It’s almost October, which is National Cyber Security Awareness month. I’m getting a jump on it!
I know that not many people read the big companies’ Internet threat reports from cover to cover, every word. I’m not sure what it says about me that I do, save that I’m a geek and a half with morbid curiosity. Still, sometimes you find little gems buried in appendices or other seldom-checked sources. Symantec’s most recent ISTR has one such gem in Appendix C, which opens a discussion of adult spam on dating sites and what kinds of things, from IM to email, commence this sort of scam.
In an informal poll, I asked all the gents I know who have done internet dating about what scams they see. They all confirmed that the types of spam and ‘professional’ emails they receive on dating sites are commensurate with what is described in the ISTR appendix. And yet as a girl I have only ever seen one instance of these invitations to visit someone’s website or to call and talk sexy. Girls get different sorts of financially based attacks, which are far more lucrative to the scammer.
So I don’t think the Report goes far enough in gender diversity, and I’m here to tell you about scams against women and the fascinating parallel in methodology between the Enterprise scam and the individual scam. The ISTR details 2013’s increase in watering-hole style attacks, with spear phishing as a launch point. Here’s how the parallel works for the internet’s second-most-lucrative scam:
The victim is chosen carefully, just as for spear phishing. Women over 40 are statistically established as being more vulnerable to online scams than other demographics. Opening communication is established. They call girls angel and beautiful, wild with the compliments and effusive with the praise very quickly. The English is often dodgy, but it’s getting better. (You’d think this would inspire more people on dating and social media sites to use better English, but that’s a rant for another venue.)
The Romeo will be a professional, someone who travels a lot. He may be moving to the area. In either case, he’ll be intense quickly. The conversation will, as quickly as possible, move off the dating site. (Dating sites are now starting to do more content monitoring for the right reasons. Hurray!) Once the hook is set, the lines are delivered, and the scam really gets underway. Why do I call this a watering hole attack? Because in a lot of ways a dating site fits the watering hole analogy very well: the lion lies in wait, while the gazelle innocently thinks a nice drink of water would be great.
I’ve gotten good at catching them in the act, and here are a couple of tells I’ve found that I haven’t seen anyone else cover.
First – the perp may not have even looked at your profile individually. They often use the criteria selectors in the system to target women of the right demographics, which can include age and income. I recommend setting your income to “I prefer not to say” immediately. It cut my scammer rate by over 30% within a month. If you get a romantic note, take a moment to make sure that they actually read your profile.
Of course, when I confirmed this was a method they were using to find me, I immediately put my income back up to over a million so I could go back to playing with them. I mentioned evil geek, right? I left out evil? Ah well. I like playing Sherlock and then messing with them right back again.
Second – you can’t judge a man entirely by his writing, despite what the warning sites above tell you. But what you CAN do is judge him by his profile information, and check whether it all matches. I saw one instance where the personal info said my scammer was 5’7”, and his picture next to a car showed a man over 6’0”. I’ve met very few blond-haired, blue-eyed Rashids. If a man has a PhD, the odds of him writing at a sixth-grade level of grammar and spelling are low. If they’re a marine biologist or military officer, their activities and such ought to be of that nature.
Investigate your potential dates, ladies! Ask questions about where they went to school, where they work, who they work for, what they do. Professional men tend to be on LinkedIn. Once your scammer has given you a name and any of this information, you can do a quick LinkedIn search to see if you can find him, or at the very least Spokeo (aka Stalker’s Paradise). It’s good to investigate the basic truth of the claims of your would-be suitors! Try the Google image search suggested in one of those links on his pictures – are they stock photos?
Keep writing to them. The more they write, the more likely it is that their stories will get messed up. Don’t forget, your scammer is hitting tens (possibly hundreds) of women at once. The odds that he’ll be able to keep everything he’s written to you straight are diminishing rapidly. I love the combination of “My wife died/left me, I’m all alone with no family, I have 2 kids I love with all my heart and soul, and I travel constantly for work in a way that I can’t take my kids with me.” Sure, I can posit such a scenario in a Series of Unfortunate Events, but if something sounds too much like a Lemony Snicket novel I look hard at other details.
Once I’m pretty sure they’re a scammer, using these and the other methods below, I generally point out that I’m a computer security specialist (true), that their activity is illegal (true) and that I have their source IP and plan to report them to the FBI (false but fun) if they don’t remove their account immediately. Usually they disappear that very day. Only once did a scammer try to brazen it out, so I flagged the account for investigation and it took a whole day to disappear.
It makes me mad. I dislike that women are being victimized, especially in the place where we are most vulnerable: the heart. I did a quick tour of the internet to see who else was talking about it. I’m reassured that there are actually some good materials out there for spotting scams.
Two good informational sites:
And my personal favorite from down under:
Let’s stop the flow of money to the bad guys. Also, girls – for the love of little blue fishes, learn to recognize a real cashier’s check/money order/registered check, and in any case always wait for it to clear in your bank before doing anything foolish, even if your sainted mother sends it to you. That line around the outside edges? Get a magnifying glass. Those are supposed to be numbers, not lines. You’re welcome.