Banking Exchange Magazine Logo

Love still stinks

Beware of new twist on “sweetheart scam”

  • |
  • Written by  Craig Priess, Guardian Analytics
Love still stinks

The Sweetheart Scam, one of the oldest schemes ever for defrauding someone of their money, is seeing a resurgence in popularity, thanks to new banking technologies.

It is a sad but familiar story for fraud investigators to hear poor lovesick victims describe how they were romanced online; received deposits from and forwarded cash to their new best friend; and, once the transaction was complete, never heard from their fake paramour again.

A promise of payment may sometimes be offered, turning the initially love-struck victim into a willing accomplice. However in most romance-related scams, promises of love and a new life together often substitute for any monetary gain by these victimized mules.

Overview of the scam

Victims are romanced on online dating sites or social media networks.

Once the scammer has hooked a lonely-heart, they ask the victim to help with completing a financial transaction exploiting online banking and newer technologies such as mobile banking and remote deposit capture (RDC).

These seductive scammers often use a contrived set of circumstances to explain why they need access to the victim’s account. Victims receive stolen funds deposited into their legitimate bank account, and then forward them to an account controlled by the criminal. Fraud investigators have noted that this is a worldwide fraud scheme, originating in countries across the globe.

Details of a sweetheart fraud

Here are the steps by which the new age Sweetheart Scam targets an unsuspecting victim:

1. The criminal forms a relationship with the unwitting accomplice-to-be via an online dating site or social network.

While anyone can be victimized, these schemes typically target the elderly or the young, who are more trusting.

2. Once winning the confidence of the victim, the fake paramour asks for online banking access, using a sob story or simply asking for help (e.g. needing to pay a business for goods received).

In some cases, instead of providing access to their existing account, the victims open a new account at a financial institution specified by the criminal.

3. The criminal sets up mobile banking for the account, typically including the ability to use a mobile device for remote deposit capture.

If he is unsuccessful, he asks the victim to set up the new services, providing guidance as needed to ensure the victim is successful with this important step of the scheme.

4. The scammer moves the money into the victim’s account.

He might use RDC to make a deposit, often using stolen, counterfeit, or cashier’s checks, or sends a check via overnight delivery. Another tactic is to have the victim add “the sweetheart’s account”—actually yet another victim’s compromised account—and then have the victim use online banking to transfer funds from this new account into their own account.

5. Wait for the check to clear.

The criminal uses online banking to check the account to see when the deposit has cleared, often checking frequently so that he can quickly complete the scam.

6. There are three variations for getting the money out.

• The criminal asks the victim to send him a debit card, enabling the scammer to cash out at an ATM and eliminating the need for the victim’s handling of any money. This variation may be harder to detect because the victim likely is unaware of how the criminal is using the compromised account.

• The criminal asks the victim to send him the deposited money, usually via a wire transfer or by using their ATM or debit card to retrieve the cash and send it to the fraudster using a third-party money transfer service.

• Either the criminal or the victim uses online banking to transfer funds into an account controlled by the scammer.

Observations and trends

This scheme is an example of how proven fraud schemes never disappear; they get reinvented with new variations or, in this case, new technologies.

While still preying on people’s loneliness, the modern Sweetheart Scam weaves together online dating, social media, online banking, mobile banking, and remote deposit capture to create a successful scheme that can be executed from anywhere in the world.

As financial institutions continue to add innovative banking capabilities, they must also revisit fraud prevention systems, knowing that the criminals will always find creative ways to turn the new services against them.

How to stop the Sweetheart Scam

Here are some guidelines for detecting and preventing the Sweetheart Scam:

Scrutinize users of any new service.

First-time use of a new service such as RDC or mobile banking, by even legitimate account holders, is worthy of closer scrutiny. This especially is true for users whose profile doesn’t conform to the typical user of the service. Examples include the elderly customer suddenly needing mobile capability or younger users with infrequent deposits suddenly requiring RDC.

Monitor the source of RDC activity.

In this scheme, the criminal uses RDC to make the deposits, so the location from which the deposits are made and the IP address will likely be inconsistent with what is typical for the victim.

Flag any unusual deposit patterns.

Established banking customers usually will have a routine pattern for the timing and amounts of their deposits. Take a closer look at sudden increases in the number of deposits, deposit activity with unusual timing, or deposits totaling unusual amounts.

Monitor new mobile accounts with immediate activity.

The Sweetheart Scam relies on the participation of the victims to act as money mules—unwitting or otherwise. In many cases new accounts are established expressly for the purpose of moving fraudulent funds. Look for quick-turn transactions both in and out of new accounts.

Look for anomalous online banking activity.

How and when the criminal accesses the account and his online activity may be inconsistent with victims’ typical behavior. Look for a different IP address, an unusual time of day, or accessing via a new ISP, and unusual activity, such as setting up new features like RDC, frequently checking account balances, and initiating transfers.

Review new account openings.

Look for new accounts opened by existing account holders, with no obvious reason for needing the new account, followed by substantial deposits.

Go beyond a simple confirmation of the transaction.

When speaking to account holders about these suspicious activities, ask questions that will help uncover if the client is being victimized without their knowledge. For example, ask where the funds are going, for whom, and for what purpose.

About the author

Craig Priess is founder and vice-president, products, at Guardian Analytics.

back to top


About Us

Connect With Us



Belt and Suspenders

Date/Time: October 19, 2:00 CT / 3:00 ET

How Multiple Layers of Defenses Work Together to Keep Your Bank Covered

Cyber threats and attack vectors are ever-changing, especially due to the current geopolitical climate and distribution of data. Financial institutions remain attractive targets for cyber criminals due to the amount of sensitive data they hold. Join CSI’s Director of Product Strategy, Sean Martin, for his insight into why and how institutions should embrace a holistic cybersecurity approach to strengthen their defenses against these evolving threats. You’ll learn: 


This webinar is brought to you by:
OneSpan logo