With the arrival of Valentine’s day, the FBI’s Cleveland division has issued a warning regarding romance scams. Perpetrators of these scams use online dating platforms or social media to deceive targets, establishing fake relationships and gaining the target’s trust before requesting money, gift cards, cryptocurrency or private information. In 2022, the FBI received 19,000 complaints about romance scams. The estimated loss from these scams is at least $739 million.

The typical targets are divorced, widowed, elderly or disabled women over the age of 40, although anyone can be the victim of a romance scam. Romance scammers will typically avoid meeting in person by claiming to live in another state or country. To avoid being the victim of a romance scam, the FBI advises that people should never send money or personal information to someone they’ve never met.

Awareness of romance scams can keep potential targets alert and safe. Security experts weigh in on how people can avoid these malicious actors online.  

Security experts weigh in

Claude Mandy, Chief Evangelist for Data Security at Symmetry Systems: 

“It is important to reflect on the increasing threat that Generative AI's growing, and easily available capabilities pose. Gen AI is already being used very successful to improve social engineering particularly in dating and romance scams. Cybercriminals are able to leverage generative AI to create convincing and almost foolproof personas from expected text and email responses to realistic images, audio and videos. The ease of deceiving individuals into believing false narratives or identities is unprecedented as a result.

Advice: 

  1. Individuals should exercise caution. Social engineering tactics often focus on compromising accounts or persuading individuals to make payments to criminals. avoid sharing sensitive info, look for signs of gen ai usage, Employ reverse image searches, enable MFA.
  2. Dating sites also play a key role. Implement robust identity verification measures, employ advanced fraud detection algorithms to reduce the use of bots etc. implement advanced content moderation tools to detect and remove fraudulent visual content.
  3. Organizations should realize that the ease of compromising passwords has never been higher and invest in phishing resistant MFA. Also ensuring that they focus on reducing the volume and sensitivity of data that can be accessed that isn’t required.”

Bud Broomhead, CEO at Viakoo:

“Romance scams are popular with cyber criminals because they work, are hard to recover money from, and have a higher chance of not being reported. Romance scams follow a playbook familiar to scammers; they leverage relationships that are meant to be based on trust. Other very popular variations of this scam are impersonating a CEO or high level manager in order to have an employee send money or gift cards, or a grandmother getting a call late at night from someone pretending to be their grandchild and needing urgent financial assistance. As overall corporate IT security improves and becomes more automated scammers and threat actors are turning to other forms of cyber crime to make money, romance scams being one of them.  The vast amounts of personal information that is available to cyber criminals makes their starting point much easier than before:  they already know a victim’s financial situation, how connected they are to other people, whether they recently ended another relationship, where from and when they last moved residence, and many other forms of personal information.  With more advanced AI capabilities (ChatGPT and others) in the hands of cyber criminals the threat is that romance scams can be automated at scale, and developed over a longer period of time to gain additional trust. Deepfake images, AI-generated conversations, and emotion analysis can or soon will be performed at a large scale, making current romance scams into a mild warm-up to the main event that is coming.  To prepare for the coming AI-driven onslaught more education and training is needed, with people needing to become more practiced and better at detecting such scams.  Online courses and other training can and should be part of general cybersecurity awareness training.”