Sign up to our newsletter
The latest security news direct to your inbox
For today’s gangs of professional cyber criminals, few things are sacred, and true love certainly isn’t one of them. Fake wedding invitations have been a standard spam attack for years, but cyber criminals have begun to play longer, more complex games to lure in victims.
Sadly, these can include ‘love affairs’ on dating sites that are faked purely to steal. Criminals use fake profiles, and attempt either to dupe a lover into sending money, or installing malware on their computer. (See Stephen Cobb’s Valentine’s Day post for more examples.)
According to the authorities, dating and romance scams are one of the fastest-growing areas of fraud online, with a 27% rise year-on-year reported in the UK. The FBI issued an official warning this year, saying that women over 40 were particularly at risk.
“Their most common targets are women over 40, who are divorced, widowed, and/or disabled, but every age group and demographic is at risk,” the FBI said. In 2012 the agency revealed that the Internet Crime complaint Center had received 5,600 complaints involving romance scams, with admitted losses totaling $50.4 million. Here’s how the FBI says the romance scam usually works.
You’re contacted online by someone who appears interested in you. He or she may have a profile you can read or a picture that is emailed to you. For weeks, even months, you may chat back and forth with one another, forming a connection. You may even be sent flowers or other gifts. But ultimately, it’s going to happen; your new-found “friend” is going to ask you for money.
Sadly, this happens far to often, and as recent news stories confirm, there are a huge number of fake profiles on dating sites. Some of these fake profiles are made by unfortunate people in a misguided attempt to find love while others may used to lure customers to the site, as alleged here. Of course, you want to avoid all of these, and you definitely want to steer clear of that undetermined percentage of fake profiles that are simply bait for cybercrime. Don’t be a victim, check out these tips and take them to heart:
If you’re suspicious, Google the message text he/she sends you
Unlike spam, dating scams require a fair amount of work from the criminals – so they tend to cut corners. Often, the ‘romantic’ message you receive has been sent to dozens of other people. Put quotes around it and Google it: if it brings up results from former victims, you should start to worry. If the messages are in broken English, but your lover claims to be American, it’s another good reason to be cautious. Ask advice from a site administrator, or a friend.
Don’t be ashamed to ‘play detective’
Millions of people use dating sites, but they DO carry risks that normal dating does not. You don’t know whether the person you are speaking to is real, where they’re from, or whether the photos are them, or someone different. In the old days, you would often meet people via friends of friends–but you don’t have this reassurance online. So play detective–Action Fraud says that you’ll often be speaking not to one person but to several members of the same gang, and they will be reluctant to give you details. If they won’t tell you where they work, worry. Likewise, if they keep asking questions about you, but never answer any about themselves, worry. Search for them on LinkedIn, or just via Google – it’s almost impossible NOT to leave traces online these days. If someone has not, they probably aren’t real.
If their photos are really glossy, be afraid
Oddly, one of the giveaways that your lover may not be who they seem is that they look too good–as in, the photographs are professional. Few normal people would make this much effort–but for a cybercriminal, the easiest way to create a fake profile is to use glamorous pictures from the web, shot by professional photographers.
Don’t hand over information bit by bit
Dating sites are a huge growth area for cybercrime, and scams vary from simple cons, where people are asked for money for visas, to classic phishing. The problem is that handing over information is a normal part of romance–but perfect for identity thieves. Until you have verified that the person is genuine, do not give out your address, ever, and if possible limit other details such as workplaces and contact details.
Don’t share ‘racy’ photos with people you have not met
One variation of today’s dating scams is a simple one – blackmail. Do not hand over pictures you would be embarrassed to see published online–otherwise, you’re at risk from blackmailers. Even racy messages can be a tool for criminals – particularly if you’re attached. Keep things clean until you know your ‘romance’ is real. Allowing someone to see you via webcam, or to, for instance, undress on webcam, is particularly risky.
