Scarlet Widow Part 1: Breaking Hearts for Profit

Nigeria-Based Romance Scam Operation Targets Vulnerable Populations

Executive Summary

Since 2017, Agari has been tracking and gathering intel on a Nigeria-based crime ring we’ve named Scarlet Widow. The group has a history of exploiting vulnerable populations, from romance scams against farmers and individuals with disabilities to wide-ranging business email compromise (BEC) attacks against organizations around the world.

This report presents an in-depth look at how the group’s romance scams work, and includes the heartbreaking case study of a victim who was conned out of more than $50,000.

Scarlet Widow has mastered the seductive art of the romance scam, defrauding victims in the United States out of thousands of dollars through a prolific number of cons. In all, romance scams have led to personal losses of nearly $1 billion in the US and Canada since 2015, according to research from the Better Business Bureau (BBB). And that’s only the crimes that get reported. In actuality, this number is likely much larger.

This document is the first of two reports Agari has prepared on Scarlet Widow. The second report, which will be released in late February 2019, covers more about the group’s members and structure, their transition to BEC attacks, and how they launder their fraudulent proceeds.

Who is Scarlet Widow?

While much of the high-profile cybersecurity news of the past few years has involved state sponsors like Russia and North Korea, American individuals and businesses are far more likely to be targeted by West African crime groups. These groups, which frequently hail from Nigeria, account for a significant majority of the social engineering-based cyber attacks that American businesses encounter on a daily basis. In fact, previous Agari research indicates that 90 percent of BEC groups operate out of Nigeria.

Scarlet Widow is a Nigeria-based cybercriminal organization that has been in operation since at least 2015. Over the past four years, the group has continuously evolved their methods, testing new types of fraud and moving to more lucrative scams as their tactics evolve.

To date, we have fully identified three Scarlet Widow actors who top the group’s hierarchy, all of whom currently reside in Nigeria. Through extensive research and analysis, we have been able to connect these primary actors to specific scams and personas. The second report on Scarlet Widow, which we will release in late February 2019, covers more about the group’s members and structure, their transition to BEC attacks, and how they launder their fraudulent proceeds.

Femmes Fictionale and Counterfeit Romeos

A model from Texas, currently in Paris for a modeling seminar

A handsome United States Army captain stationed in Afghanistan

A Norwegian saleswoman eager to visit the United States, looking for an “honest and caring man to date and have as my future husband”

Each one is an alluring romantic partner—attractive, sensitive, and eager to find a life partner. Each one is also a fraud, custom-crafted to fill a gap in the life of a lonely heart, pry open their bank accounts, and heartlessly bleed them of every dollar they have—and then some.

The fake profiles, posted on a wide range of dating sites, include a photo of a handsome man or a beautiful woman scraped from social media sites. Many have a back story of loss or hardship endured—a parent who died young or a boyfriend caught cheating. Yet their faith in true love is undiminished.

From the scam artists targeting the elderly to taxi drivers conning foreigners arriving at an international airport, criminals tend to target the vulnerable. Scarlet Widow finds many of its victims by seeking out lonely people with limited options: older divorced people, farmers, and the disabled, to name a few.

They string their victims along for months or even years, always finding a new reason to request money, always finding an excuse for being unable to meet in person. Families and friends of the victims are often the first to realize what is going on and warn the victims. But by this point, the victims are often too emotionally invested in the imaginary relationship to see the truth.

Romance Gone Wrong

While it’s true that con men have been exploiting human psychology since the dawn of time, the digital age has made their schemes easier and far more lucrative. As a result, romance scams that may have once been the stock-in-trade of lone cads and scoundrels are increasingly carried out by organized cybercriminal operations—mostly based in Nigeria, Ghana, England, and Canada.

Leveraging proven social engineering techniques, these fraudsters nurture emotional bonds with their prey, first via social media or dating sites, and later by email. It’s just a matter of time before these counterfeit Romeos begin conning their victims out of money—and sometimes into a life of crime.

Though the BBB estimates losses approaching $1 billion since 2015, exact figures on the financial damage that stems from these schemes are hard to come by since the vast majority of incidents go unreported.

