Home
Blog
Romance Scams: The cybercrime that just won’t go away

Romance Scams: The cybercrime that just won’t go away

Paul Ducklin
Paul Ducklin
09/20/2024
9 min read
Share this article:

Romance scams, which are pretty much what their name suggests, often lead to victim blaming, where those who fall for them are derided for what other people consider plain old gullibility.

But these scams predate the word ‘cyber’ and the internet, and they are human-led fraud that can’t be solved by technology alone.

What can we do to avoid them, and to keep our own vulnerable friends and family safe?

Cybercrime in a more leisurely era

Cybercrime was a problem even before the internet took off.

Malware, for example, first appeared back in 1982, first on the Apple II computer and later on IBM PCs.

At that time, most people swapped files and information on floppy diskettes, forming an informal global computer ‘network’ affectionately dubbed sneakernet.

This sort of super-slow, low-bandwidth file sharing system was more than enough to let the underground malware scene thrive, with thousands of distinct computer viruses appearing within a few years.

And ransomware first showed up in 1989, predating the World Wide Web and consumer access to the internet.

The infamous PC Cyborg ransomware Trojan couldn’t use the internet to spread, so its creator bought up tens of thousands of floppy diskettes and snail-mailed them out to individuals and companies on mailing lists he had bought.

Romance Scams: The cybercrime that just won't go away - SolCyber

Cybercrime at internet speed

The arrival of the internet changed all this, opening up entire company networks to continuous attack 24 hours a day.

Malware and phishing scams can now be spammed out to tens of millions of recipients at a time, not merely tens of thousands, at next to no cost, using email that takes seconds to arrive instead of snail-mail that took days.

Even ransomware attacks, which today generally involve human-led intrusions rather than mass malware mailouts, seem to be speeding up.

In theory, the longer that ransomware attackers spend getting ready, the more subtle and surreptitious they can be, but in practice, the longer they take, the greater the chance of being spotted.

In the late 2010s, network-wide ransomware attacks sometimes went weeks or even months in the making; by the early 2020s this preparation time was typically measured in days; in 2024, some researchers report that ransomware attacks often seem to start and finish within a single day.

As the internet gets faster, attacks and attackers are, perhaps unsurprisingly, getting faster with it.

Slow scams at human pace

But not everyone in the cybercrime underworld is obsessed with speed.

Sadly, there’s one devastating type of online crime that continues to be a serious problem despite, or perhaps because of, the slow, sometimes even languorous, way in which it unfolds.

Romance scams, which are pretty much what their name suggests, exploit the scale, reach and speed of the internet to get started.

But once they’ve got their hooks into a victim, the human perpetrators of romance scams rely on a very different approach to the typical ransomware gang, who aim to finish with a dramatic, all-at-once, network-wide finale.

Romance scammers, in contrast, almost always play what’s known in the trade as a long con.

Their initial aim is not to hide away but to get themselves noticed right away.

Their goal is to catch your eye, to lure you into friendship, to win your trust, to elevate the friendship to a romantic level, and then to fleece you slowly but steadily for as much money as they can for as long as they can.

Internet-enabled crime

Romance scams are perhaps better described as internet-enabled crimes rather than as pure cybercrimes, because they make use of but do not strictly depend upon cyber-technology.

Malware, for example, is undoubtedly a cybercrime, given that malware is just shorthand for ‘malicious software’, which is by definition a program that runs on a computer.

But romance scams between ‘soul partners’ who never meet, yet end up trusting each other to the detriment of the victim, have existed for hundreds of years, perhaps even thousands, from long before the word ‘cyber’ came along.

In pre-cyber days, romance scam messages might be forwarded by innocent go-betweens, carried by messengers who were in on the scam, sent by snail-mail, or spoken over the telephone.

The advent of the internet hasn’t changed the human-to-human aspect of romance scamming, and hasn’t deflected the scammers themselves from taking the time to play the ‘long game’, over months or even years if they can.

The internet has, however, made romance scams much faster and easier to initiate; has massively increased the level of contact that scammer and victim can maintain; and has reduced effectively to zero the cost to the scammers of keeping the victim on the hook.

Similarly, the internet has enabled romance scammers to take more money off their victims in ways that are much harder to trace, and as good as impossible to refund afterwards.

The internet also makes it easier for scammers to find and to latch onto fake but realistic identities, for example by trawling social media and dating sites looking for real people who have already uploaded images of themselves and shared enough of their backstory to make a perfect starting point for fraud.

As FBI agent Christine Beining puts it on the FBI’s scam advice pages:

The internet makes this type of crime easy because you can pretend to be anybody you want to be.



(FBI video. Watch directly on YouTube or read the transcript.)


A typical romance scam

Romance scams typically unfold like this:

  • The scammer creates a fake profile on a dating site, often copying details from someone else online. Using someone else’s data makes it much easier to create a believable persona with a consistent and realistic life history, including birthplace, schooling and further education, and early work history.
  • The fake person often pretends to be on some sort of overseas assignment, for example with the military (a handy cover for any later reluctance to answer personal questions), or on a remote oil rig (which can be used to justify their apparently unreliable internet connectivity and inability to make video calls). The remote work posting is a convenient excuse for why they can’t meet in person.
  • After making contact on the dating site, the scammers lure their victims away from the dating site and begin communicating directly, using personal email and other end-to-end messaging services that draw the victim into a personal and private, perhaps even secretive, friendship.
  • Once the victim feels they can trust their new ‘friend’, whether they have developed romantic feelings yet or not, the scam proper begins. Their friendly conversations begin to involve money: the scammer needs some urgently, and the victim is lured into providing it.
  • The previous step, involving money but never actually meeting up in person, then repeats for as long as the victim retains their emotional ties with the scammer.

