By Ronnie Tokazowski
Emotional manipulation is everywhere around us. Every day we’re presented with ads to suggest we buy things, presented with news telling us what to believe, and most of the time we don’t give it a second thought. Romance scams make use of the very same marketing tactics; however, they employ them with the sole intent to defraud and manipulate someone into giving them money.
Romance scam victims are socially engineered to send thousands to “lovers” abroad through emotional manipulation while unknowingly facilitating different types of crime. Some of these crimes include gift card fraud, business email compromise, check fraud, or re-shipping scams, which consist of receiving and sending goods. These unwitting participants become the underlying money networks responsible for billions in fraud, both foreign and domestic. With victims in 90% of the countries in the world, this is far from a US-only problem.
At Cofense, we have a long history of addressing the human aspect of cyber fraud, an element that intimidates many organizations. We understand that there’s a lot more at stake than simple bits and bytes and have seen the benefits of what millions of educated end-users can do to protect a company. We want to give back to the world this Valentine's Day by creating this three-part series on romance scam recovery. In this series, you will learn how romance scams work, what to look out for, what to do if you're a victim, and who to reach out to for help.
Romance scams facilitate business email compromise, currently the number one cybercrime for the 7th year in a row. In addition, a second flavor of romance scams, pig butchering, is quickly making headlines with losses in the billions. When combined, we have victims in 177 countries across the world, making this a global cybersecurity issue with billions lost to human emotional manipulation.
BEC is the largest crime, whether the security community wants to admit it or not. This is our continued attempt at addressing the root causes of the most significant cybercrime out there: educating users to be better prepared for what’s to come and to spot, and report, these scams.
How do Romance Scams start?
Let’s say you’re single, alone, and looking for someone to date. You might live in a small town or village, or you may even live in a larger city. Meeting someone face to face is intimidating, so much so that you wonder where you would even start. You've seen the ads for dating websites about meeting your soul mate, so why not give it a try? It was on TV, on the radio, or you saw someone mention it online...so it must be trusted.
As you go along you may search on social media or one of these dating sites for a partner, longing for the day that you find that one person who is lost and alone, just like you. And finally, you meet that special someone who is cute, funny, loving, and alone just like you. It seems like a perfect match.
The two of you really hit it off. You have the same interests, may have been previously married or widowed, and FINALLY found that one person who feels the same way you do. You spend hours chatting, exchanging sweet nothings, texting every morning, and begin chatting about when the two of you can finally meet. They may live in another country that seems like they’re a world away, but you can FEEL their presence with you every time you chat. Heck, you may even fantasize about the day you’re able to finally meet.
Except something horrible happens. They were in a horrible accident, were picked up by customs, or suffered some other terrible thing that puts your meetup in jeopardy. You’re devastated, sick to your stomach, and just feel horrible. You want to help, but you feel helpless and have nowhere to turn. It’s impossible to shake the feeling, and no matter what you do it just doesn’t go away.
But if you send $500 for the medical procedure to the person you’ve been dating for 6 months, the two of you can live happily ever after.
And this is how romance scams actually work.
From the Scammer’s Perspective
While a lot of time and research is spent understanding the damage caused by scammers, we rarely see a dive into the ecosystems and methodology that scammers use to identify their victims. After spending seven years researching fraud, understanding the geopolitical problems that drive the crime, and speaking directly with scammers and sources on the ground...here’s how romance scams happen.
Many of the scammers behind romance scams actively participate in other types of fraud. Some do business email compromise attacks, some do check fraud, and others may simply need witting participants to move money around the United States. While scammers abroad could move to the US for their operations, the preferred method is to stay remote. To facilitate crimes locally, these scammers recruit unwitting participants to take the fall for them, all the while telling the victims whatever they want to hear, so the scammer reaches their end goal: to have the victims unwittingly send money for the scam.
Before the first profile is built, scammers spend countless hours scouring the internet for profile pictures. Scammers scrape Instagram, Facebook, and public websites to convince users that they are who they say they are. Some go to the extent of building fake personas using celebrities to convince unsuspecting victims that yes, they too are looking for a relationship. In addition to pictures, scammers routinely use long bodies of text, often called scripts or formats, that can be used to easily copy and paste stories to unsuspecting victims. These can include perspectives such as being widowed with two kids, a military officer abroad who is looking for a relationship, or really any other story to try and convince a victim to fall for them.
Once the data has been collected, scammers create profiles on social media and dating platforms. Some may reach out to try and build a relationship or some may create a profile so they can wait for someone who is interested in a relationship. Once a connection has been made, it’s game on to emotionally give the victim what they want to establish a connection.
What to look out for in romance scams
I have heard this time and time again: “I would never fall for a romance scam.” Unfortunately, with how these scams work, anyone is susceptible to them, myself included. When we are emotionally hurt, alone, and looking for any opportunity to not hurt again, we make choices to make that hurt go away, which can put us in jeopardy.
Based on years of research, here are several things to watch out for when it comes to scams.
- It’s okay to go on dating apps and it’s okay to try and date someone online...but if someone is giving you the runaround about meeting in person or asking for money, it’s a scam.
- Know your emotions. Heartbreak is one of the hardest things humans emotionally feel; however, it’s better to break off a potential scam and feel a little hurt than spend years in a scam. Scammers take you on emotional roller coasters of love to keep you in their clutches.
- Scammers go to great lengths to make profiles look as legitimate as possible. They have pictures and templates and go to great lengths to trick YOU. Use reverse image searches and search for the names and email accounts using a search engine; however, don’t use this as 100% verification.
- If you have a gut feeling that something bad is going to happen, it probably is. Your intuition is trying to warn you to keep you safe.
- If you’re telling a story to someone and they say, “that sounds like a scam,” trust the second opinion. When we admit we’re wrong we feel vulnerable. However, that vulnerability is what makes us connect as humans.
And lastly, if you think you’re in a scam it’s important to speak up. In our second blog post, we will walk through what to do if you find yourself in a romance scam.