In the United States, these attacks primarily target women over 40, who also suffer the highest losses from these rackets, at nearly $70 million last year. According to support group RomanceScams.org, the average loss per victim is $12,000. But some lose much more, like the recent case of a Houston woman in her 50s, who the FBI reports lost her entire $2 million life savings to the con artist she believed she loved.

Targeting Farmers, the Disabled, and the Divorced

Within Scarlet Widow itself, members of the group created dozens of fake profiles on a variety of different dating sites. While they hit the popular dating sites like Match, eHarmony, and OKCupid, the group also targeted relationship seekers on more specialized sites, such as Dating4Disabled.com, Farmers Dating Site, and DivorcedPeopleMeet.com. Farmers in rural areas and people with disabilities are at higher risk of isolation and loneliness, making them especially vulnerable targets.

Religion and Romance

Religion is a major theme that is injected into most of these emails and, based on observations of the group’s successful romance scams, it is clearly an area the group actively tries to exploit. This is likely one way to test willingness to fall for the scam, and a way to build connection and trust with religious-minded victims.

The Long Con: Making Moves for Money

After creating a new profile on a dating site, generally posing as an attractive woman looking for love, Scarlet Widow simply waited for men to contact them to start a conversation.

By far, the most prominent and successful fictitious persona used to facilitate their schemes was named “Laura Cahill.” To bring this persona to life, the group used photos of a real person, a former model, likely copied from her social media profiles. The likeness of this real-world individual served as the face of the Laura Cahill persona for more than two years.

After an initial email was received from an interested romance seeker, “Laura” responded with a very detailed, pre-crafted email, where she would tell them about her background and her interests. She tells them that she’s originally from Texas, but she’s currently in Paris for a modeling seminar and would be traveling back to the United States in a few days.

As the conversation continued, Scarlet Widow used a series of other detailed templates, each containing more information about Laura and asking the other people questions about themselves as a way to build rapport and trust.

The first response includes phrases to encourage trust and perhaps lower skepticism:

“I also believe in open communication, Standing in trust, Being honest and having integrity. Honoring and respecting each other is high on my list. And again, I treat people the way i like to be treated because i believe what comes around goes around. I’m in no rush to find a partner, I want it to happen naturally.”

Later, it continues,

“You can’t communicate deeply with someone you do not trust. Family is also a very important thing to me. The one good thing i learnt from my parent is to be honest. The kind that sits together at dinner and open with each other. They also have made me strive to never lie to someone. NEVER! I personally know how much it hurts to be lied to and i have no desire to ever put someone through that. Life is too short. Especially at this stage and point in life.”

The emails do contain plenty of off-notes, using dialog that seems more likely to come from a 25-year-old male Nigerian scammer than a 25-year-old American woman:

“I also have several pairs of shoes. I am open to a new things and i am willing to try different stuff but if it doesn’t match with my personality i won’t wear it. I use facial cleansers at times, Lotions and eye creams. I generally don’t smell.”

In her list of favorite foods alongside sushi and tacos, Laura lists “candy yams”—usually eaten in the United States only on the Thanksgiving holiday, while yams are a staple of the West African diet.

Emails like these continue until Scarlet Widow believes that they have a willing target. This is the point where “Laura” moves from getting to know the person to testing their willingness to fall for her scam.

[Image: Scarlet Widow Email Phishing Example]

Making the Move

Once rapport has been established, Laura gets to the hook: she likes the mark and would like to meet him. Unfortunately, there is a problem. She’s still in Paris and her credit card has been frozen due to possible “identity theft.” Laura tells the target that she doesn’t have any other means to pay for the return plane ticket back to the United States and asks them for help. She asks the target to send some money via Western Union or MoneyGram to help pay for the flight.

[Image: Email Scam Asking for Money Example]

If the mark is hesitant to send the funds, Laura gives them the information for a “travel agent” who they can contact to confirm her story. If the target reaches out to the travel agent, which is simply a separate account under control of the group, they receive a “confirmation” of Laura’s story.

[Image: Email Scam Validation from 3rd Party Example]

If the target accepts this explanation and sends the money as requested, Laura sends the victim an email containing an airline “confirmation” that a ticket has been purchased for the flight home. In reality, this confirmation is, of course, fake. Scarlet Widow created these fake airline confirmation emails by booking and canceling actual flights to receive the email from the airline, then modifying the source HTML code in the legitimate email to make them look realistic.

