In this bonus episode, Bob sits down with David Etue, CEO of Nisos, The Managed Intelligence Company®, to discuss a fascinating study his team recently conducted to learn more about criminal online activity to better protect online users. For the study, “Catphishing the Catphisher,” researchers set up fake social media profiles and waited for criminals to connect in hopes of engaging in conversation. Although they expected the study to take several months, maybe even a year, Etue and his team were quite surprised with such quick results. Wait until you hear what happens.
[00:00:01] When I'm with you I feel alive. You bring me happiness that no one else ever could. You bring to me a love I've never known before. I really couldn't imagine what my life would be like without you. You've touched my heart in ways no one ever could comprehend. I love being with you and I want to spend the rest of my life with you.
[00:00:19] I am from the United States currently working here in Mexico as a logger. And you?
[00:00:23] I'll be back in two months' time.
[00:00:24] I'm from Copenhagen, Denmark, but moved to Wichita Falls, Texas. I'm currently working in Romania now.
[00:00:30] I'll definitely pay you a visit when I'm done with my contract. Meeting you would mean so much to me. What work do you do?
[00:00:35] I've been in Korea for 8 months now. Just a few weeks to a couple of days as I look forward to retirement and then I'll be backside.
[00:00:42] Can you assist me? Once I get to the States I'll pay you back.
[00:00:45] How can you aff--, how much can you afford? He was asking how much I'm going to pay him, and I don't know how much you can assist.
[00:00:53] Bob: Welcome back to The Perfect Scam. I'm your host, Bob Sullivan. And this is a special bonus episode of our podcast. Have you ever wondered what it's like to be catfished, to be targeted by a romance scam criminal? Well, today you're going to find out because our guest runs a security company that recently ran a fascinating study. They catfished the catfishers. They set up fake social media profiles, waited for the criminals to connect, and then engaged in conversation with them. The researchers expected the study to take several months, maybe even a year, but well, wait until you hear what happened. I'll let David Etue explain.
[00:01:36] Bob: What is your title?
[00:01:37] David Etue: I'm the CEO of Nisos.
[00:01:38] Bob: And what does Nisos do?
[00:01:39] David Etue: Nisos provides managed services for cyberthreat intelligence. So we work with companies, top tech platforms, and others to help monitor and investigate adversaries and how they use the internet to create harm.
[00:01:50] Bob: So you're looking after internet bad guys of all kinds?
[00:01:54] David Etue: Right, so all, all kinds.
[00:01:56] Bob: So uh recently you published this report called, "Catphishing the Catphisher," which I was fascinated to read. Before we get into the details of the report, why would a company like Nisos do research like this?
[00:02:08] David Etue: So one of the things that we do as a company is we have a research group, and it's important that, you know, part of our mission is protecting folks from harm. So, and we've seen some activities around online relationships and then we decided that that was an area that we wanted to look further into the adversarial methods to see if there were things that we could share that would, would be helpful.
[00:02:27] Bob: And if you're studying computer hackers, sometimes you go underground and pretend to be a computer hacker to understand the, the bad guys, right?
[00:02:34] David Etue: Yeah.
[00:02:35] Bob: So, to better understand the adversary, in this case would be romance scam criminals, David had his research team set up fake profiles on social media services. Not dating services, mind you, just social media profiles. In general, they created personas with characteristics of older adults, and then had them join specific kinds of groups, groups devoted to social activities, for example, or widow support, or appreciation for the military. The profiles went live February 7th of this year. The plan was to wait a few months and see what happened. That plan went out the window fast.
[00:03:15] Bob: Okay, so you set up profiles, you make it obvious that, that these are people who are single and may be recently single or widowed. Um, they have um, some connection to the US military, and you expect to, to have to put in some hard time, weeks and months just sitting there waiting for an invitation from a criminal but in, in fact, what happened?
[00:03:37] David Etue: We had received messages within you know 24 hours from multiple scammers looking to, you know, to establish online relationships.
