Dating Sites and Scams: The Trends You Need to Know
We’re currently in “cuffing season.” This means scammers are keeping their eyes on dating apps. Dating sites and apps make prime targets, not just because there are a lot of people on them, but because these sites can have all kinds of data available for malicious people. If you’re looking for a partner online, you need to know what’s going on with dating sites and scams.
See Fake vs Taken Over Accounts with Jason Kent and Will Glazier for a complete transcript of the Easy Prey podcast episode.
Jason Kent is the Hacker in Residence at Cequence Security. His job is to understand the attacks that hit Cequence’s customers and figure out what the attackers did and why. In addition to this research and studying real attacks, he also does a lot of public speaking. He has been interested in computers since he was a kid. But he didn’t get into security until the late 1990s, when his wife, at the time a web application designer, told him about a person with the last name O’Neill who broke her web app because of the apostrophe in his name. Jason became interested in all the ways you can “break” software and programs.
Will Glazier is the Director of Threat Research at Cequence Security. His team includes security engineers, data scientists, and machine learning experts, and their job is to deal with the attacks. They protect some of the world’s largest brands from bot attacks and threats to public APIs. Not only do they deal with the attacks, they work to understand them and apply that learning to Cequence’s products and threat intelligence cloud.
Sharing Experiences with Scams
Jason’s wife is also a bookkeeper – specifically, the fiscal officer for a small township. The township is so small that it consists of the two guys who drive the plow in the winter and a trustee who decides how much salt to buy. It’s a small operation with very small paychecks.
At one point, a scammer gained access to the trustee’s email. They then sent an email from the trustee’s account to the fiscal officer asking to change what bank account the trustee’s checks were deposited into. The email was from the right address – it wasn’t spoofed – and nothing seemed suspicious. So Jason’s wife made the change. It wasn’t until a couple months later, when the trustee asked where his check was, that anyone noticed anything was amiss.
Jason’s wife eventually had to file an insurance claim to get that money back. It was embarrassing, especially since Jason is well-known in security. But it illustrates a challenge in trust placement. When we have trust in systems and other things, we’re going to make assumptions that may not be true and extend that trust to other things that maybe shouldn’t have it.
It’s important for people who are victims of these types of scams to talk to each other and share. Nobody should feel ashamed to admit they were scammed. The trouble with the dating sphere especially is that it’s very human. Dating sites and scams make Will especially mad because they’re preying on vulnerable people.
The Major Warning Sign of Scams on Dating Sites
It’s getting cold outside – wouldn’t it be nice to have someone next to you? A lot of people agree. We’re in “cuffing season,” the time of year where single people actively search out partners to share the colder months. This means that people are using dating sites and apps, providing their information, and putting some measure of trust into these platforms.
The biggest warning sign of scams on dating sites and apps is trying to get you off the platform. Scammers know that eventually the trust mechanisms in the dating app’s technology are going to pick up that their profile isn’t trustworthy. They need to move you to an app that they can keep you on. If someone reaches out to you and quickly wants to move your communication to texting, WhatsApp, or something else, that’s suspicious.
They are trying to convince you that the identity you met on the dating site transfers over to the new app or messaging system. But likely you were talking to either a completely fake account or a legitimate account that was taken over by scammers. And the kind of money that scammers can steal from someone who gets emotionally involved can be a huge amount. But even if the amount isn’t large, losing any amount to a scammer you thought was a trustworthy romantic partner can be traumatizing.
The kind of money that we see in this goes from a nicely-priced used car to a house … this is a lot of money that gets scammed out of these folks.
Jason Kent
Fake Accounts and Compromised Accounts
On any given month, Cequence blocks several billion malicious attempts to access or use systems. For all the dating sites they work with, they blocked about 150 million malicious attempts in the last quarter. That’s one transaction for every two Americans – dating sites and scams is a problem with a huge scale.
Scammers use two types of accounts to run scams on dating sites – fake accounts and compromised accounts. Fake accounts are just like they sound. The scammer creates a completely made-up profile for a completely made-up person. Compromised accounts, on the other hand, are real accounts that at one point belonged to real people. But the scammers found a way to take over the account and lock the original owner out. Once they have control, they can use these genuine profiles to scam others.
The ratio of fake accounts to compromised accounts varies based on the dating platforms’ current fraud initiatives and business concerns. But for scammers, compromised accounts are much more valuable than fake accounts. An account that was legitimate until the scammer took it over has a history of being legitimate. It’s much less likely that the dating platform’s security algorithm will flag it as a scam immediately. New accounts don’t have that reputation to the algorithm and are more likely to be spotted and shut down quickly.
Those accounts [that are taken over] have higher value for attackers because they will come with this positive reputation.
Jason Kent
Dating Sites and Scams is a Numbers Game
A lot of account takeovers rely on the law of large numbers. If your attempts fail 99.9% of the time, the best way to be successful is to put out a huge number of attempts. It takes a lot of repetition for them to get accounts to scam others with. Fake account creation is easier, but it’s slower to do.
Scams on dating sites live and die on how trustworthy their accounts look to the security algorithms. So they have other strategies to look more real. Sometimes the fake accounts are left to “age” so they have a longer history. Sometimes, the scammers will actually invest some real money. This is something Will calls “VIP fraud.”
VIP fraud involves scammers buying and selling accounts, likes, visibility, and other engagement. It also involves buying “VIP” or “premium” plans for their fake accounts. Most dating sites have some sort of upgrade process where you pay an additional monthly fee for extra bonuses and features. Scammers will sometimes upgrade their fake or compromised accounts to these higher tiers to gain the higher credibility and reputation that comes with it. Putting some money into the accounts looks like legitimate behavior to both the security algorithms and their potential victims. The scammers then try to take their victims for even more money to make up their investment.
Can Sites Tell When an Account is Taken Over?
Dating sites know that having a platform full of scams will hurt their business. And those of us online looking for love want to be able to put our trust in these platforms. The question is, how well can these apps and sites tell when an account becomes suspicious?
There are some analytics that are good giveaways. One is the impossible travel model. Dating sites can tell where you are when you send messages. If an account sends a message from a device located in China, and then five minutes later sends another message from a device in the US, that’s suspicious. In reality, sometimes the system flags these things and sometimes it doesn’t. For example, Jason travels, so he sends messages from all over. If the system isn’t specifically looking at the timing, it’s not going to understand.
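The difference timing makes, shown as an added example that is not from the podcast or from Cequence: a location-only check flags a genuine traveller, while a speed-based check flags only the five-minute China-to-US jump. The event fields, the 900 km/h ceiling and the 50 km slack are assumptions, and the login events are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed ceiling, roughly airliner cruising speed
SLACK_KM = 50.0   # assumed tolerance for imprecise geolocation


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def _pairs(events):
    """Consecutive event pairs in time order."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return zip(ordered, ordered[1:])


def country_changes(events):
    """Location-only check: flags every change of country, timing ignored."""
    return [(a["country"], b["country"]) for a, b in _pairs(events)
            if a["country"] != b["country"]]


def impossible_travel(events, max_kmh=MAX_KMH):
    """Timing-aware check: flags pairs whose implied speed exceeds max_kmh."""
    flagged = []
    for a, b in _pairs(events):
        km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
        hours = (b["ts"] - a["ts"]).total_seconds() / 3600
        # Far-apart events with the same timestamp count as infinitely fast.
        speed = km / hours if hours > 0 else float("inf")
        if km > SLACK_KM and speed > max_kmh:
            flagged.append((a["country"], b["country"], round(km)))
    return flagged


def ev(ts, country, lat, lon):
    return {"ts": datetime.fromisoformat(ts), "country": country,
            "lat": lat, "lon": lon}


# Constructed sample data (timestamps in UTC), not real platform logs.
TRAVELLER = [   # a user who really does fly between cities
    ev("2024-01-10T09:00:00", "US", 40.7128, -74.0060),
    ev("2024-01-11T08:00:00", "GB", 51.5074, -0.1278),
    ev("2024-01-13T08:00:00", "JP", 35.6762, 139.6503),
]
TAKEN_OVER = [  # the page's case: China, then the US five minutes later
    ev("2024-01-10T12:00:00", "CN", 39.9042, 116.4074),
    ev("2024-01-10T12:05:00", "US", 41.8781, -87.6298),
]

if __name__ == "__main__":
    for name, log in (("traveller", TRAVELLER), ("taken over", TAKEN_OVER)):
        print(name, country_changes(log), impossible_travel(log))
```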
Dating sites have the capabilities to notice when a user’s behavior shifts. The question is what kind of behavior patterns they’re looking for. Scammers tend to focus on just one or two victims, then disappear when they convince the victim to move to another platform. But if that’s what your algorithms are looking for, they’re not spotting scammers until they already have victims on the hook and away from anything you can do about it.
If you’re watching for the pattern to change when they leave the platform, it’s too late. You have to see a change in real time.
Jason Kent
There are other behavior change indicators that work better. For example, scammers often use automated tools to interact with posts and other users to make an account look active. But the way an automated tool does it is way different than a human. The key is to look for these things in advance.
Business Goals and Security Goals
One of the challenges in working with dating apps and scams is the tension between business and security. The business side of the platform often has different goals and motivations than the security team. To business, growth and daily active users are essential. If the security team is going to do anything that affects those numbers, the business side will want to see solid data before they take action.
It’s a classic case of long-term benefits coming at the cost of short-term gains. No one wants to see a dip in this quarter’s numbers. But if the platform doesn’t do something about the challenge of scams, bots, fake accounts, and compromised accounts, real people will eventually stop using the platform. After all, who wants to put their trust in a platform that you know is overrun with scams?
If you let this problem persist … eventually the tide will turn and people will stop using the platform.
Will Glazier
Security is one of those departments that business often views as the “Department of No” or the “Department of Reducing Sales.” People on the business side often feel like the security team isn’t aligned with the rest of the company. But if you don’t have enough security and all the accounts are taken over by bots, everyone is going to leave. It happens every time. And if a story breaks that someone loses a million dollars through a scam on your platform, that’s going to hurt, too. No matter how much it seems to slow business growth, security is essential.
Trends in Dating Sites and Scams
Predicting what will happen with dating sites and scams can be difficult. We just came out of two years of behaving completely differently than normal due to the COVID-19 pandemic. Online dating was a huge thing, and that caused a large fraud fallout. Now, people are able to go out and aren’t as reliant on dating apps. But the people who are there are highly vulnerable. They want connection, are putting a lot of trust out there, and may ignore warning signs.
It’s important to normalize what’s going to happen. You’re going to get a message from someone you shouldn’t trust wanting to chat. They’re going to tell you about their financial problems. And they’re going to play on your vulnerabilities to exploit you as much as they can. The fact that they are targeting you has nothing to do with you. And there are so many scammers out there that it will happen. You just need to know that it will and never be afraid to report, block, and move on.
Economics Matters
Economics also affects these scams more than many people think. Consider a non-dating site example: “Hype sales.” These are situations where people use bots to buy a bunch of something that’s really in-demand and then resell it for a higher price. But when the Federal Reserve started raising interest rates to slow things down, all of a sudden the margin got tighter. Exploiting hype sales was less profitable. It had a strong impact on the efficiency and profitability of scammers.
This also applies to the dating site universe. The margins are getting tighter for the bad guys there, as well. Imposing financial costs on scammers wherever possible can really hurt them. There’s an opportunity for dating sites to target scams by leveraging the current macroeconomic conditions. It doesn’t mean it will stay effective when the economic situation changes. But more safety, even if it’s temporary, is never bad.
Making people safer for a little longer is never a bad thing.
Will Glazier
Profit Margins of Scams on Dating Sites
Imagine you’re a scammer. If you just have one account, there’s a limited amount you can do. If you create 1,000 bot accounts, now you can do significantly more. But if the platform starts charging every account $1 per year just to exist, it costs more to operate. For most people, $1 per year isn’t a lot of money. But if you’re trying to run an army of 1,000 scam bots, it now costs you $1,000 per year to operate. If you have more bots, it costs even more.
Scammers are starting to run into this and similar problems. Security is getting better. Most attempts to take over accounts are unsuccessful if the scammers are using cheap infrastructure. The security algorithms can spot the cheaper infrastructure and block it. So to be successful, the scammers have to pay more money to get better infrastructure and equipment. This also cuts into their bottom line.
Because security is getting better, it now costs scammers more money to run scams on dating sites – or anywhere else. So they have to steal more and more money each time to stay profitable. During the peak of the hype sales, companies started up that were just bot companies. You could find job listings on LinkedIn to go write programs for their bots. You don’t see that anymore because they can’t afford to pay employees.
Each time they’re successful, they’ve got to get more money, otherwise they can’t cover their costs.
Jason Kent
Scams still happen. But we’re starting to take up more. The algorithms are spotting and rejecting the cheap and easy methods of scamming, and users are learning more about what to watch for. Scammers are begging for success. The more we can do and the more knowledge we have, the better.
Scams on Dating Sites are Purposeful and Targeted
One of the most-touted signs of any kind of scam is spelling and grammar errors. But those errors are often purposeful. If you don’t notice them or choose to ignore them, you’re probably going to be the kind of person who believes the scammer’s story or chooses to ignore the red flags. But good grammar doesn’t necessarily mean trustworthy, either. Scammers can use ChatGPT and other AI tools to generate grammatically-perfect text quickly. This is especially used by scammers whose native language isn’t English so they don’t have to think about it as much.
The overall trend in dating site scams is more focus. It’s almost like romance scams need to enter the world of spear phishing, targeting specific scams to specific people for a better chance of success. Volume has gone way down – there are just fewer people biting on scammers’ bait. So they have to be more clean and focused with what they’re doing, employ whatever tactics they can, and switch tactics whenever old ones stop working.
It’s Not Just Dating Sites that Can Stop Scams
ISPs should be monitoring their networks more. They can already see what’s going on in their networks. They should be able to spot suspicious patterns. ISPs could be a great help in fighting scams and malicious traffic. But they don’t seem interested in engaging.
Jason approached a couple of ISPs last year with a massive list of IP addresses that had tried attacking Cequence’s customers. But he was told that there was no one in the organization that he could give that list to where it would make any sort of difference. He got the impression that they were too busy collecting money and selling phones to care about security and safety. He had a similar experience when talking to the FBI and NSA. There really isn’t a coordinated effort on this.
One of the problems is that ISPs are dealing with so many other things as well. It would be great if there could be some more collaboration. Cequence has a solid presence in the telecom space and with ISPs. Carving out time for security people and ISPs to work together could help solve some problems.
Ironically, though, if an ISP started making phone calls about people’s computers being compromised, anyone familiar with common scams would hang up the phone. If people did believe the calls, there would be a panic and the company would end up on the news. There are human and political pressures along with security ones. That makes it difficult to do what might be ideal from a purely security-focused perspective.
What Users Should Watch For
If you are a dating site user, pay attention to where you’re placing your trust and why. Don’t immediately assume that you trust a particular site or app. Even if they use tools like two-factor authentication for security, that doesn’t mean the person messaging isn’t a scammer. Until you’ve actually met the person and know them, remember that it could very well be a twelve-year-old or a scammer on the other side of the world behind that profile photo.
If you put too much trust in the platform … it carries to the person talking to you.
Jason Kent
Be careful not to put too much trust in a particular platform, because that often carries over to trusting the person messaging you on that platform. No matter how great a platform is, scammers can still slip through. Companies are getting better, and you have more options for security features like two-factor authentication and login notifications. Whatever security features are available, turn them on. But remember that anyone can pretend to be anyone online. Be careful where you put your trust.
The statistics about how much money is lost to romance scams every year are staggering. If you’re going to be using these platforms, understand what scams can happen there. This is true on any platform. If you’re going to start buying stuff on Facebook Marketplace, learn about Facebook Marketplace scams. If you’re getting into photography, find out what kind of scams target photography beginners. And if you’re going to be on dating apps, learn what kind of scams happen on those apps. Having that knowledge will make them easier to recognize.
Learn more about Jason Kent, Will Glazier, and Cequence Security on their website, cequence.ai.