Once the victim has been scammed, Scarlet Widow continues to engage with him, exploiting him as long as possible. Of course, Laura never travels back to the United States and provides a variety of excuses for why she can’t leave Paris, generally revolving around her modeling agency still needing her for additional projects. All communication between the victim and “Laura” is done over email and text messages. They never talk on the phone or meet in person, allowing Scarlet Widow to continue the scam as long as the victim is willing to fall for it.

[Image: Email Scam Fake Airline Confirmation Receipt]

Starry Eyes for Starling Micheal

While Laura Cahill was, by far, the most frequent persona used by the group, Scarlet Widow has used a number of other fictitious identities to lure victims into their trap over the years.

There has been “Britney Parkwell,” a 27-year-old woman from San Jose, California. Britney is half Puerto Rican and works in art and fabric sales, which she was introduced to by her father who died five years ago. Her favorite sports are baseball and basketball and she describes herself as “independent, optimistic, respectful, sensual, and attractive.” She’s really focused on finding “Mr. Right” and she’s ready to relocate anywhere in the United States to be with her true love.

Then there’s “Lisa Frankel,” an only child who lost her mother to cancer when she was four years old. She lives in Oslo, Norway, and just got out of a relationship a few months ago because she found her ex-boyfriend cheating on her. Lisa sells medical equipment for a living and loves traveling to visit interesting places. She hopes to travel to America on vacation one day, but she doesn’t know anyone there that she could visit. Lisa is looking for an “honest and caring man to date and have as my future husband,” who will be a person who “knows the meaning of love and what it takes to love.”

But the most interesting persona used by Scarlet Widow has to be “Starling Micheal,” a supposed active duty U.S. Army Captain. Captain Micheal was used as an identity to con women through romance sites including MilitaryCupid.com and MarriedDateLink.com during a six-month period between February 2017 and August 2017.

According to one of his fake dating site profiles, Captain Micheal is a 43-year-old Catholic man from Austin, Texas, who is currently serving a tour of duty overseas in Kabul, Afghanistan. His profile indicates that, like most of the other personas created by Scarlet Widow, he has lost a loved one in his past. In this case, Captain Micheal lost his wife, as his status describes him as “Widowed.” Since the death of his wife, he has been “searching for so long” for the perfect woman and hopes the woman has a trusting mind to fall in love.

Digging a little deeper into Captain Micheal’s personality, he describes himself as the “life of the party” and considers himself sarcastic, noting that “Dennis Miller is a cream puff compared to me.” He seems to be quite an environmentalist, saying that his fashion sense is “nature loving,” and he loves wearing hemp shorts and an Earth First t-shirt. In a description that is likely very intentional, Captain Micheal says that he’s “generous to a fault” when it comes to money.

While it may seem that Captain Micheal’s profile is a relatively benign description of a man looking for a partner, parts of it are specifically used to act as a priming mechanism so that potential victims enter a conversation with a conditioned mindset. When he writes that he hopes potential partners will be trusting, it’s because he wants them not to think twice when he tells them something that is untrue. When he says that he’s generous when it comes to money, it’s because he hopes a potential victim would reciprocate this mindset when he eventually asks for money.

[Image: Fake Dating Profile Example]

During email conversations with suitors, Captain Micheal is aggressively affectionate. Even early in their “relationship,” he constantly tells the women he’s communicating with that he loves them and can’t wait to build their “special friendship” into a family. His messages are also generally shorter and to the point. The tone used by Scarlet Widow in the Captain Micheal persona is notable when compared to one of their female personas, which usually takes a softer, inquisitive, and more verbose tone. These differences demonstrate how scammers adapt based on who they’re pretending to be and how they think their target population wants to be treated.

[Image: Captain Micheal Email Scam Example]

Up Close and Personal: The Case of “Robert Blackwell”

While we have observed a number of victims that have been conned by Scarlet Widow’s romance scams, one stands out as a notable example of how intrusive and damaging these scams can be.

The victim in this case is “Robert Blackwell,” a Texas man whose real name has been changed to protect his identity. During his initial conversations with Laura in August 2015, Robert described himself as being a very religious man who was going through a painful divorce. After being run through the same deceptive process described above, Robert was persuaded to send Laura money for a flight home to Denver, where she said she was currently living.

