
                                      Undercover Investigations: How AI is Supercharging Romance Scams

                                      Jul 30 2025

                                      As someone who’s been in the industry for over 20 years, I’ve seen my fair share of online scams. But this is the kind of story you hear and can’t quite believe. At the last RSA cybersecurity conference, a colleague of mine–someone who lives and breathes digital security, a CISO–admitted he’d been taken in by an online romance scam. My first thought was, how? How could someone so tuned in to risks, who spends his life identifying red flags and implementing technical controls, and who knows all the classic tricks of the trade, ultimately fall for it?

                                      His answer was a wake-up call for all of us. He had done everything by the book, or so he thought. He checked for the usual signs, but the scammer on the other end of the screen had a new, powerful tool in their arsenal: a convincing deepfake video call. That one, brief “live” interaction was enough to build a foundation of trust. What followed was a painful financial loss.

                                      His story made my blood boil. It’s clear the old rulebook is no longer enough. The game has changed. Just as cyber threat actors are “tooling up” with AI technologies, their scammer “brethren” are leveling up with AI too. To figure out just how much, I decided to go underground, create a honeypot profile, and see what modern scammers are really up to and what tactics, techniques, and procedures, or “TTPs,” they are using.

                                      Setting the bait

                                      To understand the enemy, you have to walk in their world. I created a profile designed to be irresistible bait: a 40-year-old, muscular, well-educated surfer living the dream in Australia and looking for a meaningful connection. Using my own AI tools, I generated profile pictures and fine-tuned the bio to attract as many scammers as possible on major international dating sites (typical local “hook-up” sites excluded).

                                      The results were immediate and eye-opening. What I found was a mix of the same old bag of tricks, now supercharged with new technology and a cascade of AI “slop.”

                                      The classic red flags are still waving

                                      First, let’s be crystal clear: the old-school tactics haven’t disappeared. They are the foundation of nearly every scam. In my experiment, the low-hanging fruit was universal.

                                      Out of 12 direct scammer interactions, every single one:

                                      • Mirrored my profile’s bio: They expertly tailored their conversations to match my fabricated interests and desires, creating a “too good to be true” connection. It’s the oldest trick in the book: making you feel like you’ve found your soulmate.
                                      • Tried to move the chat off the dating app: This is a massive red flag. All 12 scammers wanted to quickly shift to less secure, more anonymous messaging apps. The most popular were WhatsApp (used by 6 of the 12), followed by Telegram, Signal, Discord, Zangi, Google Chat, and email. This move is designed to isolate you from the dating platform’s security and reporting features and push you further into their world.
                                      • Subtly mined for personal information: The conversations were a masterclass in social engineering. They weren’t just asking about my day; they were probing for details about family members, my job, location, and my life that could be used against me, whether by building a profile they could reuse if they chose to steal my identity or by coercing me into making direct payments for some sham.

                                      It should be noted that, up to this point, the behaviours can all be explained away as classic and understandable tells for someone who is simply and honestly trying to find a soul mate. But the behaviours that followed were less acceptable:

                                      • Got aggressive when challenged: When I started pushing back or questioning their stories, their demeanor would flip. They would try to argue, guilt-trip, and manipulate my emotions to regain control. 
                                      • Refused or excused direct verification: The classic refusal to verify their identity was a common thread (except in two instances explored below). Most would make endless excuses to avoid a video call or refuse a simple, unique request like sending an in-the-moment selfie while touching their nose or striking a unique pose.

                                      The new arsenal: AI-powered deception

                                      Here’s where things get scary. Scammers are now using AI to make their cons more believable and scalable. This isn’t science fiction; it’s happening right now. Let’s take a closer look:

