On today’s Pentest People TechBites, we will be talking about online dating scams, action fraud is warning people to stay vigilant as romance scams pick up pace as Valentine’s Day is near to discuss this today.

I have our consultant Liam Follin, it’s great to have you back on the Podcast.

Thank you very much for having me.

And joining him today is Kate Watson Marketing Assistant here at Pentest People who will be talking about this alongside him.

Okay, do you have any comments about Valentine’s day approaching?

Valentine’s day is very fast approaching.

There’s obviously a lot of online scams leading up to Valentine’s Day on Valentine’s Day and even a little bit after Valentine’s Day.

So obviously it’s important to raise awareness of these scams and what sort of scams are out there around Valentine’s Day.

So first up, let’s talk Catfishing.

Catfishing is a term used to describe a fake online dating profile that uses unrealistic attractive photos to alert victims into a relationship.

Now the common signs of this are usually the pictures are way too attractive and the person who’s never able to go on video chat or call and I read a really interesting statistic earlier that 20,000 people a year get Catfished and this rose to 23,000 in 2020. So do you think that is down to the pandemic?

I think it would be difficult to say for certain, but it’s definitely, you know, I think it would be churlish to roll it out completely. You know, naturally when Covid 19 pandemic started rolling out globally, there were everyone was forced to go inside and so you’re left with very little to do. People start feeling quite isolated, feeling quite lonely.

And then that could have been compounded by not feeling very good about yourself and then wanting to go and catfish people because you want that attention that you know, these incredibly attractive alluring profiles get you.

I think as well with like the restrictions, like thinking back to that time, the restrictions were very like you can’t go out, bars weren’t open, you couldn’t really go out and meet people and you can like, not even for a walk at one point.

Yeah, absolutely.

I mean, it’s almost a catfish dream, isn’t it?

You’re never going to get caught out.

And you can just say, you know, maybe your internet is on the blink and suddenly after your video calls.

Either it can all be text based.

So if someone was getting published or they were suspicious that maybe someone online that they were talking to was a catfish, what sort of precautions can people take for that?

I mean, the kind of obvious one is try and get people on video calls or try and get them to engage in media that can be easily faked or reused.

so unique videos or videos of them talking saying things in context and of course then video calls as being, being the kind of epitome of that it’s very difficult to, you know, I mean, we do now have the technology to fake those kinds of things, but it takes quite a lot of money and a lot of technical expertise and you can only be so careful otherwise you spend all your time walking around with a tin foil hat on.

And another really interesting statistic that I read was 30% of 25 to 34 year old revealed that they have fallen for a fake profile.

Now to me when I read that, I instantly thought that like naturally I thought that the age groups would be younger.

I didn’t realise that in my head.

I just thought 25 to 34 year olds like that surprised me a bit because it surprised, you know, I think anybody can, Can get kind of caught out by one of these.

I mean, you know, people don’t stop being attracted to attractive people when they like 27 28.

I’m surprised it doesn’t even go older than that.

If I’m being totally honest, that may just be reflective of who is using dating apps though.

Would you say it’s more men are women who are catfishing?

I don’t think we’ll be able to comment on that. I don’t think there be any statistics to back that up or at least I certainly haven’t seen any. I imagine it’s pretty even, you know, anybody, anybody can be a scammer as it were. I don’t think gender necessarily has anything to do with it.

This is nicely leads us into the next top common scam, which is romance scamming. So this is really similar to catfishing, but it normally requires a financial benefit. So more of more about sending money or paying for an emergency or medical emergency. An example of this is Tindler Swindler. Have you guys watched this?

I have, yes, I read, I read up about it a couple of days ago, like he got 10 million off his victims, like $10 million dollars off three victims was coming up with some sob story money.

Yes, he was, he, Yeah, so he kind of purports that there’s emergencies going on.

I mean it’s, it’s pretty standard kind of social engineering technique is the way used is he developed a trust relationship, some social engineering hijacks a trust relationship.

Some social engineering creates a trust relationship, romance, romantic scams like this, create a trust relationship.

