As cybercrime gangs exploit COVID-19 to target the lonely, victims (and their banks) could get jilted out of millions.
Law enforcement agencies around the world are reporting a surge in romance scams as fraudsters seek to cash in on the profound loneliness many people are feeling due to social distancing amid the coronavirus pandemic.
Those who fall prey could face financial ruin or get conned into criminal acts. But banks and other businesses could lose millions in the process. According to data from the Federal Trade Commission, consumers in the US alone lost $201 million to romance scams in 2019. That’s a 40% increase from the previous year. It’s also six times higher than the $33 million lost to such crimes in 2015.
Factor in the volatile mix of stress, economic anxiety, and social isolation so many are experiencing thanks to the COVID-19 outbreak, and those figures may be about to hit the stratosphere. If they do, it’ll also be just the start of it.
That’s because in romance scams, victims are routinely recruited, often unwittingly, to act as money mules to help the perpetrators launder money from business email compromise.
As our researchers have noted, many of the same fraudsters behind romance schemes also propel business email compromise (BEC) scams and other advanced email threats that have cost businesses around the world more than $26 billion just since 2016.
Con artists exploiting human emotions during times of uncertainty is hardly new, of course. Scammers have always sought to profit when crisis strikes.
That includes malicious actors who adjust phishing attacks to take advantage of national or global events, from banking system failures, to Brexit, to the US presidential elections. The more people to take the bait, the more money these fraudsters can swindle from their victims.
Romance swindles are no exception. According to the FBI, these schemes typically begin with fake social media profiles featuring a bogus profile tailored to appeal to their targets. Older adults are particularly hard hit, but as the New York Times reports, people of any age can fall victim—including people in their 20s. The sweet-talker on the other end is charming, interesting, thoughtful and very much interested in continuing the conversation via personal email.
With much of America (and the world) in self-isolation, people who are already feeling lonely will only feel more so—especially when they are alone as weeks become months of social distancing. COVID-19 presents the perfect opportunity for counterfeit Casanovas to nurture a personal bond with their homebound marks using insidious social engineering tactics, including the following.
Romance scammers are relatable, which makes them extremely dangerous for people who are alone. In many of the scripts and formats sent to victims, actors tell stories about how they’re single with three kids, and are looking for the love of their lives. Other scripts may go into detail about how they’re elderly and widowed, and just want to find one more true love to be with for the rest of their lives. Scammers will use any technique they can to entrance victims, including impersonations of deployed soldiers, singles with HIV looking to date, or even different fetishes. At Agari, we’ve identified victims who have lost their homes, inheritance, and incur hundreds of thousands of dollars in debt simply because they were looking for an authentic, caring relationship.
Scammers spend a lot of time building personas and use pictures of other people stolen from Facebook, Instagram, and other social media profiles—someone generally attractive, but not too good looking as to raise suspicions. By using these pictures, these malicious actors are able to tell different stories about their fictitious children, family members, life events, and monuments and sites they’ve visited.
As conversations progress, there will always be a point where they pop the question: can you send some money? It starts small, with a $50 gift card here, or a $100 Western Union wire transfer there. As time progresses, the amounts get to be even higher, with actors weaving elaborate stories to explain why they need money. During the COVID-19 pandemic, one of the lures scammers are using goes along the lines of, “My family has it, and I need money for healthcare, can you help out?” Others no doubt involve tall tails of family members needing help getting out of a foreign country, or taxes on an inheritance payment from someone who loses their battle against the illness.
Unbeknownst to the victim, these shysters are using them to launder money and open bank accounts to facilitate fraud. They’ll ask victims to cash checks, deposit money, wire accounts, open credit card accounts, or wire money via Western Union, bitcoin, or MoneyGram. In other cases, they’ll coax their prey into sharing login credentials to their personal or work email accounts. As incredible as it all sounds, this happens more frequently than many expect.
During online relationships, people are eager to video chat with one another, while romance scammers avoid it. The primary excuse is a broken phone or camera. And forget ever meeting face to face. Scammers always come up with excuses on why that can’t happen, such as needing to buy a plane ticket, an injury—or the coronavirus: “I can’t come see you because I’m in isolation.”
As we all struggle with the physical, financial, and emotional toll of the coronavirus and its impact on our everyday lives, individuals and businesses must stay vigilant against hustlers out to take advantage of good people living through tough times. In the time of COVID-19, one unguarded moment can turn cupid’s arrow into a crisis all its own.
The problem for organizations and the rest of us is that these romance scams almost inevitably cross over into other social engineering scams and business email compromise attacks as threat actors look to fully monetize their ruse. If they can trick a romance victim into disclosing personal details or email credentials, the attacks form a contagion much like the Coronavirus itself, by affecting those most closely associated with patient zero. This includes employers, co-workers, family and friends, and just about any business the victim engages online. Unfortunately, none of us are immune.
To get an inside look at how romance scammers defraud their victims as part of much larger cybercriminal enterprises, read “Scarlet Widow: Breaking Hearts for Profit,” from the Agari Cyber Intelligence Division (ACID)