Valentine's Day marks an annual zephyr of love in midwinter's emotional slack water. So everyone on that online sea of love is equally filling their sails with the gentle breeze of true devotion right about now. Right? Right? OK, OK, not so right....
You can’t hurry love: romance scams steal your heart and your data.
As the calendar and greeting card peddlers have decreed, Valentine’s Day is this weekend. Online dating has made it easier than ever to find your significant other without stepping away from your computer, especially necessary in this time when pandemic lockdowns have rendered the singles bar a wasteland. But as is always the case with cybersecurity, with increased convenience comes increased risk.
Fools rush in: dating site data theft.
In honor of Cupid’s favorite day of the year, the researchers at Digital Shadows have published a report warning about the dangers of dating on the web. Researchers at Kaspersky found that, in an effort to find their perfect match, users are willing to fill dating profiles with private details -- age, location, sexual orientation, even weight and political views -- that they might not publicize on other social media. And when signing over the rights to their love lives, users often fail to read the fine print in the dating site’s privacy policies, unwittingly permitting the site to share their data with third parties and advertisers.
In the famous 2015 Ashley Madison data leak, cybercriminals infiltrated the dating site, stole the data of 34 million users, and published it on the dark web. More recently, Tech2 explained how dating app Bumble inadvertently exposed the data of 100 million of its users due to an API vulnerability. Dating site data is a hot commodity on underground marketplaces, as this information can be used to gain access to users’ financial accounts, or even to engage in “sextortion,” the act of blackmailing individuals by threatening to share intimate details.
McAfee found that 18% of individuals using dating apps in Great Britain have been the victim of an account hack, the Evening Express reports. Among them, 40% were emotionally blackmailed, and 27% were financially extorted. As McAfee chief scientist Raj Samani told Evening Express, “This data gives a glimpse at the scary repercussions of sharing too much information online can have, if it ends up in the wrong hands, and the consequences can be even worse if it ends up in the hands of online criminals.”
In the face of these threats, Security Magazine notes that leading dating site Tinder became the first app in its category to earn certification for its Information Security Management System under the International Organization for Standardization and the International Electrotechnical Commission 27001:2013 standard. According to the Vice President of Privacy and International Assurance at Coalfire, who issued the certification, “The popularity of dating apps has meaningfully accelerated - spurred even more by the recent pandemic - and Tinder has responded aggressively to increasing scrutiny for services that handle private information to ensure their members’ data remains secure.”
However, this doesn't mean Tinder’s practices are above reproach. TechRepublic reports that Mozilla published its Privacy Not Included report, a review of the privacy practices of the twenty-four most popular dating apps, and deemed a whopping twenty-one of them lacking, including Tinder. Grindr was called out as one of the worst offenders, for transgressions like previously sharing members’ HIV status with third parties and having extremely lax password requirements. Its privacy issues are particularly concerning given that the app tracks users’ location in order to base matches on proximity. The researchers noted, “Given Grindr is the world's largest gay dating app, and given that in some parts of the world outing someone as gay can get them killed, these bad data privacy practices aren't just awful and illegal, they are also life threatening.”
The great pretender: online romance scams.
It’s one thing to put your data out there for the sake of love, but what to do when love comes knocking on your computer? The Love Bug virus, one of the first social engineering attacks, invaded systems twenty years ago, and to commemorate the anniversary, Vade Secure published a blog on the evolution of email attacks. Like the world’s worst chain letter, the insidious campaign (also dubbed the ILOVEYOU virus) began with a secret admirer email that, once opened, infected the victim’s system and spread the virus to everyone in their contact list. In just ten days, it infected more than 50 million individuals, forced the Pentagon and CIA to shut down their email systems, and paved the way for the now dismally familiar modern-day phishing attacks.
Over the years, hackers have gone from simple phishing attacks impersonating AOL employees in the 1990s to sophisticated phishing-as-a-service schemes, where crooks sell phishing campaign packages on the criminal-to-criminal market, complete with templates designed to make the messaging and branding as convincing as possible. Valentine-centered scams are increasingly popular. According to the Indian Express, Check Point Research recorded a rise in phishing scams in the second half of 2020, with over four hundred Valentine’s Day-themed phishing emails reported per week. While most don’t promise love, many entice the recipient with special holiday “deals” on romantic gifts, like a recent scam that on its face appeared to offer a discount for Pandora jewelry.
The US Federal Trade Commission saw a 50% increase in romance-related scams in 2020, racking up a record-breaking $304 million in stolen funds. “Scammers fabricate attractive online profiles to draw people in, often lifting pictures from the web and using made up names. Some go a step further and assume the identities of real people,” the FTC told Cyberscoop. The isolation of pandemic lockdown has provided both a catalyst for more online interaction and the perfect excuse to avoid meeting in person, making it that much easier to string along an unsuspecting lonelyheart. For example, a teacher in New York City was recently led to believe the director of the US National Security Agency, General Paul Nakasone, was her online paramour. Once the phony has won the victim’s affection, they fabricate a reason to ask for a loan, usually in the form of a wire transfer or gift card. (How “Nakasone” planned to get his target to part ways with her wallet is unclear.)
According to a recent study, email security firm Tessian found that one out of every five individuals in the UK and US has fallen prey to romance fraud. UK Finance saw a 20% increase in romance scams resulting in bank fraud in 2020 over 2019, with victims losing £68 million to their faux beaus. You’re more likely to be in a fraudulent relationship with a cybercriminal if you’re between the ages of twenty-five and thirty-four, possibly because 25% of these scams start on social media.
You’ve got to hide your love away: protecting your data.
So how can users open their hearts without opening up their data to cybercriminals? When it comes to online dating, besides the obvious advice -- limit the data you share in your profile, avoid using your full name, and please, read those privacy terms -- Digital Shadows also recommends keeping your social media info and workplace data out of your dating profile. Setting up a dedicated Voice over IP phone number is an alternative to sharing a personal cell number, and using a virtual credit card to pay for memberships or services can keep card credentials secure. As for avoiding phishing scams or other types of email fraud, don’t open emails with unusual attachments, keep your system updated with available security patches and antivirus solutions, and use a reverse image search to make sure your admirer is really who they claim to be. And most importantly, don’t send money to even the most financially destitute government officials, no matter how much they pledge their devotion.
Sure, the heart has its reasons which reason knows not. But c'mon, reason, pay attention: you've got a stake in this, too.