A federal sting operation dubbed “Operation Gold Phish” has led to the arrest of nine people accused of bilking at least 18 victims out of $2 million through socially-engineered romance scams over the last two years.
As first reported on December 19, the defendants are accused of manipulating victims into becoming unwitting money mules in an alleged wire fraud operation. According to the Chicago-Sun Times, an FBI affidavit alleges the defendants posed as romantic partners to their victims, slowly nurturing an emotional connection before asking them to make deposits into bank accounts they set up using fake passports.
According to the report, victims they targeted included a woman who admitted she was recently widowed and feeling lonely, and another believed he was dating a woman with cancer named “Clair Anderson.”
In one con, a fraudster allegedly posed under the alias “Sarah Allison,” convincing a target she needed help acquiring a $2.5 million inheritance. According to NBC5 Chicago, the victim sent $38,100 to various fraudulent bank accounts over an 11-month period to help out.
In most cases, victims absorb the losses from such scams—nearly $90 million in the US in the last year alone. While many may wonder how anyone could be fooled by such schemes, the emotional pull of social engineering can be as profound as it is effective. What’s more, while it may seem far from a threat for most businesses, nothing could be further from the truth.
Without a doubt, con artists have been exploiting human psychology for hundreds of years, beguiling their targets into becoming accomplices in the very crimes that victimize them. It’s no different in the digital age—it’s just easier and far more scalable.
According to the FBI, today’s schemes increasingly start with fake online profiles on Match.com, Facebook, Instagram, and other social media platforms. A photo of somebody else—someone attractive without being too good looking—is paired with a well-crafted bio, along with posts designed to appeal to their target audience.
In the US, that audience includes women over 40, who suffer the highest losses from online romance scams, at nearly $70 million last year. Men over 40 make up a distant second, losing roughly $14 million. Worldwide, total losses are believed to be as high as $800 million. But since the vast majority of cases go unreported, actual losses are likely much higher.
While there are any number of variations, these ploys generally riff from a familiar playbook.
Online matches, likes, posts, or comments spark friendly conversations. The con artist on the other end is imminently charming, interesting, funny—and very much interested in continuing the conversation via personal email, text, or WhatsApp.
From there, the flirtations fly fast and romantic interest is professed as quickly as possible, despite the fact these relationships nearly always represent a long-distance love connection. Over time, sometimes weeks or even months, the shyster will nurture a personal bond with his mark, identifying and capitalizing on their emotional vulnerabilities in order to engender what is ultimately misguided or, as some victims later admit, willfully-blind trust.
It’s just a matter of time before this counterfeit Romeo starts asking for a “short-term loan,” to help him buy a plane ticket so they can meet in person, cover an unexpected car repair, or launch a new business venture. Sometimes it’s just a request to handle money transfers on his behalf.
According to support group RomanceScams.org, the average loss per victim is $12,000. But some lose much more. Just ask the Houston woman in her 50s who recently lost her entire life savings—all $2 million worth—to such a scam.
Unfortunately, that’s just the start of the financial and emotional chaos these attacks can leave in their wake.
Romance scams used to be orchestrated by lone cads and scoundrels. But increasingly, they’re carried out by networked crime rings and even highly-sophisticated, international cybercrime operations. According to the FBI, most romance scams originate in Nigeria, Ghana, England, and Canada.
Though lucrative in their own right, these ruses are often part of much larger crimes that can include business email compromise (BEC) scams, spear phishing campaigns and any number of other advanced email threats targeting businesses in every industry.
In some instances, for instance, victims are recruited as money mules, helping launder stolen proceeds from successful attacks against businesses. In others, victims may be hoodwinked into coughing up login credentials to their personal or work email, giving the fraudsters access to an account from which to launch phishing and BEC campaigns.
While that first scenario specifically impacts banking and financial services organizations, the second is often part of what is quickly becoming a major threat to every business. Over the last five years, account takeover (ATO)-based attacks and other advanced email threats may have contributed to $12.5 billion in direct business losses.
These and other advanced email threats are the impetus for a new generation of AI-based solutions that map email communications between people, organizations, and infrastructures in order to detect and disrupt identity deception, social engineering ploys, and other forms of email fraud that can originate with romance scams.
With advanced email threats now ranking as the number one cyber-threat facing businesses, being aware of these and other social engineering-based fraud schemes is the first step in avoiding them.
To learn more about social engineering-based advanced email threats and how to defend against them, download a free copy of “Email Security: Social Engineering Report” from Agari and ISMG.