What a well-coordinated cross-industry focus on stopping romance and investment scams should look like.
Last year romance and investment scams escalated exponentially, signaling we should batten down the hatches for 2024. These scams are effective because the bad actor has researched and learned over time which populations are most vulnerable and then hyper-targets them, using well-crafted manipulation to engender deep trust with their victims.
The FTC’s 2023 Sentinel report came out in February 2024, explaining that over $10 billion in fraud and scam losses occurred in 2023. Within the $10 billion number, there were 64,000 reported romance scams at $1.1 billion in losses. Reported investment scam losses, including some of the combination romance/investment scam losses (sometimes called financial grooming or ‘pig butchering’), were 108,000 events at $4.6 billion in losses. We need to remember that only maybe 5-10% of individuals report these types of scams. In fact, Gallup thinks “the estimate of the percentage of scam victims who reported the incident to the FTC in 2022 from “barely 10%” to “only a small fraction.”
So, the real numbers in the U.S. for romance scams could be more than $10-20 billion per year or higher and investment scams could be over $40-80 billion per year or higher. These scams occur around the world, but there is limited reporting in other countries. The U.S. numbers would be indicative of large losses as well in other countries. These scams are so effective because the scammer creates trust with the victim.
The reality is that 2024 romance and investment scam losses will really grow, with the advent of generative AI (GenAI) scamming capabilities. Why do I say that? We are either seeing some of the following GenAI capabilities or expect to see them within 12 months:
- The ability to translate easily from one language to many other languages.
- The ability to ask a GenAI app to write text in a language that looks very proper and focused to the scam at hand.
- The ability to write text and then translate it and use a picture of a person to be transformed into a video where the person is speaking in a different language using the translated text. Accents and facial expressions match the words spoken in the language spoken.
- The ability to create a 60 second video with just the picture of a person. The video could show a person walking down the Champs Elysees in Paris.
- The ability for the fraudster to interactively communicate with the victim in the victim’s own language, while the fraudster uses an effective talking head to speak to the victim. Accents and facial expressions match the words spoken in the language spoken.
The scammer abuses GenAI to look like a real person, which will significantly increase the trust in the relationship. Plus, with all of the stolen PII and other customer information, the fraudster can target specific people (e.g. 70-80 single/widowed individuals) for scams.
How do the scammers reach out to victims? The FTC 2023 Sentinel report shows the following ways of contact. Text messages, social media and dating sites are primary ways for romance and investment scams to begin (see chart 1 below). A text message can be as simple as “It’s been months last time we met. How have you been?” or “Good afternoon my friend! How has your day been?” A helpful person responds that the text was mis-sent. The person may also make a connection on Facebook or on a dating site. These actions lead to the start of a long con over several months, a year, or more that eventually extracts money, and sometimes large amounts, from the victims.
Solutions to Stop Romance and Investment scams
We know the con begins with a text message on your phone or within a messaging app, or within Facebook or a dating site. As fast as possible, the fraudster wants to move the conversation to another platform, such as Telegram, WhatsApp or maybe Signal. These messaging platforms have both text message and video capability. So, to be successful, we have to stop/prevent the attack before it moves to these other platforms. Or, once they move the victim to one of these other platforms, we have to stop the money movement.
There are five areas to focus on to stop these scams.
#1 Text messages
First is at the telco text message level. The telco companies and the regulators have been trying to reduce scam text messages. It has been like whack-a-mole. These text messages can be sent from international locations or from within a domestic mobile carrier (e.g. using a SIM Card farm).
In the U.S., the FCC and telco providers (mobile carriers and vendors that deliver text messages in bulk) have tried to reduce scam messages, but progress has been slow. Some of the best improvement has been in Australia. Since 2022, the Australian Communications and Media Authority (ACMA) has required “telcos to identify, trace and block SMS scams.” In fourth quarter 2023, telcos reported “blocking over 106 million scam SMS in the quarter.” It looks like the Australian regulator, ACMA, and the telco vendors are working together to make a difference. And the ACMA is fining telco providers that fail to stop scam messages.
In Europe, telco expert Eric Priezkalns reports: “there is an emerging trend among European countries willing to amend privacy laws to permit the automated scanning of SMS messages so telcos can identify content associated with consumer scams, such as the URL of a phishing website or a sequence of words that is designed to deceive.”
#2 Phone calls
Second are the actual phone calls that take place during the scam. These will typically be done via Skype, Signal, Telegram or similar apps. Currently technology exists that can detect if a caller is using GenAI. It is used for inbound calls to a call center. But a solution like this could be made available via a mobile app on a cell phone to analyze a call from a mobile carrier or from one of the mobile apps above. Or maybe the mobile phone manufacturers would be the ones to offer this solution. There could be privacy issues involved in scanning voice calls. In fact, as I was writing this blog, a major tech vendor announced a solution “which analyzes (phone) conversations in real time and can alert the user if the call seems suspicious”.
#3 Internet platform
Third is at the Internet platform level (Facebook, Bumble, etc.). Apart from the ‘erroneous’ text/SMS message, the initial interactions occur on these platforms.
It is at this third level that I think these platforms can really make a difference by thinking like banks in protecting new customer account opening. Banks don’t want fraudsters as customers and neither should these platforms. In a previous blog, I talked about the sophistication of automated bot transaction activity. So, detecting and removing bot account opening and other bot transaction activity, after an account has been established, is so important. Not only can bots be used to open new accounts on these platforms, I think they will soon be used for interactive conversation with customers/victims on these platforms. Frank Teruel, CFO at Arkose Labs, recently told Scripps News that the company’s threat research group observed more than a 2,000% YoY increase in attacks on dating sites, January 2024 compared to January 2023.
Proper bot detection/removal should help mitigate this problem. Bots have characteristics that can be identified. In that same blog I mentioned before, I provide many more controls around account opening to be considered.
What will help push new controls at the platform level are some of the upcoming voluntary and mandatory regulatory controls. In the UK, the government and several internet providers signed the voluntary Online Fraud Charter. The purpose of this charter is to attack online fraud. Some of the proposed controls:
- Have effective processes to identify and remove fraudulent content and accounts.
- Remove fraudulent content immediately.
- Deploy verification measures for new advertisers.
- For dating sites, give users choice to verify accounts and develop warnings when users are contacted by unknown accounts and warn users about suspicious contacts.
In Australia, the government issued the Scams Code Framework consultancy in November 2023. The purpose of this consultancy was to engage digital communications platforms, telco providers and financial institutions to help reduce financial scams. For digital communication platform providers, the consultancy recommended:
- Detect, block and prevent scams from initiating contact with customers.
- Prevent misuse of its services by scammers.
- Implement anti-scam systems.
- Detect high risk interactions and alert customers, block or disrupt the interaction to reduce scam activity.
- Implement processes to authenticate and verify identity and legitimacy of business users and advertisers.
- Have solutions in place to prevent user accounts from being hacked and have processes to restore hacked user accounts.
The UK and Australian controls identify the need for these platforms to know who their customers are, eliminate fraudulent accounts and identify and block fraudulent interactions. Later this year, the Australian government will finalize its mandates and possibly include financial penalties for failure to meet the mandates.
#4 Bank teller/customer service
Fourth is the bank teller or customer service person. These folks need to be trained to identify the red flags associated with investment and romance scams. For the scam to work, the money has to move from the FI. One of the ways is cash withdrawal at the branch. Effectively talking to the victim at this point may be one of the most persuasive ways to stop the scam. The issue is, though, scammers tend to advise victims what to say to the Financial Institution (essentially to lie) as part of moving the money, making it more difficult for the customer service person to detect a scam is afoot. A hopeful story emerged from Australia in early 2024. A National Australia Bank (NAB) customer advisor stayed persistent and staved off an AUS$40,000 investment loss. “It sounded like an investment scam and I was concerned this couple could lose their life savings,” said the plucky Erin Bugg. And stop the scam she did!
#5 Bank transaction
Fifth is at the bank transaction level. FIs need to have the ability to detect romance and investment scam transactions. Banks can use various forms of anomaly detection to alert on digital transactions. This can include behavioral biometrics and analyzing the transaction amount and type of transaction and much more if you have additional contextual data. With an alert, the bank can ‘add sand to the gears’ to slow the transaction down and interact with the victim in real time.
Banks also need to have a money mule detection/removal program. If every bank had such a program, it would become much more difficult for the scammer to receive the money. Many banks in the UK go even further and limit/prohibit the transfer of funds to cryptocurrency exchanges, because so many transactions to cryptocurrency exchanges were scam transactions.
In the UK, regulations exist for FIs to detect scam transactions and to have a money mule detection/removal program.
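As an added illustration of the transaction-level control described above (not code from the original post or from any bank), the sketch below scores a pending transaction against a customer's history using amount, transaction type, payee novelty and a crypto-exchange destination, and only adds friction when several signals combine. The sample history, the payee names, the 3.5 outlier threshold and the action names are all constructed assumptions.

```python
from statistics import median

# Constructed history for one customer: (amount, transaction type, payee).
HISTORY = [
    (120.0, "card", "grocer"), (60.0, "card", "pharmacy"),
    (950.0, "ach", "landlord"), (80.0, "card", "grocer"),
    (200.0, "ach", "utility"), (950.0, "ach", "landlord"),
    (45.0, "card", "cafe"),
]
# Hypothetical payees the bank has tagged as cryptocurrency exchanges.
CRYPTO_PAYEES = {"examplecoin-exchange"}
OUTLIER_THRESHOLD = 3.5  # assumed cut-off for the robust z-score


def amount_score(amount, history):
    """Robust z-score: distance from the median amount in units of MAD."""
    amounts = [a for a, _, _ in history]
    med = median(amounts)
    mad = median([abs(a - med) for a in amounts]) or 1.0
    return abs(amount - med) / (1.4826 * mad)


def assess(txn, history=HISTORY):
    """Return (action, reasons) for a pending transaction."""
    amount, ttype, payee = txn
    reasons = []
    if amount_score(amount, history) > OUTLIER_THRESHOLD:
        reasons.append("amount_outlier")
    if ttype not in {t for _, t, _ in history}:
        reasons.append("new_transaction_type")
    if payee not in {p for _, _, p in history}:
        reasons.append("new_payee")
    if payee in CRYPTO_PAYEES:
        reasons.append("crypto_exchange")
    # One signal alone is common in normal life (rent is an amount outlier
    # here), so friction is added only when signals combine.
    if len(reasons) >= 3:
        action = "hold_and_contact_customer"
    elif len(reasons) == 2:
        action = "delay_and_warn"
    else:
        action = "allow"
    return action, reasons


if __name__ == "__main__":
    for txn in [(95.0, "card", "grocer"), (950.0, "ach", "landlord"),
                (5000.0, "ach", "new-contractor"),
                (25000.0, "wire", "examplecoin-exchange")]:
        print(txn, assess(txn))
```

The returned reasons give the customer service person concrete points to raise when they contact the customer about a held payment.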
Summary
The pain that people suffer from romance and investment scams is outright palpable for us all. Some lose their life savings, their houses and sometimes their lives. As fraud practitioners, we need to really understand this. Plus, we need to understand why people become victims of these trust relationships. It is a massive organized crime attack vector. Remember two key points I have seen in the past 12 months:
- The newspapers and TV stations are covering these romance and investment scams, especially the $600,000-$2M pig butchering scams.
- Many of these scams hit the elderly. The good news is that elder care state regulations exist and new regulations are being proposed to safeguard anyone over 55 years old. The UK already has regulations for protecting this particular vulnerable population.
These two points can lead to the start of more regulatory action. Remember 2005-6 when online fraud losses were heavily reported? And in 2022, when unreimbursed Zelle losses made the papers and TV?
There are literally 100,000s of scammers attacking people in the US, UK, Australia, China and many more countries. As with any attack, solutions are available to minimize the attacks. It will, however, take a coordinated effort of banks, telco providers, and platform providers to make it happen. And in several countries already, the FI regulators, along with telco and Internet regulators, are ready to provide a heavy nudge, with penalties and the scam reimbursement stick to make sure everyone listens and helps. Bottom line, we can’t let the scammers take over banking, telcos and the platforms. So, look at the controls and determine which ones you can start to deploy in the next six months.