But that’s not where this story ends. Laura’s exploitative relationship with Robert continued for another year, finally ending in August 2016. After Laura’s initial flight to Denver unsurprisingly fell through, the two continued communicating and regularly exchanged pictures via email. After a month passed, Laura again told Robert that she was going to fly to the States to visit him.

Once again, Robert helped Laura pay for the ticket by sending $1,700 via Western Union to her “travel agent.” Once again, though, Laura told Robert that she had to postpone her trip because she was offered a long-term modeling contract with a (fictitious) French modeling agency. As evidence of this new opportunity, Laura sent Robert a fake contract that stated that she would be paid $145,000 for 10 months of work.

[Image: Email Scam Fake Modeling Contract]

At this point, Robert was out more than $2,500, but he still had faith that his relationship with Laura would flourish. Over the next few months, Robert became convinced that he and Laura were meant for each other and it was divine intervention that brought them together. After three months, Robert opened multiple bank accounts in his name and gave Laura online access to the accounts. He regularly deposited large sums of money into the accounts for Laura so she could withdraw the funds electronically, thereby enabling her to easily and quickly continue to swindle him out of his money.

As time went on, some of Robert’s friends and family began to sense that something wasn’t right and confronted him about the possibility that he was being scammed. When one of his relatives warned him that he was being “catfished,” Robert responded that their relationship was part of God’s plan and he needed to have faith that everything would work out.

Robert was fully committed to Laura, financially and psychologically. At one point, Laura failed to respond to a series of messages from Robert for more than a week. Robert’s manic email to Laura demonstrates how psychologically invested he had become in this relationship:

[Image: Falling in Love with Scammer]

The amount of money Robert sent to Laura was staggering. Over the course of their one-year “relationship,” Robert sent Laura at least $50,000. In a sign of the lengths he went to in order to please Laura, Robert’s stepfather at one point confronted him about an incident in which Robert apparently stole $10,000 from him to “give to some stranger.”

The relationship between Robert and Laura ended in August 2016 after Laura abruptly stopped responding to Robert’s messages. This also corresponds with a mysterious absence in activity amongst the entire group of more than a month. Laura Cahill’s disappearance likely saved Robert from continuing to send her money, ultimately limiting the pain and suffering caused by the members of this exploitative group.

Chain of Fools

Unfortunately, the case of Robert Blackwell is not that unusual. Hundreds of people throughout the world get scammed by Scarlet Widow and other groups like it every single day. While Robert’s case shows how deeply entrenched he was in the relationship, he is one of the lucky ones, as there is no evidence that he ever became an unwitting money mule for the group, which is the case for others thrown into his situation.

Scarlet Widow is one of an uncounted multitude of online con artists conducting romance and other scams. The Nigerian gangs appear to share tactics, evolving their methods together over the several years during which Agari has had insight into their operations.

We are tracking a number of Nigerian scammer groups that continue to engage in romance scams and seek out new victims. In 2018, Agari documented a long-running, $500,000 swindle of a divorced American woman with children who refinanced her home to send money to the con artist. Eventually the creditors closed in, and she was forced to sell her house, pull her children out of school, and move the family in with a friend. She continued to believe he was real until Agari presented her with irrefutable evidence of the truth, enabling her to finally break free in 2018.

Conclusion

Agari’s investigations into Scarlet Widow and groups like it show how they are able to continue finding and conning victims despite the many obvious red flags. In many instances, they target groups more likely to be lonely and vulnerable, including older divorced women, farmers, and the disabled. Their victims often ignore numerous warning signs and continue to send money, despite being disappointed over and over again by fictional partners who always find another excuse for being unable to meet in person.

These groups are methodical, operating like professional sales organizations, gathering prospects, using scripts to move toward the sale, managing numerous scams in parallel, and putting in the long-term investment of time needed to squeeze the maximum cash out of each victim. Once the victim is no longer useful to the gang, they drop all communication, ultimately leaving the victims alone and without the answers they crave.

Like similar Nigerian scammer groups, Scarlet Widow has branched out into multiple types of scams, including business email compromise, tax fraud, rental scams, and more. These other scams, and the methods Scarlet Widow uses to launder money, are the subject of Part 2 of this report.