[author: Charlene Bond]
While romance might be viewed as a personal matter, an employee falling for a romance scam can have a direct impact on an organization’s bottom line. Not only could their performance suffer, but a criminal may try to steal the employee’s or company’s confidential information, money, or mobile devices to gain access to company data. Or the employee being scammed might fraudulently divert company funds to benefit the scammer, as one Minnesota company that lost $4 million due to a romance scam discovered.
Whether a victim is approached online or in person, the financial consequences of dating scams are immense. As the number of victims has increased, the financial losses have also increased. According to the Federal Trade Commission (FTC), romance scam losses in 2019 totaled $493 million, and by 2022, those losses totaled $1.3 billion.
By educating employees about romance scams and their common indicators, organizations can help protect their workforce, finances, and confidential information.
How Romance Scams Develop
Criminals who specialize in romance scams are con artists who manipulate people’s emotions and their desire for love through social engineering. They use charm and flattery to feign romantic interest or even profess their love, and then take advantage of the victim’s belief in a real relationship.
In a romance scam, criminals target victims with strategic behavior that can be viewed as red flags:
- “Love bombing” the victim. Criminals use flattery, affection, and praise to build trust. By overwhelming the victim with verbal or written messages, they hope to distract the victim from asking questions or becoming suspicious.
- Making peremptory requests. The criminal may ask for money, claiming it will be used for an investment, medical care, or travel. They may ask to borrow an employee’s mobile device to add their phone number to the contacts list. Or they may ask the victim to send intimate photos or videos of themselves.
- Appearing to be in sync with the victim. The criminal often molds their interests and opinions to reflect those of their victim. They seem caring and genuinely interested, and want to know about their victim’s life.
Common Romance Scams
Catfishing
The scammer pretends to be someone else online by posting fabricated biographies and photos on dating apps or social media sites to target people. They use the fake identity to manipulate the victim into sending money or revealing confidential or personal information.
Catfishing scams can span months or even years. Often, if the criminal convinces the victim to grant one request, they can convince the person to acquiesce to more requests—resulting in deepening emotional and financial consequences for the victim.
Sextortion
Sextortion (sex + extortion) has been proliferating for the past several years. While victims tend to be in their teens or early stages of adulthood, people at any age could be targeted in a sextortion scam. Victims may be blackmailed with explicit photos or videos that they sent to their “partner”—in reality, they had sent the images to a criminal conducting a dating scam. Alternatively, criminals send an email to the victim claiming that they have hacked the victim’s laptop or phone, and have filmed the person doing personal acts, or they have evidence that the victim visited porn sites. Even if the victim pays the original extorted amount, the criminals sometimes demand more blackmail at a later time, which the victim often pays—losing even more money.
Mobile Device Theft
While many romance scams are conducted online, this romance scam occurs face-to-face when a criminal strikes up a conversation with the victim. While wooing the victim, the criminal observes them unlocking their phone: If a passcode is used, the criminal memorizes the code; if biometrics are used, the criminal finds a reason to borrow the phone and surreptitiously turns off the biometric, forcing the victim to use their passcode.
Once the criminal learns the passcode, they steal the mobile device, type in the passcode, and quickly change the iCloud or Google Play password—locking the victim out of their account, and preventing them from accessing their information or wiping the phone. This puts not only the person’s information at risk, but also the organization’s.
Awareness Can Protect Employees and the Organization
Organizations should include romance scams in cybersecurity awareness training. By educating employees on how to identify a romance scam, risks to the organization and employees can be reduced.
Encourage employees to follow these tips when meeting someone new online or in person:
- Research potential partners. If the person seems to be too good—or perfect—to be true, they may be conducting a scam. Enter the person’s name, location, and images into a search engine to find out more information, including if the potential love interest has been involved in prior scams.
- Be aware of how their public information could be used. The more public information that is available about a person, the easier it is for a criminal to target them. Individuals should check the security and privacy settings of all social media to confirm that only trusted contacts and friends can view their profiles.
- Be wary of an unknown person’s overt interest. People should respond cautiously if a stranger appears very interested in them and asks for personal or professional details. They should never allow anyone to use or borrow a device with access to work information.
- Pause before responding to requests. People should never email or text personal or professional sensitive information (e.g., username, password, banking details) or explicit photos or videos.
- Discuss the situation with another person. If the situation or love interest feels “off” or is moving very quickly, the victim should consult a trusted friend or family member. They are more likely to have an unbiased opinion.
Organizations should set up controls to reduce such risks:
- Ensure employees are familiar with reporting channels and key points of contact such as the IT and security teams. This will ensure that, if a security incident needs to be reported, employees will contact the correct channel. Advise them to report a lost or stolen laptop or a mobile phone with access to corporate data immediately. Review the organization’s policies and procedures regarding lost or stolen devices to reduce the risk of exposure.
- Specify and enforce technical requirements for mobile devices that connect to the network or access corporate data. Implementing mobile device management (MDM) software provides security administrators with threat detection and monitoring abilities while reducing security vulnerabilities. MDM software also provides organizations with remote wiping ability if a device is lost or stolen. In addition, establishing an acceptable use policy that requires employees to update their devices regularly is critical to devices remaining secure.
- Implement internal financial controls. Ensure that an employee who initiates a payment is not also the one who authorizes it. Having multiple checks and balances will reduce the chance of fraud or irregularities.
Responding to a Romance Scam
Financial fraud and blackmail are crimes, and victims should not feel embarrassed or ashamed in these situations. People who fall victim to these scams are encouraged to report the crime, as law enforcement may be able to identify the criminal or fraud ring and perhaps bring the scammers to justice. Reporting the crime may also help prevent future scams.
In addition to reporting the scam to law enforcement, employers should encourage employees to follow the Federal Trade Commission’s recommendations on steps to take if someone was a victim of a romance scam.