especially since I’m 7 time zones away now. Thank god she did this time, or this could have gone worse.

Obviously, these types of scams are scary as hell, and they’re counting on the urgency they convey to cause you to misstep, even if you’re normally very savvy and skeptical about this type of thing. A little pre-planning can go a long way.

Stay safe out there everyone. <3

About the author

snipe

I'm a tech nerd from NY/CA now living in Lisbon, Portugal. I run Grokability, Inc, and run several open source projects, including Snipe-IT Asset Management. Tweet at me @snipeyhead, skeet me at @snipe.lol, or read more...

By snipe
Snipe.Net Geeky, sweary things.

About Me

I'm a tech nerd from NY/CA now living in Lisbon, Portugal. I run Grokability, Inc, and run several open source projects, including Snipe-IT Asset Management. Tweet at me @snipeyhead, skeet me at @snipe.lol, or read more...

Get in Touch