[00:03:45] Bob: So these are brand new social media accounts, obviously not with a ton of connections, and criminals find them almost immediately?
[00:03:53] David Etue: Yes.
[00:03:54] Bob: Okay, so the profiles went live February 7th, and by February 8th the sharks had already started to circle. It was so intense the experiment didn't even have to last a month.
[00:04:08] Bob: So you expected to spend months on this research, but in the end you did it all in about a week, right.
[00:04:12] David Etue: We could see, as a company, some, some just horrible things that occur on the internet. And even we were surprised at the, at the speed of engagement. So we ended up changing the, the priority of this in our research process.
[00:04:24] Bob: Within a day criminals were already professing their love for the Nisos fake profiles, and more important, they were already grooming them, vetting them as potential targets. The initial conversations sounded harmless enough, but they were anything but.
[00:04:41] So tell me, do you still have your parents?
[00:04:44] Do you stay alone?
[00:04:45] Do you live in your own house or is it rented?
[00:04:47] What do you do to overcome your economic expense?
[00:04:50] Do you have a house or a car? Can you drive?
[00:04:52] How many houses do you have?
[00:04:53] So are you happily married with kids?
[00:04:56] Do you live alone?
[00:04:57] So what is your occupation and how long have you been working at your current job?
[00:05:01] David Etue: So, I think, you know what we learned is that you know first they, they, you know, they'll, they'll reach out in some ways start a conversation, but they also have a, they, they sneak in sort of a, a vetting process of, so you know, do they, are they financially stable? Do they own their home? Do they live alone or have family close by? So they're, you can see that they, in the questions there's eliciting, they're learning both what, if, you know the, the value of their potential victim.
[00:05:27] Bob: So when they first reach out, um, pretty soon after "Hi, how are you," they ask some things to find out whether or not the person they're talking to might be a good financial target if they have a, a nice home, if they have a, a retirement account, maybe an insurance settlement, something like that, right. So give, give me some specific examples of, of what they subtly ask to find out about their target.
[00:05:50] David Etue: If you can get someone's address in the US, you know, property records are, are generally public and so the ability that for them to understand, you know even something as simple as a zip code can give, can give a lot of information about you know, economic viability, but if you can get someone's, you know someone's home address you can, yeah, you can see property records as to uh you know who owns the, you know who owns the house, uh you know how many names are on the deed, uh, what is the value of the house. And so they'll ask questions, even things as, as you know simple as, oh you, you know, you're retired. How hard did you work to you know to, you know did you work and save uh significantly, you know, so that you're comfortable in retirement. Questions that you, you know, that someone would be very proud to answer like yes, you know, I, I was a, you know, I worked in this profession for 40 years, and, you know I was, you know it was really important to me that I have a great retirement. And so I've uh, you know, I saved diligently in my 401k or 403b, and so it's something you'd be very proud of sharing.
[00:06:44] Bob: The vetting process actually serves two purposes. First, to see if a potential target has a lot of wealth, but second to gather information that might be useful to hack into accounts later on.
[00:06:56] Bob: It's really interesting that they're collecting information as well, something as simple as a pet name might be problematic to share later, why?
[00:07:04] David Etue: So, many banks use knowledge-based authentication or KBA if you're talking to cybersecurity folks. But those, those questions when you sign up for a financial account that, if, you know, if you forget your password or they need to better evaluate who you are, they'll ask, you know, like what was your mother's maiden name, what street did you grow up on, you know, what is the name of your first pet. It's called social engineering, uh where you can elicit uh, those questions and can capture that inventory for future use if you get access to someone's account.
[00:07:33] Bob: But soon after this vetting process happens, very soon, often within moments, the criminals do their best to take the conversation to a different place, quite literally.
[00:07:44] You're welcome. Please I'm about going offline now, please do you have...
[00:07:48] You're such a nice person. I love the way you talk, and I'm happy to meet you here in this platform. I will like us to know each other more, better. But I don't chat here very often due to the nature of my job. Do you chat on...
[00:08:03] I would love to write you on...