If your ‘lover’ sends you a photo which you need to click on, worry
A Nigerian ‘scam factory’ exposed by Brian Krebs, and reported by We Live Security here, used various methods to defraud wannabe lovers–but one was to promise an image, but instead send a file containing banking malware. Keep antivirus software running and be wary of profiles without images in the first place. If they have an image, ask them to add it to their profile.
Long-distance love DOES happen – but be wary
As a test, an ESET employee set up an account on dating site Badoo and the first ‘Favorite’ the profile received was from a new site user, with no picture, who lived in Lagos. It’s flattering to be messaged, especially if you are new to a site, but be cautious. Profiles without pictures, details and interests are a clear warning of a fake profile. US law enforcement say that common signs are people who claim to be American but say they are working abroad, then suddenly need plane fare home.
Stick to reputable sites
Match.com and other ‘major’ sites such as eHarmony have a reputation to protect so their systems will help to keep you safe (accusations of fake profiles notwithstanding). On Match, for instance, you can instantly flag any email or message as suspicious, and flag any profile you think isn’t quite right. Match will investigate rapidly. Other large, reputable sites have similar systems. Smaller, specialist sites–particularly those focused on short-term relationships–won’t offer the same peace of mind. However, sites which cater to a particular cultural group may achieve higher levels of trust if they fly under the radar of cyber criminals. Expect ‘Free’ sites to be the most dangerous the barrier to entry is low for enterprising cybercriminals.
Don’t be persuaded to switch to another social network, email or IM
Millions of people use dating sites, and the ‘big’ sites are facing epidemic levels of fake profiles, phishing and other scams, so cybercriminals will often persuade victims to switch to another site, the FBI warns, either a social site, or simply email. This way, they can continue the fraud in private.
If you think, “It’s all happening so fast!” It’s time to worry
Dating scams are one of the few areas of cybercrime where gangs play a ‘long game’ – sometimes stringing victims along for weeks or months. But most are impatient to be paid – so any online ‘lover’ who declares undying love in the space of a few emails should be regarded with extreme suspicion.
Do not send money, ever
The ‘red flag’ moment comes when your ‘lover’ asks for money. Do not send it–whether it’s for flights, or for life-saving surgery. Even if the story is so tragic you feel you HAVE to help. Remember Stephen Cobb’s first rule of twenty-first century romance: No wires until we’re hitched.
If the subject of money comes up early in a relationship, be wary. If someone asks outright for a Western Union payment or bank wire transfer, you may well be dealing with a criminal. Speak to a site administrator if possible. Talk to a friend – or ask advice from an independent agency, or local law enforcement.
Do a risk assessment
With all these warnings, and all those scammers out there, you might be wondering if looking for love online is just a bad idea. We asked for a second opinion from ESET security researcher Stephen Cobb who met his wife, Chey, through the analog precursor to online dating sites: the ‘personals column’. Cobb says he thinks online dating does offer some of the advantages of running a personal ad in a newspaper, like establishing mutual interests and a degree of compatibility before going to the trouble of meeting in person, but he warns “adding layers of technology to match-making is not always helpful.”
Cobb notes that back in the 1980s it was normal to switch the communication channel quite quickly, from pen and paper to phone calls and a face-to-face meeting. “Talking on the phone and seeing someone in person is a lot harder to fake than emails, online chat, and digital photos,” says Cobb, who agrees that a face-to-face meeting has its own set of risks, but says these can be reduced by agreeing on a public place, in daylight. “Chey and I agreed to meet in a popular coffee shop in North Beach on a Sunday afternoon, giving us both an easy exit if we wanted to bail–which luckily she did not.”
“I think there are two keys to successful online dating,” says Cobb, “The first is to be honest and genuine and bail at the first sign you’re not getting that from the other person; the second is to avoid highly specific matching criteria which foster the erroneous notion that there aren’t many matches out there, so you end up make excuses for someone who is acting flaky because you’re convinced they are the only one.”
Author Rob Waugh, We Live Security