Blog February 13, 2024

Love in the Time of Cyber Threats: Romance Scams and Dating App Cybersecurity

by Dr. Jared Smith, Distinguished Engineer, R&D Strategy

As the digital attack surface expands, organizations and individuals worldwide face the nonstop threat of cyberattacks, phishing scams, and other cyber vulnerabilities. And with Valentine’s Day here, romance scams — especially ones originating online — are intensifying. With that in mind, SecurityScorecard’s researchers took a close look at the world of dating app security and romance scams to protect people—and their hearts—during Valentine’s Day.  

Dating app security

To measure cyber risk, SecurityScorecard calculates “A to F” letter grades that measure and validate companies’ security posture and supply chains in real time. Validation of SecurityScorecard scores using statistical analysis demonstrates that companies with an F rating have a 13.8x greater likelihood of a data breach than companies with an A. 

Key findings 

SecurityScorecard found that 95% of dating apps received the highest cybersecurity ratings — an A or B, while 5% had a C rating or below. Further findings reveal: 

  • 85% have had a breached entity in their third-party ecosystem in the last year
  • 90% have had a breached entity in their fourth-party ecosystem
  • 5% have a C rating or below
  • The 55% who have an A grade remained breach-free over the past year

Though most of the top 20 dating apps received high cybersecurity ratings, they should still be mindful of the potential for cyber risk lurking in their third- and fourth-party ecosystems. To mitigate risk and enhance their overall cybersecurity posture, we recommend the following actions:

Focus on application and network security: Prioritize improving application and network security. These two aspects are fundamental to safeguarding against a wide range of cyber threats.

High-Risk Companies: The 5% of dating apps with C scores require urgent attention. In addition to improving application security and network security, these high-risk companies should place special emphasis on:

  • DNS Health: Ensure the health and integrity of your Domain Name System (DNS) configurations. Misconfigurations in this critical component can lead to vulnerabilities.
  • Endpoint Security: Strengthen the security of all endpoints, including laptops, desktops, mobile devices, and BYOD devices. Identifying and addressing vulnerabilities in these endpoints is crucial.
  • Patching Cadence: Establish a consistent and timely patching cadence for your systems, software, and hardware. Frequent updates help mitigate known vulnerabilities.

Overall, these companies would benefit from a thorough evaluation to identify and mitigate weaknesses. Regardless of the score, all companies need to know not only their score but the factors that influence it. Any company can obtain a detailed report on their score for free from SecurityScorecard.

The rise of romance scams 

Dating app security is only one piece of the puzzle on Valentine’s Day. This is also a good time to be on the lookout for romance scams that can play on our emotional vulnerabilities. 

According to the FTC, in 2022, nearly 70,000 people in the US reported a romance scam, and reported losses hit a staggering $1.3 billion. And the numbers for 2023 will almost certainly be higher. In fact, 40% of people who claim they lost money to a romance scam last year said the contact started on social media; 19% said it started on a website or app. Many people reported that the scammer quickly moved the conversation to WhatsApp, Google Chat, or Telegram.

Romance scams defined 

A romance scam is a deceptive scheme in which someone pretends to be romantically interested in another person online, building trust and affection to exploit them financially or emotionally.  Scammers create fake online profiles on dating sites, social media, or gaming platforms and then shower their victims with compliments, attention, and promises of a loving relationship. 

Gradually, they invent emergencies or situations requiring financial help (medical bills, travel costs, etc.). And once trust is established, they pressure their target to send money through untraceable methods like cryptocurrency or bank transfers. 

AI and deep fake trends

AI-generated deep fakes are becoming a popular tool for online scammers, and romance scammers are no different. Late last year,  a man was convinced to send his online “lover” $60K after the scammer leveraged AI-generated voice clips and photos to convince him she was real. Since then, AI voice generation and cloning of real voices have accelerated.

With the help of online tools, all it takes is capturing 10 seconds of someone’s voice to build a model that can sound like that person. This has been widely used to create fake images and videos of celebrities. Scammers often say “babe” or “honey” because they use the same pet names for multiple targets. That said, scammers are growing more sophisticated, and they will likely change this technique to adapt and become harder to spot. 

Threat intelligence findings 

After surveying our global signals intelligence infrastructure (sensors that listen to attacks on the Internet), SecurityScorecard found a sample size of ~15,000 unique “browsing sessions” in the last seven days for the following sites: Facebook, Instagram, Bumble, Tinder, Hinge, TikTok, Match.com, Dating.com, eHarmony, and OkCupid. We then correlated this information with our own and our partners’ threat detection engines from across the industry, and here are our findings:

  • Over 50% of the traffic seen through our sensors comes from countries adversarial to the United States and its allies (Russia and China were number 1 and 2).
  • ~25% of the traffic directed users towards phishing sites set up to look like real social networks and dating sites; asking them to input their passwords on sites that look real (like a fake Facebook login page).

Unique email campaigns are also being sent to users with accounts on dating sites, trying to redirect them to fake site setups to collect their information. Most email addresses targeted are gmail.com (consumers), not company emails. Among all sessions, a majority of them redirect from the fake-looking site back to the real site as if you have succeeded in logging in, when in fact, you sent your password to hackers.

Tips for protecting yourself 

Trust your gut

The saying “don’t believe anything you see online” is important to remember as the Internet shifts towards more and more fake, AI-generated content. 

Sharing is NOT caring

Never give away money or sensitive information (e.g., passwords, addresses) to anyone you’re romantically considering that you don’t already have a personal or professional relationship with. 

Establish trust first, connect later

When you first start talking to someone, request a live video or Facetime call—and if anything looks suspicious, either stop or, if you really want to make sure it’s not AI, have them do something like pick up the latest newspaper and show you. Artificial intelligence can’t generate things that clearly just yet.

At the end of the day, anyone can be a target of a romance scam. If you believe you’re a victim, it’s important to act quickly and decisively. Contact the FTC, and be sure to save all records of your online communication. 

 

Threats move fast. We move faster.