[00:08:06] Do you text on other platforms?
[00:08:10] David Etue: One of the common things that we saw was a request to move to other types of chat platforms. And so they may have a preferred platform where they believe they uh, they have internet encryption or other ways that uh they aren't monitored. Um, so you know after the conversations will start, they'll often invite someone to you know turn their platform and you know and in some cases you know they're, they're, even selling it, so talking to the potential victim as, oh, I think, you know the chat here is better and it's easier for you and so you know, motivating them to a place that they may uh, you know that, that less monitoring may be prevalent. I think right that's, for the audience, that's a, a, a really important red flag that if, if someone's, you know, looking to move you to a different, uh a different platform to engage in chat, that's a key warning sign.
[00:08:58] Bob: Why do that? Why move to a different chat tool? Because criminals regularly get reported and thrown off big tech platforms, so they entice victims to move to a more secretive place where they can't be monitored, and they're unlikely to get kicked out. And then, once the conversation has been moved to this more private chat tool, the storytelling really starts to accelerate. There's almost always a plea for sympathy right away, like this one.
[00:09:29] David Etue: "My childhood wasn't really fun though. My mother died giving birth to me, so I never really experienced a mother's love. My dad was so strict, he wanted the best and nothing but the best from me. You know, he would take me to school and back, so I never really got the opportunity to make friends. At first I was angry with him, but then I realized that he was still dealing with the pain of the loss of my mother." It's a, you know these, these, you know this very sad stories, you know which then, you know, are often followed by you know like, I don't know how this one played out, but you know, "We never had the financial means, and now you know, I finished school, um, but I can't get a job. Must have these things," and you know, "could you send me some Target gift cards so I could buy a suit for my interview," uh so you can see the, the beginnings of laying the framework um, for, for a fraud.
[00:10:15] Bob: And so often at the end of that plea for sympathy is a request for a gift card.
[00:10:22] Bob: There's a lot of chatting that goes back and forth, but eventually there's the ask, right, and, and what is a typical ask?
[00:10:27] David Etue: What we've continually seen is that gift cards are a very popular request. In the digital world, you no longer need to hand someone a physical card, you know, that is has a, the number and then the, you know you scratch off the safety, you know the, the validation number. Uh, if you have that, they're very fungible and so can, can be used online very easily. So we, we see a lot, a lot of requests um, for gift cards.
[00:10:52] Bob: It's not only gift cards though. Criminals increasingly ask for cryptocurrency, or sometimes just ask for cash, perhaps mailed in some disguised form like inside a book, and sometimes all they ask for is a special delivery.
[00:11:10] I don't want us to rush into traveling. We must consider each other's timing and availability. I'm a military personnel, and without an authorized withdrawal I can't leave here. My portfolio is still here, and it contains all my important work documents, but if I want to go for a withdrawal right now I have to get my portfolio shipped down to the States where it can be taken to the Pentagon for signing; only then can I even have enough time spent with you. If you don't mind, I can contact the diplomatic company here on how they can ship my portfolio down to the States, and then you can receive it for me if that's okay with you. And then we can spend time together immediately the process is done and I'm back to the States.
[00:11:46] Bob: This is an example of money mule grooming. In this kind of scam, the criminal doesn't ask directly for payment from the victim. Instead the criminal asks merely that a potential romance partner receive a package on their behalf and then send it along to someone else. That helps criminals evade tools designed to catch illegal movement of money. In this diplomatic portfolio example something illegal will be sent in that package, and it's likely that criminal is working with multiple victims simultaneously getting payments from one victim, using another victim to send the cash overseas, and so on. In fact, many criminals are now connected to a network, a gang which lets them steal even more efficiently. And they learn from each other which is why they seem to come armed with answers for everything. For example, it's natural to ask a potential romantic partner for a video chat after a while. A video chat would likely expose a criminal, but they have a ready-made answer for that request.