You build up a relationship with somebody, a romantic or even social relationship with someone and then that is then exploited. And normally, and with most social engineering, it’s the same premise, it’s some kind of alert or call to action that you, you have to go and do something and it has to be done quite urgently because somebody’s in danger or in everyone’s received the kind of text pretending to be from their boss and they say, oh by me, you know, 600 quid’s worth of Amazon gift cards immediately or else threat there obviously is that you’d lose your job or you’d be disciplined within your workplace.

I think the example of the Tinder swindler, which is, I mean what a name? Right?

He’s not a particularly nice guy. I don’t really want to give him the name that catchy, but here we are, thank you netflix for that one.

The context he used was that somebody was threatening his life and also he only got five months in prison.

I know he’s out now, like in real life.

I thought so yeah, because you never know you could do it again.

I mean, presuming is going to again if you’ve got 10 million quid for five months in prison, that seems like it’s not a great deal unless you like I I think that’s how the documentary ended, isn’t it?

Got out of prison changed some aspect of his identity.

So he’s able to but I think continue to scam people like that is a perfect example of how trust in starting to scare someone that you’re allegedly in a relationship with. You can have this impact. It is like a manipulation of human nature really, because it’s like unnatural instincts really.

But yes, so the key sign of anything romance coming is it often feels like their life is like a bit of a soap opera.

So they have frequent, unexpected emergencies which they can’t afford and they often ask for money for you to, yeah absolutely.

I mean it can feel like a bit of so proper generally they’ll be pretending to live a life that they won they can’t afford and that’s why they need to keep having these emergencies.

They’ll need money because somebody’s chasing them.

I think we go back to the netflix documentary example he was saying somebody was threatening his life and that he’d been locked out of various accounts online or his bank accounts.

So we need somebody to send them money.

And that was how they were they were paying for it all.

And he was living in extremely extravagant life.

Really extravagant.

I think it’s difficult to pick up on in that sense because he was also quite conventionally attractive.

It’s not like he was catfishing them.

He was conventionally attractive And then also was living the life of a kind of a multi multi multimillionaire.

The experts are action fraud.

Say you should be financially safe and refused to send money or share access to your bank account.

You should never agree to take out a loan on somebody’s behalf move our transfer money for someone or receive or send parcels.

Which is exactly what what he did in the show.

So women obviously gave them access to their bank accounts.

Yeah absolutely.

I think it’s important to remember that it’s rarely as simple as as I mean the advice is sound but these are also people there are you know the people that got duped by this.

not a better piece of advice, naturally, you shouldn’t give out access to your bank account, you shouldn’t send money, you shouldn’t accept packages.

But if you if this relationship is feeling quite intense or there is danger involved or repeated danger, you know, fair enough, you may be Duke once.

Okay, well, it’s not ideal, but these things do happen.

You know, we are only human.

If it starts, if there’s a pattern of behavior emerging, please talk to somebody that you’re close to, maybe even contact the police, get out of that cycle as fast as possible.

Because generally those when they’re building that relationship, they’ll be really honest with you very early on.

And that all that builds a very kind of close knit relationships.

People generally aren’t very open very early on.

It takes quite a lot of time.

So somebody’s very honest with you early on it fosters that sense of intimacy, which they are looking to exploit if you can start to break that by getting other people involved.

Talk to your friend, you know, by the way I’ve met this person online and they’re I think they’re a bit of trouble that, you know, that extra perspective can help get it.

It’s kind of kind of break up that cycle and then you can move on to not sending people money, not accepting packages, etcetera, etcetera.

So enough of Tinder swindler and more of a sensitive topic.

The third most common scam around valentine’s day is sextortion and so liam, can you tell us a bit more about this?

Yeah, this is kind of the one of the harder topics to to deal with, because there’s also, there can also be a great sense of shame, not that there should not that anyone should feel ashamed about being duped or being kind of exploited in this manner, but there is occasionally a sense of shame that people feel, which stops them opening up about it because of the intimate nature of the scam, effectively, sextortion is somebody repeats kind of the first couple of steps of the last two scams, which is build a trust relationship that then turned the conversation sexual and they will attempt to elicit sexually explicit content from someone, generally photographic videos of them.

and from there, that person will then use that to extort goods or services or favors from from, from the victim.

It’s, it’s quite difficult to counteract as well because of the fear involved.

