Executive Summary
In early 2024, security researchers investigated the initial phases of romance scams conducted over WhatsApp, where attackers use social engineering tactics to engage targets. Scammers made initial contact using 'wrong number' messages, then rapidly built rapport through flattering responses and fabricated personal stories. Over the span of several weeks, operators established credibility by sharing career details, transitioning conversations to new phone numbers, and sharing lifestyle photos to lay groundwork for future financial scams. The observed campaigns were early-stage but designed to emotionally manipulate victims for eventual financial exploitation.
This incident spotlights the refined playbooks, multi-operator approaches, and psychological grooming now typical in romance scams. With surges in digital-first communication and persistent threat actor innovation, such social engineering exploits pose a significant and evolving risk to individuals and businesses alike.
Why This Matters Now
Romance scams have escalated in sophistication, leveraging multi-step playbooks and persistent communication to evade suspicion and compliance controls. As social engineering-driven fraud increases globally, organizations and individuals must update awareness trainings and monitoring to detect behavioral red flags early, preventing financial loss and reputational damage.
Attack Path Analysis
The adversary initiated contact through a social engineering ruse, building trust over time via messaging. While no technical compromise or system privilege escalation was evident, the scammer transitioned communication to less monitored platforms and attempted to establish persistent communication channels. Attempts to exfiltrate sensitive or financial information were in a preparatory phase but not completed. The intended impact was emotional and financial loss to the victim, representing the final goal of the romance scam.
Kill Chain Progression
Initial Compromise
Description
Attacker made initial contact through a 'wrong number' message, exploiting social engineering tactics to begin engagement.
MITRE ATT&CK® Techniques
- Phishing
- Spearphishing via Service
- Application Layer Protocol: Web Protocols
- User Execution
- Gather Victim Identity Information
- Modify System Image
- Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Security Awareness Education (Control ID: 12.6)
- NYDFS 23 NYCRR 500 – Security Awareness and Training (Control ID: 500.14(b))
- DORA (Digital Operational Resilience Act) – ICT Security Awareness and Training (Control ID: Art. 13(6))
- CISA Zero Trust Maturity Model 2.0 – User Training and Social Engineering Defense (Control ID: User: Awareness and Training)
- NIS2 Directive – Security Awareness and Training (Control ID: Art. 21(2)(e))
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Romance scam social engineering tactics exploit customer trust relationships, requiring enhanced identity verification and encrypted communications to prevent financial fraud and data exfiltration.
Financial Services
Multi-stage social engineering attacks target investment credibility building phases, necessitating zero trust segmentation and anomaly detection for unauthorized financial transaction prevention.
Dating/Personal Services
Platform-based romance scams leverage communication hand-offs and identity spoofing, demanding egress security controls and threat detection capabilities to protect user interactions.
Telecommunications
Cross-platform communication vectors enable scammer operations through encrypted traffic channels, requiring east-west traffic security and multicloud visibility for comprehensive monitoring protection.
Sources
- Initial Stages of Romance Scams [Guest Diary] (Tue, Jan 27th) – https://isc.sans.edu/diary/rss/32650
- FTC Data Show Romance Scams Hit Record High; $547 Million Reported Lost in 2021 – https://www.ftc.gov/news-events/news/press-releases/2022/02/ftc-data-show-romance-scams-hit-record-high-547-million-reported-lost-2021
- Malwarebytes Research Reveals 10% of Romance Scam Victims Lose More Than $10,000 – https://www.malwarebytes.com/press/2024/09/25/malwarebytes-research-reveals-10-of-romance-scam-victims-lose-more-than-10000
- Romance Scams Cost Americans $697.3M Last Year – https://www.infosecurity-magazine.com/news/romance-scams-cost-americans/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress policy enforcement, and multicloud visibility would have constrained the attacker's ability to move laterally, persist communication, and exfiltrate data by limiting unauthorized outbound flows and ensuring stricter workload-to-workload trust boundaries. Although the attack was primarily social engineering, appropriate CNSF controls reduce the risk of subsequent technical exploitation or data loss.
- Cloud Native Security Fabric (CNSF): Attempts to exploit shadow IT or leverage unauthorized shadow AI tools are detected.
- Zero Trust Segmentation: Identity-based segmentation minimizes expanded access.
- East-West Traffic Security: Internal flow restrictions prevent lateral pivoting to additional resources or environments.
- Multicloud Visibility & Control: Anomalous external communications are detected and investigated.
- Egress Security & Policy Enforcement: Unauthorized data exfiltration attempts are blocked or isolated.
- Exploit traffic or malicious payload delivery is detected and blocked if attempted.
Impact at a Glance
Affected Business Functions
- n/a
Estimated downtime: n/a
Estimated loss: $547,000,000
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to block unnecessary lateral movement across workloads and user environments.
- Implement egress filtering and policy enforcement to restrict outbound communications to approved domains or services only.
- Enhance multicloud visibility and anomaly detection to identify suspicious communication patterns characteristic of social engineering campaigns.
- Regularly update and tune inline IPS signatures to catch known exploit and payload delivery attempts during all phases.
- Educate users on advanced social engineering tactics and enforce default least privilege policies to minimize social-driven risk.