Estimated difficulty: 💜🤍🤍🤍🤍
Welcome to Friday, and Cybersecurity Awareness Month. In October, security professionals spend the month raising awareness about cybersecurity and posting tips on social media about online safety.
I’d originally planned to name this post “Ain’t Talkin’ ‘Bout Love: Romance Scams and Modern Dating” after the Van Halen song – but devastatingly, Eddie Van Halen lost his battle with cancer this week, so I’ve renamed this post out of respect. Music fans among you will know very well how deeply his work influenced other great artists. 💜
This post will focus on romance scams, and on a few popular dating apps and how to report fraud and other illegal or abusive activity on each one.
What is a romance scam?
I touched briefly on romance scams on the quick guide to fraud post I wrote a few months ago – you can read it here. Basically, a romance scam is where a scammer or a fraud (or sometimes a group of people) gets into a relationship with someone with the purpose of extorting them for financial gain. They can range from small-scale fraud to much larger, more damaging situations, as seen in Heartbreakers, with Jennifer Love Hewitt, and more recently in Dirty John on Netflix. Romance scams can evolve to include sextortion or other kinds of blackmail.
You can find out more about the signs of romance fraud here, on the ActionFraud website.
How do scammers do this?
If you work in security, the idea of social engineering probably isn’t new to you. If you don’t work in security, what typically happens is the fraud will create multiple social media accounts across several platforms, and develop a backstory – so that when you do a quick search, it looks like they’re a real person, and you start to trust them a bit more. After they’ve set up their alias, they’ll usually research their targets (OSINT – open source intelligence) by looking you up on social media and other platforms to see if you’re a viable target. Then, they’ll find a way to initiate a connection, and begin building a relationship so they’re able to manipulate their targets. There’s a useful article on the ActionFraud website here that tells you a little more about how a romance scammer pulls this off, with a few tips on how to stay safe.
Which demographics are targeted most often?
Romance scams historically have impacted widows and older women most often, but with the rise of online dating and dating apps (and the increase in use of these during the ongoing pandemic) we’re seeing a rise in this kind of fraud among younger demographics.
In 2018, Action Fraud received reports amounting to nearly £51 million lost to romance fraudsters – averaging over £11000 per victim. The average age of a romance fraud victim is 50, and 63% of victims are women – who usually lose about twice as much money as men. It’s important to note that a lot of people probably don’t report falling victim to this kind of crime, either because of lack of understanding of the sort of help available, or because they’re embarrassed. It’s important to be on your guard about this – but also to look out for your friends or relatives who might be taken advantage of by opportunistic scam artists.
With this in mind, I had a look at a handful of popular dating apps to see what features they had in place for reporting abusive behaviour, with a focus on fraud and helpful resources for vulnerable users and potential victims of fraud. I’ve included some of these apps below, with a bit of commentary on the safety features available and helpful resources for users.
Some of the apps I looked at, loosely ranked from best to worst for safety features, user experience and privacy:
Tinder came out on top for user safety, and helpful resources to third parties. The help centre is easy to find – it’s just under your profile tab.
It has plenty of guides on safe dating – advice on what information you shouldn’t share, where you should meet a match, how to set up a safe first date, and what sort of behaviour to report.
It’s also really easy to report abusive behaviour, harassment, and if a user asks you for money or sends you a suspicious link. This was actually the only app of the ones I looked at that suggested you report suspicious links – Tinder’s reporting feature was pretty comprehensive.
As well as having some really good links to external organisations that help with human trafficking, fraud, domestic violence, and other resources, Tinder also have a bug bounty program on HackerOne. If you’re not in security, this is a vulnerability disclosure program that lets researchers find security flaws in the app and tell the developers about it, so they can improve it.
Hinge (and Bumble) are slightly softer in approach than Tinder, which is widely considered to be more of a “hookup” app than a dating app. Hinge (and Bumble) ask questions about your political alignment, religion, if you smoke and drink, if you have or want children, and a few other things. Their help centre is broadly in the same place as on Tinder – on your profile page, so it’s easy to find. Under “Safety, Security, and Privacy” there’s advice on safe dating, how to report, and a link to an open form email to let you contact Hinge support directly if something happens that isn’t covered by their standard reporting feature.
They even have a video about romance scams, advising users against sending money to people they meet online. Like Tinder, Hinge will let you report a user for bad behaviour both online and offline, which is a really good feature I’d like to see adopted more widely. There’s also a section on what the consequences are for false reports.