Like it’s, you know, you’re very scared that all your family are going to see yourself in a compromising situation and that can lead to, you know, just going, it’s not as easy as with, say, the romance scamming where if you go to the police, there’s very little repercussion there, you you worried that the person might get hurt, but as soon as you figure out, right, okay, well they’re not actually in danger.

They’re just scamming me or the police figure that out.

Then the worry goes away.

Whereas in this instance, somebody could leak those photographs online.

That’s a very stressful situation.

more advice on how to safely do.

I think it’s called sexting.

There was a Dundee graduate called tear cotton wrote an amazing talk called safe sex, which she does up and down the country and I don’t believe it’s recorded, but I think she also released a game as well, definitely one.

If you ever got an opportunity to see that talk, I’d recommend it.

And the game is available online and it’s just about how to kind of practice how to do that thing kind of safely.

Whereas to minimize harm to yourself.

I mean, a big one is, I mean, the ideal situation is you don’t do it right?

But also it was works off the presumption that that’s not that the life is never actually that simple.

and you know, if that’s something that you enjoy and you want to enjoy creation as long as everybody’s over the age of majority and whatever country operating in and then fair enough knock your socks off as it were.

But she does an excellent job of breaking down exactly how you go about doing it safely, making sure you trust the person, make sure they respect you, making sure that all the legal defenses you have and protections, You have something that I think that’s like, that’s pretty amazing that you’ve done that.

I think a lot of like general advice about sexting and sextortion and all that sort of stuff is genuinely quiet strict in the way that you should be doing it.

And it’s quite like stricter, don’t do it.

But there is a lot of people that do do it.

So like to actually have a talk of being that actually it’s okay to do it to make sure you’re doing it like this.

I think it’s quite helpful for a lot of people.

Yeah, absolutely.

It’s the old kind of catholic school abstinence preaching it, you know, it rarely works.

You know, just telling, telling teenagers to not do something rarely actually results in them not doing it.

And then that tracks through into adulthood as well.

, so do you know anyone, obviously not naming names at all, but do you know anyone that has happened to?

I do, yes.

I know a couple of friends guys actually got really extorted.

They got caught out again, fake profile, Really, really attractive person, sent them some compromising photographs or photographs of them in cells in a compromising situation.

And and for one of the, one of the gentleman, he managed to get it sorted out with the police, which was very positive.

Unfortunately.

The second one had those photographs disseminated to his, his extended family.

It was not a fun day.

Yeah.

Another thing to add is it’s not always an online stranger as well.

It can be an ex partner also when you’ve previously been with, but I’m, to my knowledge that’s more revenge.

Yeah, revenge porn, which we should point out everything we’ve just described is incredibly illegal.

And revenge porn is now treated it very, very seriously.

I believe there was a website that became very famous for revenge porn back in the early 2000s, which was are you are you up?

I think it is, I might be misremembering that and based on the reaction to that arrange porn has been, well one that’s been made illegal, which it always should have been.

and two that they’ve started really clamping down on it, which is really good to see.

So now more than ever, or there are ways and methods to gain the photographs removed from online and whoever did leak them or publish them kind of as a violation of trust.

There is now more and more ability to, for them to face serious repercussions for doing that.

You know, obviously it’s a very disgusting thing to have done to you.

It’s a very disgusting thing for someone to do to another person.

And whilst it won’t make the process any easier, it can be somewhat reassuring to know that they will at least be brought to justice just to be clear for anyone that’s listening and the key signs for sextortion are anyone that tries to encourage your face to be in a nude photographs and this isn’t the only sign, but obviously that’s one of the clear signals as they can later use it against. They promised to send pictures in return.

And yeah they are the two key signs of no, just obviously as somewhat, well hopefully a pertinent reminder to try and stay safe online and if you’re going to be practicing things like sexting, make sure to do it in a safe way, as safe our way as possible.

And so another scam I’ve seen very recently on a lot of social media sites actually have seen this most, most recently out of all of the scams that we’ve discussed today is Cryptocurrency scams and so they’re definitely more recent and more dangerous.

And I’ve seen two sides I’ve seen inside where people have been talking about promoting it and sort of develop a relationship with people to get involved in it.

And I’ve also seen like an actual hack into someone’s social media account, especially on instagram, there’s been a lot of social media accounts being hacked of close friends and then they then promote it on their stories or pictures like I know I’ve seen a lot of my close friends like post weird stuff and I’m like they definitely didn’t post that so how do these work?

