Romance scams, which are pretty much what their name suggests, often lead to victim blaming, where those who fall for them are derided for what other people consider plain old gullibility.
But these scams predate the word ‘cyber’ and the internet, and they are human-led fraud that can’t be solved by technology alone.
What can we do to avoid them, and to keep our own vulnerable friends and family safe?
Cybercrime was a problem even before the internet took off.
Malware, for example, first appeared back in 1982, first on the Apple II computer and later on IBM PCs.
At that time, most people swapped files and information on floppy diskettes, forming an informal global computer ‘network’ affectionately dubbed sneakernet.
This sort of super-slow, low-bandwidth file sharing system was more than enough to let the underground malware scene thrive, with thousands of distinct computer viruses appearing within a few years.
And ransomware first showed up in 1989, predating the World Wide Web and consumer access to the internet.
The infamous PC Cyborg ransomware Trojan couldn’t use the internet to spread, so its creator bought up tens of thousands of floppy diskettes and snail-mailed them out to individuals and companies on mailing lists he had bought.
The arrival of the internet changed all this, opening up entire company networks to continuous attack 24 hours a day.
Malware and phishing scams can now be spammed out to tens of millions of recipients at a time, not merely tens of thousands, at next to no cost, using email that takes seconds to arrive instead of snail-mail that took days.
Even ransomware attacks, which today generally involve human-led intrusions rather than mass malware mailouts, seem to be speeding up.
In theory, the longer that ransomware attackers spend getting ready, the more subtle and surreptitious they can be, but in practice, the longer they take, the greater the chance of being spotted.
In the late 2010s, network-wide ransomware attacks sometimes went weeks or even months in the making; by the early 2020s this preparation time was typically measured in days; in 2024, some researchers report that ransomware attacks often seem to start and finish within a single day.
As the internet gets faster, attacks and attackers are, perhaps unsurprisingly, getting faster with it.
But not everyone in the cybercrime underworld is obsessed with speed.
Sadly, there’s one devastating type of online crime that continues to be a serious problem despite, or perhaps because of, the slow, sometimes even languorous, way in which it unfolds.
Romance scams, which are pretty much what their name suggests, exploit the scale, reach and speed of the internet to get started.
But once they’ve got their hooks into a victim, the human perpetrators of romance scams rely on a very different approach to the typical ransomware gang, who aim to finish with a dramatic, all-at-once, network-wide finale.
Romance scammers, in contrast, almost always play what’s known in the trade as a long con.
Their initial aim is not to hide away but to get themselves noticed right away.
Their goal is to catch your eye, to lure you into friendship, to win your trust, to elevate the friendship to a romantic level, and then to fleece you slowly but steadily for as much money as they can for as long as they can.
Romance scams are perhaps better described as internet-enabled crimes rather than as pure cybercrimes, because they make use of but do not strictly depend upon cyber-technology.
Malware, for example, is undoubtedly a cybercrime, given that malware is just shorthand for ‘malicious software’, which is by definition a program that runs on a computer.
But romance scams between ‘soul partners’ who never meet, yet end up trusting each other to the detriment of the victim, have existed for hundreds of years, perhaps even thousands, from long before the word ‘cyber’ came along.
In pre-cyber days, romance scam messages might be forwarded by innocent go-betweens, carried by messengers who were in on the scam, sent by snail-mail, or spoken over the telephone.
The advent of the internet hasn’t changed the human-to-human aspect of romance scamming, and hasn’t deflected the scammers themselves from taking the time to play the ‘long game’, over months or even years if they can.
The internet has, however, made romance scams much faster and easier to initiate; has massively increased the level of contact that scammer and victim can maintain; and has reduced effectively to zero the cost to the scammers of keeping the victim on the hook.
Similarly, the internet has enabled romance scammers to take more money off their victims in ways that are much harder to trace, and as good as impossible to refund afterwards.
The internet also makes it easier for scammers to find and to latch onto fake but realistic identities, for example by trawling social media and dating sites looking for real people who have already uploaded images of themselves and shared enough of their backstory to make a perfect starting point for fraud.
As FBI agent Christine Beining puts it on the FBI’s scam advice pages:
The internet makes this type of crime easy because you can pretend to be anybody you want to be.
Romance scams typically unfold like this:
Some of us may think it’s unbelievable that anyone would agree to send money, sometimes over and over again for months or even years, to someone they’d never met, and who had consistently evaded any attempts to meet.
Sadly, this sometimes leads to victim blaming, where those who fall for these scams are derided for what other people consider plain old gullibility.
But human relationships don’t always evolve in easily-explained ways, and romance scammers know how to exploit this by cultivating what appears to be a deep friendship and a genuine emotional connection.
The scammers know that humans tried to give much more leeway to people with whom they have a strong emotional connection than to anyone else, especially if that connection has been cultivated and affirmed over months or even years of regular and pleasurable online contact.
As we mentioned above, romance scammers aren’t like ransomware criminals, who aim to keep the lowest profile possible while setting up their sting, before unleashing a mammoth attack as abruptly as possible.
Romance scammers want to keep things going for as long they possibly can, putting ongoing effort into maintain the trusted affection of their victims.
Unfortunately, this means that the scammers may deliberately open up a rift between their victims and their own friends and family.
The criminals deliberately persuade their victims to follow their own emotions, as irrational as they may seem, and to turn their backs on any warnings coming from the circle of people who truly care for them.
If you are one of those true friends and family trying to warn someone that they’re a scam victim:
For advice on avoiding romance scams, and to report them, you can use these sites:
In the US
Advice from the FBI: https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/romance-scams
Advice from the FTC: https://consumer.ftc.gov/articles/what-know-about-romance-scams
Report cybercrime to the Internet Complaint Center: https://www.ic3.gov/
Report scams to the FTC: https://reportfraud.ftc.gov/
In the UK
Advice from Crimestoppers UK: https://crimestoppers-uk.org/keeping-safe/fraud/romance-fraud
Report scams to ActionFraud UK : https://www.actionfraud.police.uk/
In Australia
Advice from Crime Stoppers: https://crimestoppers.com.au/resource/romance-scams/
Report scams to ScamWatch Australia: https://www.scamwatch.gov.au/report-a-scam
In Canada
Advice from the Canadian Anti-Fraud Centre: https://antifraudcentre-centreantifraude.ca/scams-fraudes/romance-rencontre-eng.htm
Report scams: https://antifraudcentre-centreantifraude.ca/report-signalez-eng.htm
In the European Union
Europol portal page for scam reports: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!