This Valentine’s Day, bot operators don’t have love on the brain, just money on their mind (yes, a cheesy but timely Rihanna reference).
Romance fraud schemes have plagued dating platforms since their inception, but losses reported by the FBI recently hit an all-time high of nearly $1 billion, affecting over 24,000 people in the United States alone. Romance fraud is a type of scam in which a person creates a fake online identity to form a romantic relationship with another person, with the intention of obtaining money, personal information, or both.
Since most users are aware of the presence of bots and catfishing schemes, how exactly have so many people become victims with so much money lost to romance fraud?
Unfortunately, it’s due to yet another type of bot.
Why are dating platforms especially prone to bots and fraud?
Dating platforms are extremely popular and used by millions of people around the globe. This offers an opportunity for bad actors to exploit vulnerabilities in people looking to make genuine connections.
Sources: Business of Apps 2022, FBI IC3 Report
How do bots get through the sign-up process?
Account generation bots have been targeting major online dating platforms for years now, bypassing security measures like CAPTCHAs and image verification checks during the signup process. These bots have allowed cybercriminals to quickly create and verify hundreds and thousands of fake accounts using images purchased in bulk from criminal forums. This year, a highly successful bot can sell for about $200 USD a day, or $1,500 USD a month, based on Kasada’s latest threat intelligence.
After automating the account creation process, bad actors use these accounts to commit various forms of romance fraud at scale.
How are bots used to commit romance fraud?
Oftentimes, bots are used to automate communications with the target and convince them to part with their money or personal information. Bots can mimic human behavior by sending messages and responses in real time. In addition, bots can be programmed to follow a particular script, such as building trust with the victim, making emotional appeals, and offering a fake financial investment opportunity (usually cryptocurrency). An adversary may also use a combination of automated and personal messages to tailor messaging to the victim.
Once the victim has developed a relationship with the bot, the bot operator can then use that relationship to extract money or personal information from the victim, such as asking for money to cover unexpected expenses or to help with a financial investment. In some cases, the bot may also try to install malware on the victim’s device to steal sensitive information.
Bot-enabled romance fraud:
- Profile verification – Bots ask users to verify their profile by sending a link to a “verification” site. The site then asks the user to input their personal information and credit card details in order to “verify” their identity, but it is really just a phishing attack to obtain that information.
- Malware injection – Direct messages with links containing malware are sent to users through bots. Messages often include the above profile verification method or ask the user if they’d like to play a game or continue the conversation on another site.
- Catfishing at scale – Bots create multiple fake accounts with fake images in an attempt to develop relationships with the victim(s) before making their asks or conducting fraud.
- Blackmail – Fake user accounts created by bots solicit pictures or written information from other users in order to blackmail them.
- Account takeover – Using credential stuffing, bot operators test thousands of credentials to take over existing accounts and perform fraud.
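Two of the patterns above, bulk account creation and credential stuffing, leave a velocity signature in ordinary signup and login telemetry. The following is an added example (not code from the original post or from Kasada) that flags a source IP when it creates many accounts in a short window, or tries many distinct usernames with mostly failed logins; the event format, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the original post): "ts,ip,event,user,outcome".
# 203.0.113.7 mass-creates accounts, 198.51.100.9 sprays usernames at the login
# form, 192.0.2.5 is an ordinary user who mistypes a password once.
SAMPLE_EVENTS = """\
1000,203.0.113.7,signup,new_user_01,ok
1004,203.0.113.7,signup,new_user_02,ok
1009,203.0.113.7,signup,new_user_03,ok
1013,203.0.113.7,signup,new_user_04,ok
1018,203.0.113.7,signup,new_user_05,ok
1100,198.51.100.9,login,alice,fail
1101,198.51.100.9,login,bob,fail
1102,198.51.100.9,login,carol,fail
1103,198.51.100.9,login,dave,ok
1104,198.51.100.9,login,erin,fail
1200,192.0.2.5,login,grace,fail
"""

def parse_events(text):
    keys = ("ts", "ip", "event", "user", "outcome")
    events = [dict(zip(keys, line.split(","))) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = int(e["ts"])
    return events

def _windows(events, window):
    """Yield (ip, events) for every trailing `window`-second slice per source IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            yield ip, evs[start:end + 1]

def detect_signup_bursts(events, window=60, threshold=5):
    """IPs that created at least `threshold` accounts within `window` seconds."""
    signups = [e for e in events if e["event"] == "signup"]
    return {ip for ip, evs in _windows(signups, window) if len(evs) >= threshold}

def detect_credential_stuffing(events, window=60, min_users=5, fail_ratio=0.8):
    """IPs trying many distinct usernames with mostly failures: the stuffing signature."""
    logins = [e for e in events if e["event"] == "login"]
    return {ip for ip, evs in _windows(logins, window)
            if len({e["user"] for e in evs}) >= min_users
            and sum(e["outcome"] == "fail" for e in evs) / len(evs) >= fail_ratio}
```

In production the source key would be a device or session fingerprint rather than a bare IP, since residential proxy pools spread one operator's traffic across many addresses.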
As always, online users need to be cautious when engaging with individuals they have not met in person. More importantly, it’s imperative that dating platforms and social media sites take the necessary steps to protect against automation, especially during the account creation process, since fake profiles are the root of the problem.
Kasada protects billions of account logins across the web from malicious automation. See if your site/login can detect automated requests by taking our free test.