So unfortunately met the parent company of facebook instagram a couple of places.

Their password policy is really strange in the if you have a little look at their responsible disclosure program you’ll notice right nestled at the bottom that they accept the capslock version of any password.

Which means that in order to brute force it you basically just take 26 possible variations 26 characters out of the character pool which means it’s a little bit easier to get in.

Especially when you people have leaked passwords online.

There’s then user name enumeration in almost all of these services which is unfortunately it’s a usability feature.

There’s arguments the security community argue against having it.

But then again kind of engineers or will tell you that it’s actually quite useful to have in.

And the security impact is not limited.

But not egregious enough to warrant removing in such a key feature.

and once they get in them again it’s like this is hijacking a trust relationship as opposed to building one.

going back to what I was saying at the beginning you’re you’re hijacking the trust relationship that a person has with their friends.

So for example on instagram.

So many posts a link on on their story.

Now naturally you work in a security company so you’re horribly paranoid all the time.

Which is good.

That’s kind of what we what we train train our staff to be.

That’s that’s their jobs but if you say weren’t that paranoid or you weren’t that clued up on phishing and scams like this, you might be tempted to click it.

You know, you know, my mate Sarah has a you know has posted all these all these links and they looked really exciting so you might click on it and and get involved in that.

That’s kind of how those scams scams function.

Often as well these scammers do normally portray that they’ve got some specialty skill set.

Normally the leader of it is often portrayed that they withhold some special knowledge about these sort of scams or Cryptocurrency scams, anything like that.

And they’re bringing on to last and final on phishing and malware infected sites which is obviously more common one.

And it’s usually by email, I mean we’ve all been targeted by this.

Like everybody has received an email that is not from who it says it is and it can be in the form of a text message and it’s usually either a brand you like where you let’s say for example you shop at or linked to a delivery of the parcel and so just quickly what makes a successful phishing campaign, Oh, it’s gonna be from an ethical point of view.

Oh right, yes, of course.

Sorry.

So from an ethical point of view because we, you know, we dabble in ethics here, we’re from an ethical point of view, a good good social engineering campaign is one that bill immediately builds trust.

So normally because we’re trying to do it ethically we can’t actually build the trust relationship because again generally that involves like pretending to have a romantic relationship with somebody.

I mean it doesn’t necessarily have to be you can pretend to be like a colleague or a recruiter or something like that.

But again it all gets a little bit gray area and we like to stay away from that.

So generally we’re hijacking a trust relationships would be purporting to be from someone in.

If it’s targeting people more personally be reporting to be a local maybe walk the dog and you have a local dog walking group would be the dog walking group or anything information.

We can pick up your social media profile and then we just send you an email pretending to be them.

Like click here for cool and interesting rewards.

And as soon as they click the link obviously we steal all their lovely data.

And how has this happened?

Quite a lot.

Like what sort of racial people for this.

What I think people have gotten a lot more aware of it and people have gotten a lot more kind of their ability to notice these sorts of scams has got a lot higher, which is good, which is great.

All this security training don’t click on links stuff is clearly working clearly working yes, try not to click the phishing link and regular fish and training and things like that.

So it’s going down.

People still do it.

Generally it’s more elderly people that fall for it now, which is always a shame because then people have ended up losing life savings and things like that. So to wrap up last piece of advice, what 3 pieces of advice would you give to people this valentine’s day?

I think the best pieces of advice I can give is to remain vigilant.

I know it’s an obvious one, but these scams are hard to spot and it does take a little bit of detective work most of the time.

Don’t send money to people.

I know it can be really hard or quite heartbreaking, especially if somebody’s, you know, pretending to be or they’re in danger or they’re scared.

Don’t send the money and I think the last one is if you are going to be doing their, you know, practicing sexting, then make sure you do it in a safe manner once you’re over the age of majority in whichever jurisdiction.

I think you have both mentioned great points today regarding online scams. If you are listening to this tech bite, be careful what you post and make public online.

If you suspect a scam, stop all communication with the person never send money to someone.

You have only communicated online or by phone, thank you both for joining me on today’s tech bite.

Thank you, Thank you, Thank you for our listeners for tuning in, join me next week on another tech bite.