                                      • AI-generated conversations: In my experiment, a staggering 11 out of 12 scammers used AI, like ChatGPT, to write their messages and to make it possible to scale out to their targets en masse. The conversations felt natural, engaging, and emotionally intelligent because they were all tuned by a sophisticated language model. Pro Tip: You can fight fire with fire. If a conversation feels a little too perfect, copy and paste the text into an AI writing detection tool like phrasly.ai. It can help you spot if you’re talking to a person, bot or LLM.
                                      • AI-generated photos for verification: When I pushed one scammer to take a unique selfie, they didn’t just refuse. They sent back a picture that, at first glance, looked legitimate. But upon closer inspection, it was a clear AI-generated image, likely a composite of stolen photos mashed together to fulfill my request. Pro Tip: They are actively using AI to bypass the very “proof of life” tests we’ve been taught to rely on, but there are online tools you can upload pictures to, such as WasItAI or Decopy AI, to validate that they haven’t been AI-mashed.
                                      • Deepfake video calls: This is the game-changer that tricked my colleague. One of the scammers I engaged with agreed to a video call. For about 20 seconds, I saw a person who perfectly matched the profile pictures. Their face was near perfectly deepfaked. The video was laggy, and they quickly blamed a “poor connection” before hanging up, but those few seconds were incredibly convincing and it’s understandable that they could go a long way in building up trust. Pro Tip: The technology is here, and it’s being used to shatter our last line of defense: visual verification. But it needs to be further refined. There are some checks to do: look at eye movement, and look for shape shudders on screen, unnatural blinking, flickering around the eyes, and odd lighting or shadows.

                                      The inevitable ask: Your money, not your heart.

                                      No matter the method, the endgame is always the same. Every scammer eventually spun a sob story designed to pull at the heartstrings and open the wallet. The requests varied, but the themes were consistent:

                                      • A “can’t miss” cryptocurrency investment opportunity: an invitation to leverage OnaChain and share their mining pool for a DefiFund.
                                      • Help them pay for rent to avoid eviction.
                                      • Urgent funds needed for a sick or dying family member in the hospital.
                                      • A request to buy Apple gift cards.
                                      • Using common one-time Crypto (Conbase) payments for BookingID scams.

                                      How to protect yourself or others in the age of AI

                                      The rise of online dating combined with accessible AI is creating a perfect storm. It’s catching everyone off guard, from the general public to tech-savvy professionals. We need a new layer of education outside the classics.

                                      1. Do not trust until you have fully verified: Don’t take anything at face value. A short, laggy video call is no longer proof of anything. Insist on a longer, clearer call. Ask them to do something unpredictable on camera, like writing your name on a piece of paper or touching their face to break through the deepfake AI’s masking, whilst being conscious that even these verification methods still have flaws. Ultimately, AI tools will quickly make any digital test easier to pass (unless you are going to start using government-sponsored MFA services in your dating life), so verifying identity in a real-world offline situation is likely to become ever more important.
                                      2. Use AI detectors: If the conversation feels flawless and ‘too to the point’, run their messages through an AI text detection tool. It’s a simple check that can reveal the truth, or that a bot is in use on the other end.
                                      3. Ask hyper-specific questions: AI-generated ‘slop’ replies from foreign scammers often trip up on niche, local knowledge. The scammer who claimed to love snowboarding in Canada but named Miami, Florida, as their favorite resort is a perfect example. Ask them about a local coffee shop, a specific street, or a regional event.
                                      4. Watch for the classics: The old red flags are still your first line of defense. Never move the conversation off the platform immediately, never share detailed personal information, and never, ever send money to someone you have not met and do not have a real-world relationship with.
                                      5. Ask them to meet in person: Tell them that you are in town (in their location) and ask them to meet in person. This usually forces their hand and puts them in a position of awkwardness and quick rebuttal (see above).
                                      6. Use your own AI to do “deep research”: Conducting your own AI OSINT on the information you have from the person (be it breadcrumbs or names and places that you have picked up online) helps separate legitimate users from the chaff. Gemini’s “deep research” functionality was pretty good at playing detective on an individual, digging deep through multiple sites, public registrars and records, and various community posts, all through a series of well-crafted prompts.
                                      7. Use independent social catfish firms when still not 100% certain: If all else fails, there’s a bunch of independent firms out there that conduct third-party verifications (for a fee) against known catfish databases of profiles and other measures. What price is true love?

                                      AI has made the world of romance scams more complex, but it hasn’t made them unbeatable. By staying informed and vigilant, learning the new TTPs, and leveraging AI to counter AI-fuelled scams, we can learn to spot the “ghost in the machine” and protect our hearts and our wallets. 

                                      By sharing my colleague’s experience and the lessons learned, I hope to raise awareness about the dangers of AI-powered romance scams and empower you to protect yourself and your loved ones. Stay safe online!

                                      If you’d like to learn more about how malicious actors can prey on romance-related vulnerabilities, check out the blog “How Vulnerability Can Make You a Victim on Valentine’s Day.”

                                      Nick McKenzie
                                      Nick McKenzie is a CXO Advisor at Netskope, as well as the Chief Information and Security Officer (CI&SO) at Bugcrowd.