Incognito — February 2025: Dating Apps & Romance Scams

Welcome to the February 2025 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• Romance. February is the month full of love, so let’s talk about dating apps, romance scams, and sextortion attempts. 
• Recommended reads, including “Mobile Phishing Attack Impersonates USPS.” 
• Q&A: Is there any reason to worry about privacy if collected information is “aggregated”?

Dating Apps Are As Bad As Ever (for Privacy)

If you’re a long-time reader of Incognito, you might remember our online dating issue from 2022. 

What’s changed since then? Sadly, not much. Dating apps are still terrible for your privacy. In fact, they’ve gotten worse.

Last year, the Mozilla Foundation found that: 

• 80% of dating apps share or sell your personal information for advertising. 
• 52% experienced a breach, leak, or hack in the past three years. 
• About 25% collect metadata from your content, and 64% are likely to create “inferences” about you.

It’s not just your data you need to be worried about protecting while on dating apps. It’s also your money. For example, between 2013 and at least mid-2018, 25-30% of Match.com members who registered each day were using the dating site to perpetrate scams. Plus, more than a third of romance scams originate on dating apps. 

Romance Scams Are On the Rise

What would you do if you received a message from Brad Pitt (insert a female celebrity’s name if you’re male)? 

You’d probably think it’s a scam, right? According to a recent news story, so did a 53-year-old French interior designer known as “Anne” – at least initially. But the longer she talked to “Pitt,” the more she grew convinced that he was, in fact, the real deal. 

• The end result? She transferred “Pitt” 830,000 euros (about $855K) for “cancer treatment.” 
• She realized she had been scammed when she saw real photos of Brad Pitt with his current partner. To add insult to injury, after Anne discussed her ordeal on French TV channel TF1, she was mocked and harassed so badly her interview had to be pulled.

This isn’t an isolated incident. Romance scams are on the up. “Keanu Reeves,” for example, conned thousands out of a woman last year. 

Things are getting so bad that banks are issuing statements warning people about these scams. 

Are you “victim” material? In an interview with KSL TV, a former romance scammer said that he mostly used Facebook to find his targets, going for women who posted a lot of photos of themselves with their kids but no men. His favorite ruse was to pretend to be an American soldier on deployment. 

The red flag to watch out for: Your romantic interest (whom you more than likely met on social media or a dating app) asking you for your online banking credentials or a money transfer. 

Of Course, AI Is Making These Scams Worse 

What helped Anne (from the story above) feel that the person she was talking to was actually Brad Pitt was a selfie. 

As you’ve probably guessed, the selfie was AI-generated. 

Besides photos, romance scammers can use AI to create fake videos and simulate voices. At the most basic level, AI can fix spelling and grammar mistakes that might give the scammer away. 

New technique: Scammers are creating fake news videos that mimic reputable news organizations like CNN to blackmail victims. These videos, often featuring AI-generated news anchors and fabricated breaking news, falsely accuse victims of criminal behavior by displaying manipulated images and personal details. The scam usually follows initial romance or sextortion schemes, where the criminals obtain compromising material from their targets. 

The Data Broker Connection 

According to the United States Secret Service, romance scammers spend a ton of time learning about their victims before approaching them.

“They will figure out exactly what makes you happy, what makes you sad, what you need. And they will use that,” said the Head of Berkshire Bank’s Security and Fraud Investigations Unit, Tina Martin.

This kind of research isn’t hard, either. It typically involves going through your social media, but data broker profiles can be a big help, too. Many people search sites even list individuals’ dating profiles.

Personalized Sextortion Can Target Anyone

“You’ve been a bit careless lately, scrolling through those filthy videos and clicking on links, stumbling upon some not so-safe sites.” 

Most people have received a message like that at some point. 

They’re pretty common and always end with the scammer saying they have images or videos of you (or have extracted other information from your device) and that if you don’t pay, they’ll expose you.

Pretty standard. Pretty obvious.

Except now, scammers have taken it up a notch. They include your personal information in these emails, and sometimes even images of your home, according to researchers at the cybersecurity company Cofense. 

Suddenly, these messages seem much more believable. 

We’d Love to Hear Your Privacy Stories, Advice and Requests

Do you have any privacy-related dating app experiences you’d like to share? Have you ever been targeted with a romance scam? And how did you spot it for what it was? 

Also, do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito going forward? 

Don’t keep them private!

We’d really love to hear from you this year. Drop me a line at laura.martisiute@joindeleteme.com.  

I’m also keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

Google Play Store Launches ‘Verified’ Badge for Secure VPN Apps

Google Play Store now features a “Verified” badge highlighting VPN apps meeting strict security and privacy standards. To earn the badge, apps must pass a Mobile Application Security Assessment, have at least 10,000 installs and 250 reviews, and follow rigorous data collection and security protocols. 

Teen Therapy Site Leaks Visitor Data to TikTok, Meta, Snap

A telehealth company providing free online therapy to NYC teens was found to be leaking data from its teen mental health websites via tracking pixels that sent visitor information to platforms like TikTok, Meta, and Snap. Privacy advocates and parent groups raised concerns that these trackers exploited vulnerable teens and potentially violated the city’s contract. 

Mobile Phishing Attack Impersonates USPS

A mobile phishing campaign impersonating USPS, which uses obfuscation techniques to disguise malicious PDFs that steal credentials on mobile devices, has been discovered. The campaign has produced over 630 phishing pages and more than 20 malicious PDFs, targeting organizations in over 50 countries. 

Authorities Shut Down Hacking Forum That Impacted 17 Million Americans 

A hacking website called Cracked.io, where criminals bought and sold stolen login details, was shut down by law enforcement. The site sold stolen logins, malicious software tools, and hacked databases and impacted at least 17 million people from the US. In one case, a hacker used the stolen information to harass a woman online. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: Is there any reason to worry about privacy if collected information is “aggregated”? I’ve seen this term in a few privacy policies now. 

A: Unfortunately, yes. There is reason to worry, at least a little bit. 

While collecting and using aggregated data is generally seen as alright legally (for example, both the California Consumer Privacy Act and the California Privacy Rights Act allow businesses to collect, use, retain, sell, share, or disclose this kind of data), that doesn’t mean your privacy is 100% guaranteed. 

There is always the risk of re-identification if aggregate data is combined with other data points. 

Each individual data point may not be unique enough to identify someone. However, if you collect several aggregated data points, like age, location, and specific behavioral patterns, the combination of these data points can be unique to an individual. 

For example, a person might be the only 30-year-old in a small town who exercises at a particular time of day. Even though each attribute is non-identifying by itself, together they can pinpoint a single person.

For real-life proof, look to the fitness app Strava. 

In 2023, it was found that despite anonymization efforts, the app’s heatmap feature – which aggregates user data – could, under certain conditions, be exploited to infer personal information. 

Q: Is writing down passwords ever OK?

A: Depends on who you ask. 

Some people say writing down passwords is totally fine for most people. Others say it’s the worst thing you could do. Then some say it’s the best thing you can do. 

So, which is the correct answer? 

I like the advice that Leo of “Ask Leo!” gives. 

He says not to write down passwords. But not because someone could access them. 

Rather, he says that if you have to reach for a piece of paper any time you want to log into an online account and then enter the password while looking at the written copy, you’re much more likely to choose weaker passwords and reuse them. 

The only exception, according to him, is to use a passphrase (we’ve talked about these before, but basically, a passphrase is a string of unrelated words) and keep the piece of paper with it under lock and key. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.