[00:12:51] David Etue: They will come up with a number of incredibly creative ways, really excuses, for why they can't meet you in person or that they can't invade--, engage in a video call, and one of the common reasons that would be is that you know they're, they're out of the country for work, you know either as a member of the US military or you know a contractor supporting the military. There's always an excuse of, oh, you know, I'm at the military base and they block FaceTime or Zoom or uh, I'm on a oil rig and we have very low bandwidth.
[00:13:18] Bob: And while the criminals are reluctant to get in front of the camera, they ask their targets to share a lot of photos and for a reason you might not have guessed.
[00:13:31] Are you for real? Can I see a picture of you?
[00:13:33] I can't take my eyes off your lovely smile. Can I get another picture of you?
[00:13:38] Can I have a full picture of you?
[00:13:39] I want you to do nude for me.
[00:13:41] Bob: Well one of the things that surprised me about your report is that early on in the relationship, scammers ask for a lot of photos of their potential victims. Why do they do that?
[00:13:52] David Etue: So, these scammers want to make sure they're not engaged with another scammer or a law enforcement, you know, using similar tools.
[00:13:59] Bob: I, what's funny about that is it gives me the feeling it must, must be such a cesspool of criminals that they're bumping into each other while looking for victims.
[00:14:07] David Etue: I'd say yes.
[00:14:08] Bob: They also sometimes use specific language to see if they're dealing with a potential victim or an undercover cop or they're accidentally trying to scam other criminals.
[00:14:20] David Etue: There's a term, “Alaye” which is a Yoruba language term that means younger brother. And interestingly, it has been you know repurposed by the scamming community to determine if they're speaking to another scammer.
[00:14:33] Bob: So it's almost like a code name between them to indicate, are you, which team are you on?
[00:14:38] David Etue: It is, yes it's...
[00:14:39] Bob: Already I'm sure you've spotted what could be potential red flags from these interactions. But the most helpful part of the Nisos study is a whole set of other indicators you might not have considered, so let's talk about them. Here's one I found fascinating: talking with a romance criminal can feel frustrating in the same way that chatting with a customer service agent can feel frustrating. Many of them are cutting and pasting the same stock answers the way customer service agents do, and they're often talking to multiple people at once, so there are these awkward pauses.
[00:15:15] David Etue: If you think of how when you interact with tech support, that the person who's helping you may be helping two other people at the same time, the scammers are working the same way. They may be chatting with many, many personas.
[00:15:25] Bob: And they might say things that don't quite fit in with the conversation because they're pulling from prewritten scripts.
[00:15:34] David Etue: They can have a lot of inconsistencies so that as they're cutting and pasting, this conversation goes over days, they don't appear to have the discipline to go back and review each chat for what they've, they've seen, and so the, the stories may change, and those, those inconsistencies are a red flag.
[00:15:50] Bob: I think that's really interesting. I'm sorry to inter--, interrupt you, but the idea that that sort of vague frustration you have when talking to customer service and you know you're not quite getting their full attention in that chat, if you have that same experience, that could be an indication you're talking to a criminal.
[00:16:05] David Etue: Very much so. Yes.
[00:16:07] Bob: So, if you get the sense that a potential romance partner is carrying on multiple chats at once, and their answers don't quite fit the questions, and you get that little adrenaline rush you do when a customer service agent is frustrating you, well listen to that. In a similar way, non sequiturs can also be a red flag.
[00:16:27] David Etue: There is, you know, a lot of random questions like, you know, do you have a car, like is that, you know is that really relevant to the conversation, like looking at the flow of the conversation, does what they're asking for you know make sense, and it's like if you're talking about you know, sports, and all of a sudden there's like, well, you know, what's your pet's name? Those jumps in conversations.
[00:16:47] Bob: So after spending all this time having these sometimes awkward conversations with romance criminals, David has some suggestions about how to protect yourself from scams.
