Nearly half a million people will take in the pageantry, competition, drama and electric atmosphere of the 2016 summer sports event in Rio de Janeiro. But the trip can quickly turn into a nightmare for tourists who fall victim to social engineering.

The Stranded Traveler Scam

Visitors should be on particularly high alert for the stranded traveler scam. In an effort to solicit money, cybercriminals gain access to a victim’s email account and disseminate messages to contacts found in the address book. The emails claim that the victim is in distress in a foreign country and desperate for immediate cash. To add insult to injury, you don’t even need to be on your dream vacation to become the unwitting pawn of cybercriminals; the perpetrators can simply claim you are traveling.

Fraudsters have used the stranded traveler email scam since at least 2008. The FBI issued a warning in July 2010 about the growth of the scam. By 2012, the FBI’s Internet Crime Complaint Center reported that they had about 150,000 related complaints on file, according to ABC News.

Although it is not as pervasive as it once was, this fraud continues to ensnare many people. The volume of stranded traveler incidents tends to rise during high-profile worldwide events, such as the World Cup, because it is more plausible that someone is attending the event and might be in dire need of assistance.

Read the full report from IBM X-Force: 2016 Brazilian Threat Landscape

Mechanics of the Scam

The basic mechanism of the scheme is the initial breach of the victim’s email account. In many instances, the cybercriminal gains access to the victim’s social media accounts as well.

No one is immune to this type of takeover by social engineering. Even Facebook founder Mark Zuckerberg fell victim when malicious actors gained access to his Twitter, Pinterest and LinkedIn accounts.

Following the account takeover, the attacker will message everyone listed on the contact list. The email contains a tale of woe and requests money, which, of course, will be repaid when the stranded person is back home. To make it more difficult to uncover the scheme, many attackers change the account password, redirect return emails and delete the address book for good measure.

Nice Guys Finish Last

This fraud scheme is often successful because the email comes from a familiar person. Most people’s immediate reaction is to pity and help the friend, relative or colleague who appears to be in real trouble.

The plea originates from an address that you recognize (including the appropriate headers should you investigate) and is likely to include the person’s real name and signature. In this way, it seems to be legitimate.

The appeal is additionally persuasive if you know that someone is traveling to the location stated in the message. It only takes a few compassionate friends to act quickly to make the trick profitable for the criminals.

Seeing Through the Charade

After you get over the initial shock of seeing a stranded traveler communication, you as recipient may notice a number of suspicious elements that tip you off to the scam.

First, the message may be riddled with clumsy word usage, incorrect grammar, and improper punctuation and capitalization. Secondly, the note may be addressed to a generic friend, not personalized directly to you. Social engineering can only do so much. Third, ask yourself why you are being contacted to help. Is this something this person would request of you? Is this person even traveling to Brazil?

You may not notice these signs because you’re caught up in the emotion of the moment. A request to wire cash to someone is the ultimate red flag.

The Gold, Silver and Bronze of Social Engineering

Because it is relatively easy to uncover this scam, fraudsters are motivated to work harder.

According to the U.S. National Counterintelligence Executive Bill Evanina, the summer event in Rio will represent a “great playground” for criminals. In the spirit of competition, we will categorize the level of effort in executing the stranded traveler scam as gold, silver and bronze.


The scammer performs the basic level of effort. The message will be impersonal and unconvincing. Everyone on the mailing list will be contacted. Payment will be a simple wire transfer. It will be unknown if the target person is traveling.


At this level, the attackers will be more selective in trying to send emails to close friends and relatives. The message content will appear realistic. They will lock the user from the accounts, wipe the victim’s address book and set up a new email address that messages can be sent to.

The silver level of fraudster may even communicate directly with people who want to wire money. In this situation, the attacker doesn’t verify that the subject (i.e., the stranded traveler) is on vacation.


A con going for the gold will be difficult to discover and will probably be profitable. This will be a targeted attack. These masters of social engineering will know that the target is attending the international sporting event, most likely by trolling social media for information, and will then target and infiltrate the accounts of those travelers.

After confiscating accounts, they will only reach out to the closest contacts and will personalize all the notes. By scouring the personal information they have access to, they can add touches that might put the reader at ease.

The fraudsters will set up a message redirect to allow them to receive and send emails. They might even update a Facebook page or send out tweets to reinforce the fictitious story. The best of the best will offer up a phone number for the hotel or of a local authority that is aiding the stranded traveler. This level of criminal may be willing to take a debit card for payment.

Victims and Aftermath

The nightmare isn’t so much the act of the scam but the cleanup and impact to your extended contacts. Unlike other internet tricks designed to impact a single person, the stranded traveler fraud has many potential victims.

The first victim is the person whose identity is misappropriated. The other victims are the people who are contacted. In some cases, the numbers can be considerable. One bronze-level cybercriminal gained access to the account of a person who runs a charity and sent a deceitful message to 50,000 addresses.

Should you succumb to the heart-wrenching appeal and send money, your interaction with online bandits may just be beginning; as a victim, you may be targeted as an easy mark. For example, ABC News investigated such a scam and sent the fraudsters $20 to learn more. Soon afterwards, the organization began to receive new phishing emails.

The purported stranded traveler faces the embarrassment of needing to inform people that this is a scam. Many hours are spent answering calls and emails from friends and acquaintances to let them know you are safe. This process can go on for a week or more given that some emails will not be read immediately. There can be considerable guilt should someone you know lose money trying to help you.

Lastly, there is time and effort required to restore access to your email and social media accounts. In many cases, should your contact lists and email history be erased, those might need to be reconstructed from scratch.

Safeguarding Yourself

Safeguards against the stranded traveler scam and other fraud schemes are different for the two types of victims. On the traveler side, the key is to ensure that your email and social media accounts have strong passwords. You do not reuse passwords across accounts, and you should change them periodically and utilize two-factor authentication when offered.

You must also be wary of phishing emails, which can be used to install malware that in turn passes login information to attackers. Travelers should be careful when using public Wi-Fi, which can be an avenue into accounts. The goal of these defensive activities is to prevent account hijacking.

On the other side of the equation, when an acquaintance emails you with a fantastic tale of misfortune that depicts them as a stranded traveler, you should consider the story with a healthy level of skepticism. If someone asks you to wire them money in a foreign nation, you can have a high level of confidence that it is a hoax being perpetrated by cybercriminals. If you remain concerned about the safety of the friend, contact them or someone close to them, preferably by phone or text.

To learn more about the threats affecting Brazil, read the full report from IBM X-Force.

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today