Hinge also have a HackerOne bug bounty program – I was pleasantly surprised to find a good portion of the apps I looked at were open to responsible vulnerability disclosure.
Bumble has similar reporting features to Tinder and Hinge, and a free-form reporting field – so you can use this to report romance fraud and other kinds of abuse.
There are some safety articles hidden away under their “Contact & FAQ” section under your profile – they’re a little difficult to find, and there are fewer external resources for vulnerable users than on Tinder, but it’s still pretty good overall. The “Contact & FAQ” section redirects to their website, and gives you a contact email if you need to get in touch. Bumble also have a HackerOne bug bounty program.
Grindr had decent reporting features – but I couldn’t spot anything else on the app that warned users about fraud, safe dating, or pointed potentially vulnerable people to places for help. Their main concerns seem to be around people using Grindr to sell drugs, or for sex work. They also allow you to report underage users, explicit material, and a few other things.
Grindr don’t currently have a bug bounty program but they will be introducing one after a French researcher discovered a vulnerability in their app recently that allows password resets without access to a user’s inbox. Grindr have also previously disclosed the HIV status of users to two third-party companies, and also shared other sensitive user data unencrypted – more information on the link above.
Plenty of Fish
Plenty of Fish was by far the worst of the bunch. The account creation process can’t be cancelled, and collects an inordinate amount of data, including your parents’ marital status, your physical attributes, income bracket and job title, number of siblings and order of birth, how ambitious you think you are, whether you have children, whether you want children, and much more. You can “hide” your profile so you’re not discoverable by potential matches, but you’ll still get notifications that you’re matching with people, so I suspect this feature doesn’t actually work. You can’t report people you match with for bad behaviour – you can only block them, and it doesn’t ask for a reason, which is pretty poor. After about five minutes, a “settings” option appeared for me – if you want to delete your account, it encourages you to hide it instead. If you really want to delete your account, it gives you a URL (not hyperlinked), and you have to manually input this into a browser.
The webpage doesn’t optimise for mobile displays, and the user interface is just generally unfriendly. You’re given a list of reasons for deleting your account, including “Too Many Jerks” and “I give Up” – but the account deletion page doesn’t actually work, forcing you to search the website for a contact email address to manually request that they delete your account. Given that there are paid users on this platform, Plenty of Fish are also processing financial data, and the general experience on this platform really doesn’t fill me with confidence that they handle your data securely.
There is an initial prompt with some safe dating tips after you create a profile, and it includes a video on romance scams and does point users towards some external resources for help, but the lack of inbuilt reporting features and sheer difficulty in deleting your account suggests this is mostly for show. If you want to submit a report about a user on the app, you have to email their support team.
Plenty of Fish also have a HackerOne bug bounty program – but given the usability of the app and other features in general, I’m not sure how seriously they take submissions, or if they make good use of the program.
What to do if you’re a victim of romance fraud:
Firstly, ActionFraud advises that you immediately cut off all contact with the perpetrator. You should report it to ActionFraud (who’ll give you a crime reference number, in conjunction with the City of London Police), and the National Crime Agency. You should tell your bank too – so their Financial Crime team can keep an eye on your account and monitor anything suspicious. Here are the links to the reporting areas of the ActionFraud and the National Crime Agency websites:
When I started writing this post, I was really just interested in what features were available on common dating apps for fraud prevention – it isn’t the first concern most users have with online dating and user safety, but as demonstrated by Tinder and Hinge, there’s a lot we can do in this space to keep people safe. A lot of the features available for reporting abusive behaviour, resources available on safe dating tips, and so on, have been introduced following bad user experiences on these platforms – but the nature of risk management is that we continuously evolve to protect users from new threats and ways of exploitation.
Some of these platforms stand far above the rest in demonstrating clear consideration for users, and others are painful to use and clearly have little regard for user safety. A notable concern is that younger demographics tend to be attracted toward apps like Tinder, Bumble and Hinge, that have accessible reporting features and safety advice – while older users are likely to frequent platforms like Plenty of Fish. Since older users are probably going to be targeted more often with these sorts of scams, there’s a real need for legacy dating apps to step up their game when it comes to user safety, privacy, and security.
If you’ve used the reporting features on any of these apps to report fraud, I’d love to hear about your experience and what sort of support you received from the makers of the app.
As always, thank you for reading, and stay safe.