In recent years, the number of people using dating apps and websites has increased significantly; the Match Group has seen an increase in subscribers of almost 30% since the COVID-19 pandemic prevented people from meeting in person back in 2019, and this figure is continuing to increase with every quarter. But, unfortunately, many people who turn to these services in their quest to find romance end up caught in the net of a catfish.
Today, fraudsters are taking their romance scams to a new level, turning from catfish—people who lie about their true identity online for deceptive reasons—into catphish. A catphish is someone who uses dating services as a platform to carry out spearphishing attacks, setting up a fraudulent profile in order to con their victim into handing over financial information or other sensitive data, like the login details to their online accounts.
These attacks prey on their targets’ emotional vulnerability and can have a long-term negative impact on their mental health. But the damage doesn’t stop there; romance scams, also known as “sweetheart scams”, cause some of the most severe financial losses compared to other types of online scams. The FBI reported that, last year, sweetheart scams resulted in losses of over $133 million in the U.S. alone.
While it’s important that dating site users know how to spot a Hinge Hustler or a Match.con, dating services themselves should be taking steps to prevent cybercriminals from creating fraudulent accounts in the first place.
We spoke to Identiq’s Uri Arad, VP Product and Co-Founder, and Shmuli Goldberg, Chief Marketing Officer, to find out how dating services can do exactly that. Arad has been combatting con artists for over a decade, working as Head of Analytics and Research at PayPal’s risk department before co-founding Identiq in 2018. He currently manages Identiq’s product and research functions, including their cryptographic, privacy and fraud-related research. Goldberg has spent the last 15 years in the tech space, helping organizations to leverage machine learning and big data, and automate their decisions. A technologist at heart, he now runs Identiq’s marketing operations.
Who are Identiq and how does your platform work?
Arad: At Identiq, we built a company around privacy, and around finding a solution that allows you to validate information and verify identities but, at the same time, guarantee the privacy of consumers and the information that each company holds about their own consumers.
As fraud managers, we answer the question, “Is the person that is acting now—whether opening an account, making a transaction or making a payment—a real person? And are they using their own data or someone else’s data?”
One of the reasons that I joined my partners to found Identiq, was realizing the power of seemingly “innocent” data to reveal a lot of private information about yourself. It’s amazing how much you can learn about someone using just their location data, for example: their age, behavior, where they work, where they live, but also things like their religion, whether they have kids or not, and their political affiliation. It’s always mind-boggling to see how, once you aggregate and start cross-referencing this “innocent” data, you create a huge privacy challenge.
The Identiq network is based on a branch of cryptography called “secure multi-party computation”. That’s part of a larger family of privacy enhancing technologies that allow us to compare two sets of data between two parties, and check whether they match without revealing the data itself.
Goldberg: We have no user data. We are the only people in the industry actually, that don’t want this data at all. We enable companies to work together to validate their users against each other’s databases, but we don’t see, touch, have or hold any data whatsoever. And those companies do not expose data at any point either.
One of the places that people often publicize a lot of that seemingly “innocent” information about themselves, is on online dating platforms. And as Valentine’s Day approaches, a lot of people turn to these services in their quest to find romance, but end up caught in the net of a catfish (or catphish). So, how do sweetheart scams work, and why are they so dangerous?
Goldberg: There are lots of online scams, but the ones that are most successful generally fall under one of two categories. The first of these is playing to a strong emotive force. For example, a telephone scammer will often put a lot of pressure on you in the first minute or two—telling you that something’s urgent and you need to help them, and you have to do it very quickly—because they want that emotive reaction. Because when you’re in a more emotive state, you’re more vulnerable and susceptible to suggestion.
Secondly, there’s a confidence that comes with being a tech-savvy, intelligent person nowadays that means you believe you won’t get caught in such scams, because you think you can see the signs. And that false sense of security often creates a trap which many people fall into, as scammers realize they can take advantage of that confidence.
Catfishing itself is a relatively new term, only about 10 years old, and it started with the online dating industry. Now, it’s a word that we use on a daily basis! Just look at the number of shows coming out on the topic; even this week, there was a new Netflix show about catfish scams. And when you watch these shows, these aren’t poor, defenceless people—they’re intelligent people who are often wealthy, middle class and above, and therefore make the perfect targets for scammers to take advantage of.
The typical scam begins with the scammer building a relationship with you online. It is very easy for a scammer to use Facebook, LinkedIn and Twitter to understand your likes, your interests, or look at your Instagram posts to understand the way you talk so they can build a relationship with you in a very short amount of time. And the ultimate goal is nearly always a financial pact. That might come in the form of requesting help, or blackmail, for example.