[00:16:57] David Etue: First is you know, social media privacy settings, uh are really important that um, you know that the information that you choose to share uh that um, you know one, be cognizant of what you're sharing, but also you know, make sure that you're sharing it in a controlled and private fashion. A lot of people, you know, will accidentally uh share you know their things like dates of birth, you know, photos, friends, um, and, and that's information that is, is very useful uh, to a potential scammer. Look at the different platforms you're involved in and, and, and what you share and make sure that it's um, you know it's, it's turned to, you know, the, the minimum settings. Uh, even things like, you know, most social media platforms, the profile photo you choose, you know you're required to share that uh publicly. And so you know to being cognizant of, of what's uh you know what is in that photo, uh compared to, so, so the privacy settings are, are the first. You know the second is, is around friend requests. Be diligent about the, the friend requests you accept. And part of the reason that's dating in general and particularly uh, you know senior dating, uh, is, is a target, is because, it creates an environment where accepting a request or conversation from someone you don't, uh is, is a prerequisite uh to discovering, you know, a, a new potential mate. Uh, but being, you know, being careful uh with um, with the, the requests you accept and vetting them is, is uh is important. Before we talked about I think it was, if someone asks to move platforms, uh in in chat, uh particularly very early uh in a relationship, that is very often a red flag, uh, that uh if, if you've chosen the platform to engage uh and they want to move somewhere else you're, um, they're likely doing that for um, for malicious reasons. If you see activity that you know is concerning, uh, you can block them so that they can no longer interact with you, but also report them. 
You know reporting folks that have attempted to, to you know fraud or scam or precursors of them, is, is really helpful to the platforms because you know that they're, while they may not be looking at every individual account, uh that they can understand the activities and behaviors associated with accounts that are blocked and uh they can use that to improve the trust and safety and uh security of, of their own platforms.
[00:19:07] Bob: So report any interactions you have with criminals. And not just to the social media company you're using.
[00:19:14] David Etue: Beyond just reporting to the platforms, uh, you know, if, if things are at a point where they, you know, are, are concerning from a, you know, from a legal perspective, you know, you can uh, you know, contact and report to your law enforcement, and there's also a number of things, uh, like you know, AARP has a great reporting network, and, you know, there's also elder abuse hotlines which can also be, be great resources.
[00:19:31] Bob: And in the appendix of the report which you can read online, there are a couple of helpful lists. First, here are items of personal information that might seem natural to share, but they can also make things easier for a criminal, so be very reluctant to share them. Things like: family member names, nicknames and ages, names of pets, personal images, including explicit or compromising photos. Images of family members. Any physical address. An email address or a phone number. Common valuable assets like if you own a car, income or net worth. Technological capabilities such as a bitcoin wallet. Living status like proximity to children or roommates. Information related to your age such as things like favorite artists or musicians which you might not think of. Employment status and work experience. And former schools and mascots. And here is a full list of red flags to be on the lookout for: Urgency and obtaining personal information. Impatience or guilt-inducing tactics if you're delayed in responding. Requests to email or message additional accounts with personal information. Requests to send money to their company or to fund a leave trip. Demands for receipts alongside sending money. Requests for gift cards. Requests to change social media or chat platforms. Inability to video chat. Attempts to elicit sympathy. Texts that appear generic, particularly of a flattering nature, or a background story that could indicate copying and pasting. Inconsistent details in someone's story. Military impersonators or other individuals claiming to be US citizens working in a foreign country. Use of unfamiliar terms or inconsistent grammar. The presence of images on social media accounts with different names. You can do a reverse Google image search to find that out. Seemingly random questions such as whether or not you know how to drive or have access to a vehicle. For The Perfect Scam, I'm Bob Sullivan.
[00:21:53] Bob: If you have been targeted by a scam or fraud, you are not alone. Call the AARP Fraud Watch Network Helpline at 877-908-3360. Their trained fraud specialists can provide you with free support and guidance on what to do next. Thank you to our team of scambusters; Associate Producer, Annalea Embree; Researcher, Sarah Binney; Executive Producer, Julie Getz; and our Audio Engineer and Sound Designer, Julio Gonzalez. Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Bob Sullivan.
END OF TRANSCRIPT