At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign.

Romance fraud is increasingly common and campaigns can extort large sums from victims, who are often quite vulnerable and lonely.

If you found this page because you think that you might be being targeted, speak to Crimestoppers or Action Fraud.

When stories of romance fraud hit the news, we often hear that the victim had become extremely attached to the scammer, but very little on how they got engineered into that position.

At its heart, romance fraud relies on social engineering, and I was curious to see what techniques were actually being used. I’m no particular stranger to scam baiting, so I decided to masquerade as a mark and see how the campaign was run (as well as what, if anything, I could engineer out of the fraudster).

The emails that I’d received were all associated with one persona: “Aidana”, who claimed to be a dentist in Kazakhstan.

This post analyses the scammer’s approach, systems and material, sharing some of what I was able to learn over the course of a few weeks of back and forth.

  • Em Adespoton
    13 hours ago

    And again, a word of caution: leave the baiting to the professionals. It can be really easy to accidentally drop your opsec, and these people are usually being managed by organized crime syndicates that can have more reach than you’d expect.