Some of us may think it’s unbelievable that anyone would agree to send money, sometimes over and over again for months or even years, to someone they’d never met, and who had consistently evaded any attempts to meet.

Sadly, this sometimes leads to victim blaming, where those who fall for these scams are derided for what other people consider plain old gullibility.

But human relationships don’t always evolve in easily-explained ways, and romance scammers know how to exploit this by cultivating what appears to be a deep friendship and a genuine emotional connection.

The scammers know that humans tried to give much more leeway to people with whom they have a strong emotional connection than to anyone else, especially if that connection has been cultivated and affirmed over months or even years of regular and pleasurable online contact.

As we mentioned above, romance scammers aren’t like ransomware criminals, who aim to keep the lowest profile possible while setting up their sting, before unleashing a mammoth attack as abruptly as possible.

Romance scammers want to keep things going for as long they possibly can, putting ongoing effort into maintain the trusted affection of their victims.

Unfortunately, this means that the scammers may deliberately open up a rift between their victims and their own friends and family.

The criminals deliberately persuade their victims to follow their own emotions, as irrational as they may seem, and to turn their backs on any warnings coming from the circle of people who truly care for them.

What to do?

  • Never send money to a ‘friend’ you have never met. Just say no. If the ‘friendship’ doesn’t survive this simple test, then the person wasn’t interested in you, but in your money. Romance scammers almost always want you to pay in ways that can’t be cancelled, contested or refunded. These payments will usually involve gift cards (you send them the redemption codes so they can use them online), cash transfer services such as Western Union, or cryptocurrency transactions.
  • Cut off all contact with a scammer as soon as you suspect them for the first time. Never ask them to explain or to justify the inconsistencies in their story or their behavior. These scammers tell tall tales for a living, and if you give them the slightest chance to talk you round from your skepticism, they will take it. Formally report the scammer to the relevant authorities right away (see links below). You are unlikely to get any money back, but it’s a helpful way of drawing a rigid line under the experience so you don’t relapse into sending money again. If you met on a dating site or other online platform, report the scammer’s account to them so they can act against it.
  • Don’t turn your back on your true friends and family. If they are trying to warn you that your new acquaintance is a scammer, assume that they are right. And see point 2 above: don’t ask the scammer whether they’re genuine – they are simply going to insist that they are! Once they suspect that people are warning you that they’re fraudsters, they may try to drive a wedge between you and your family, which will leave you emotionally as well as financially bereft when you finally accept the truth that you’ve been scammed.
  • Consider doing an internet search for the profile of your new ‘friend’. Do a reverse image search to see if the image they are using appears on other profiles. Not all scammers can be uncovered this way (their first victim, for example, might not find any evidence of a re-used profile), but it’s a simple test that could prove beyond doubt that it’s scam before it even starts.

If you are one of those true friends and family trying to warn someone that they’re a scam victim:

  • The sooner you intervene, the better. The longer a romance scam continues, the more invested the victim becomes, both emotionally and financially, and the harder it is to convince them to throw away their dreams.
  • Be careful not to get drawn in yourself. Although this is unlikely with a one-to-one romance scam, for obvious reasons, criminals use very similar techniques, including starting off on dating sites, to lure victims into investment scams instead. These relationships turn into non-romantic trusted ‘friendships’ that the criminals use to convince victims to invest in fraudulent schemes, notably involving fake cryptocurrencies. These scammers routinely use their immediate victims to evangelise and recruit amongst their own friends and family.

For advice on avoiding romance scams, and to report them, you can use these sites:

In the US
Advice from the FBI: https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/romance-scams
Advice from the FTC: https://consumer.ftc.gov/articles/what-know-about-romance-scams
Report cybercrime to the Internet Complaint Center: https://www.ic3.gov/
Report scams to the FTC: https://reportfraud.ftc.gov/

In the UK
Advice from Crimestoppers UK: https://crimestoppers-uk.org/keeping-safe/fraud/romance-fraud
Report scams to ActionFraud UK : https://www.actionfraud.police.uk/

In Australia
Advice from Crime Stoppers: https://crimestoppers.com.au/resource/romance-scams/
Report scams to ScamWatch Australia: https://www.scamwatch.gov.au/report-a-scam

In Canada
Advice from the Canadian Anti-Fraud Centre: https://antifraudcentre-centreantifraude.ca/scams-fraudes/romance-rencontre-eng.htm
Report scams: https://antifraudcentre-centreantifraude.ca/report-signalez-eng.htm

In the European Union
Europol portal page for scam reports: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online


Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!

Romance Scams: The cybercrime that just won't go away - SolCyber


More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image by Eli Pluma via Unsplash.

Paul Ducklin
Paul Ducklin
09/20/2024
Share this article:

Table of contents:

The world doesn’t need another traditional MSSP 
or MDR or XDR.

What it requires is practicality and reason.

Related articles

Businesses don’t need more security tools; they need transparent, human-managed cybersecurity and a trusted partner who ensures nothing is hidden.

It’s time to move beyond the inadequacies of current managed services and experience true security management.
No more paying for useless bells and whistles.
No more time wasted on endless security alerts.
No more dealing with poor automated services.
No more services that only detect but don’t respond.
No more breaches caused by all of the above.

Follow us!

Subscribe

Join our newsletter to stay up to date on features and releases.

By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.

CONTACT
©
2024
SolCyber. All rights reserved
|
Made with
by
Jason Pittock

I am interested in
SolCyber XDR++™

I am interested in
SolCyber MDR++™

I am interested in
SolCyber Extended Coverage™

I am interested in
SolCyber Foundational Coverage™

I am interested in a
Free Demo

9259