Executive Summary
In early 2024, security researchers investigated the initial phases of romance scams conducted over WhatsApp, where attackers use social engineering tactics to engage targets. Scammers made initial contact using 'wrong number' messages, then rapidly built rapport through flattering responses and fabricated personal stories. Over the span of several weeks, operators established credibility by sharing career details, transitioning conversations to new phone numbers, and sharing lifestyle photos to lay groundwork for future financial scams. The observed campaigns were early-stage but designed to emotionally manipulate victims for eventual financial exploitation.
This incident spotlights the refined playbooks, multi-operator approaches, and psychological grooming now typical in romance scams. With surges in digital-first communication and persistent threat actor innovation, such social engineering exploits pose a significant and evolving risk to individuals and businesses alike.
Why This Matters Now
Romance scams have escalated in sophistication, leveraging multi-step playbooks and persistent communication to evade suspicion and compliance controls. As social engineering-driven fraud increases globally, organizations and individuals must update awareness trainings and monitoring to detect behavioral red flags early, preventing financial loss and reputational damage.
Attack Path Analysis
The adversary initiated contact through a social engineering ruse, building trust over time via messaging. While no technical compromise or system privilege escalation was evident, the scammer transitioned communication to less monitored platforms and attempted to establish persistent communication channels. Attempts to exfiltrate sensitive or financial information were in a preparatory phase but not completed. The intended impact was emotional and financial loss to the victim, representing the final goal of the romance scam.
Kill Chain Progression
Initial Compromise
Description
Attacker made initial contact through a 'wrong number' message, exploiting social engineering tactics to begin engagement.
MITRE ATT&CK® Techniques
Techniques mapped primarily target social engineering and user manipulation; further mapping may expand TTP coverage during deep incident analysis.
Phishing
Spearphishing via Service
Application Layer Protocol: Web Protocols
User Execution
Gather Victim Identity Information
Modify System Image
Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Awareness Education
Control ID: 12.6
NYDFS 23 NYCRR 500 – Security Awareness and Training
Control ID: 500.14(b)
DORA (Digital Operational Resilience Act) – ICT Security Awareness and Training
Control ID: Art. 13(6)
CISA Zero Trust Maturity Model 2.0 – User Training and Social Engineering Defense
Control ID: User: Awareness and Training
NIS2 Directive – Security Awareness and Training
Control ID: Art. 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Romance scam social engineering tactics exploit customer trust relationships, requiring enhanced identity verification and encrypted communications to prevent financial fraud and data exfiltration.
Financial Services
Multi-stage social engineering attacks target investment credibility building phases, necessitating zero trust segmentation and anomaly detection for unauthorized financial transaction prevention.
Dating/Personal Services
Platform-based romance scams leverage communication hand-offs and identity spoofing, demanding egress security controls and threat detection capabilities to protect user interactions.
Telecommunications
Cross-platform communication vectors enable scammer operations through encrypted traffic channels, requiring east-west traffic security and multicloud visibility for comprehensive monitoring protection.
Sources
- Initial Stages of Romance Scams [Guest Diary], (Tue, Jan 27th)https://isc.sans.edu/diary/rss/32650Verified
- FTC Data Show Romance Scams Hit Record High; $547 Million Reported Lost in 2021https://www.ftc.gov/news-events/news/press-releases/2022/02/ftc-data-show-romance-scams-hit-record-high-547-million-reported-lost-2021Verified
- Malwarebytes Research Reveals 10% of Romance Scam Victims Lose More Than $10,000https://www.malwarebytes.com/press/2024/09/25/malwarebytes-research-reveals-10-of-romance-scam-victims-lose-more-than-10000Verified
- Romance Scams Cost Americans $697.3M Last Yearhttps://www.infosecurity-magazine.com/news/romance-scams-cost-americans/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, egress policy enforcement, and multicloud visibility would have constrained the attacker's ability to move laterally, persist communication, and exfiltrate data by limiting unauthorized outbound flows and ensuring stricter workload-to-workload trust boundaries. Although the attack was primarily social engineering, appropriate CNSF controls reduce the risk of subsequent technical exploitation or data loss.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Attempts to exploit shadow IT or leverage unauthorized shadow AI tools are detected.
Control: Zero Trust Segmentation
Mitigation: Identity-based segmentation minimizes expanded access.
Control: East-West Traffic Security
Mitigation: Internal flow restrictions prevent lateral pivoting to additional resources or environments.
Control: Multicloud Visibility & Control
Mitigation: Anomalous external communications are detected and investigated.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data exfiltration attempts are blocked or isolated.
Exploit traffic or malicious payload delivery is detected and blocked if attempted.
Impact at a Glance
Affected Business Functions
- n/a
Estimated downtime: n/a days
Estimated loss: $547,000,000
n/a
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust Segmentation to block unnecessary lateral movement across workloads and user environments.
- • Implement egress filtering and policy enforcement to restrict outbound communications to approved domains or services only.
- • Enhance multicloud visibility and anomaly detection to identify suspicious communication patterns characteristic of social engineering campaigns.
- • Regularly update and tune inline IPS signatures to catch known exploit and payload delivery attempts during all phases.
- • Educate users on advanced social engineering tactics and enforce default least privilege policies to minimize social-driven risk.