Now, when you’re doing online dating, you tend to go from chatting to 10 people to five people to just one, but scammers are the exact inverse of that; they’ll be chatting to tens or hundreds of people at the same time, ultimately trying to get to their pay day as quickly as possible and gain as high a price as possible.
And these scams are so dangerous simply because they play to a fundamental desire that we have to be loved, to be accepted, to feel wanted, and every other emotion that comes along with that.
It’s important for users to be aware of catfishing, but that’s not always enough to stop them being lured into a romance scam. So, how can dating services themselves help prevent fraudsters from creating an account in the first place?
Goldberg: In a nutshell, what we offer is a platform that allows companies—including dating companies—to work together to make sure that, when they see someone for the first time, that person is a real person and the person that they are speaking to actually is that person.
I’ll give you an example of this. Let’s say you wanted to sign up for a dating site. So, you go to eHarmony, for example, and you put in your details. Now, eHarmony—or any other dating service—has a huge problem: they’ve never seen you before, so they don’t know if you’re real.
But you could be new just to eHarmony; there may be hundreds of sites out there that know you. And we’d expect a user of a dating site to be using other services and apps that know them very well. So just for example, if you were to sign up for eHarmony, and they could ask Uber, Netflix, Amazon or anyone else, “Hey, do you know this user? Have you seen them before?” then a real user would have a lot of companies vouching for them.
The vast majority of legitimate users out there online are already known and trusted by tens, if not hundreds of other companies. So, we enable companies to validate that the identities of new users are known and trusted already by a wide range of companies all across the internet.
What are some of the challenges faced by dating services looking to authenticate and verify the identities of new users?
Arad: One of the challenges that many of these companies have is really about striking the balance between the user experience, and user trust and safety. On one hand, these companies—dating services, eCommerce websites, social networks, etc.—must make it easy for you to sign up and be part of their community. On the other hand, they must preserve user privacy.
Many of these services are large international companies that may want to employ other techniques to validate user information, but it’s often really hard to do that on a global scale. Because the type of information you may have in the U.S. might not exist in the U.K., and what you have in the UK will not exist in Germany, etc. So, it becomes a challenge to standardize that.
Goldberg: It’s critical for this industry to preserve absolute privacy and not share any consumer data, business data, or sensitive information during this process. With Identiq, the dating service never gives your name or email address to anyone; nobody out there learns that it’s you who’s being asked about.
We essentially have been able to solve the two biggest challenges facing these companies today, which are ensuring the security of their users, and ensuring the absolute privacy of their data. Most people wouldn’t be comfortable using a tool if they suspected their data would be shared with a third party. But unfortunately, many dating companies today are forced to validate users and are therefore forced to share that data.
But we’ve effectively created a network that allows them to make sure the person they’re speaking to is exactly who they say they are—ensuring the safety and trust of their users—while maintaining absolute privacy of their end users’ data.
How can Identiq’s platform help dating sites—and other businesses that require users to create an account—protect genuine users against sweetheart scams and other types of fraud?
Arad: The Identiq solution doesn’t require these businesses to make any significant changes to what they already do today. They need to collect some basic profile information—like an email, a phone number, a name—and accompany that with information that allows them to connect that data to the person who’s now creating the account. This could be IP and device information.
On top of that, when collecting information like email addresses and phone numbers, it’s critical that they verify that data using something like a one-time password sent either to the email or to the phone number.
Once they have those data points, the Identiq network is able to take this basic information about who a user is, and also some of the other data points that I mentioned, and look to see whether there’s strong evidence of that person having already been active for very significant period of time over the internet, and whether they’ve been active in multiple services. And just to be clear, we do this without any personal user data being shared with any company on the network. Even Identiq doesn’t see that personal user info.
This allows us to verify that this isn’t an identity that someone created yesterday like a burner phone, because, if it were, those data points would either be invalid or they’d be what we consider “young” data points. This means they don’t carry a lot of weight in our network. Only when we see that someone is behaving and existing consistently for a long period of time, can we give the thumbs up about that person being a real person and actually being who they claim to be.
We can also prevent someone with bad intent from repeatedly committing a scam. Scammers usually don’t use their own real details, but our platform forces them to do just that. An illegitimate user could open a new account if they used their own real identity, and then it might take some time for them to be detected. But once they’re caught, you have the real details of that scammer, so you can engage immediately with law enforcement.
That raises the stakes for them. And if they decide to use their own personal details in order to commit a scam, once they’re caught, it’s done. The account is blocked and it becomes extremely hard for them to open a new account, because any new data that they try to use—a new email address or phone number, for example—won’t have the history and internet presence required to validate.
Thank you to Uri Arad and Shmuli Goldberg for taking part in this interview. You can find out more about Identiq and their user verification platform via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.