The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Romance scammers are ready to ruin Valentine’s Day

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! Fun fact: Those chalky candy hearts exchanged today nearly disappeared after the company that produces them went out of business in 2018. The maker of Dum Dum lollipops bought and revived the brand

Below: A Missouri prosecutor won't charge a journalist accused by the governor of hacking, and CISA wants to delay releasing a report on vulnerabilities in Georgia's voting machines. 

Romance scams have more than doubled from two years ago

This Valentine’s Day, there has never been a more precarious time to look for love online. 

Romance scams — in which fraudsters prey on people looking for relationships on the Internet and bilk them out of money — have skyrocketed in recent years, resulting in heartache and massive financial losses. 

The scams represent one of the ugliest forms of Internet crime — targeting vulnerable individuals rather than companies and victimizing their hearts in addition to their pocketbooks. The victims are often elderly and lonely, devastated by both the emotional and the financial damage. 

“Victims at the end of a romance scam can feel manipulated. Families, relationships, marriages can be torn apart and the toll that one of these scams can take is devastating,” FBI Supervisory Special Agent Keith Custer said in an FBI education campaign on the topic. 

The damage:

  • The Federal Trade Commission (FTC) received 56,000 reports about romance scams in 2021 from victims who were conned out of nearly $550 million.
  • That’s more than double the 25,000 complaints and $200 million lost to romance scams in 2019 — a growth that was probably spurred by the increasing isolation of the pandemic and a shift to looking for connections online.

Victims lost about $2,400 to such scams on average, but the financial toll can be far greater. Here’s an interview the FBI's Baltimore field office conducted with Angie Kennard, whose father was scammed out of roughly $700,000, effectively wiping out his savings. 

Romance scams have traditionally been pretty simple. 

The fraudster meets his or her victim on a dating or social media app, typically using a fake identity and phony photos. The fraudster gets the victim to fall for him or her, often by using some Internet sleuthing to find out what traits the victim will find most appealing — all while offering seemingly plausible reasons they can’t meet in person. 

Eventually, the fraudster begins asking for money because of health or financial setbacks or to overcome some bureaucratic hurdle. 

  • One example: Cindy Browne, who shared her story with the Canadian Broadcasting Corp. before Valentine’s Day, fell for a man who claimed to be a pilot based in Jordan. He claimed he was sending her an expensive gift that required her to pay $1,500 in duties to a courier service. 
  • By the time Browne got wise, he had conned her out of $26,000. 

More recently, romance scammers have started branching out. 

In 2021, many scammers duped their love interest into investing in bogus business opportunities or cryptocurrency, the FTC said. 

Because of anonymity built into the cryptocurrency system, it’s much harder for law enforcement to trace or recover those funds.

Roughly $139 million of the money victims reported paying to romance scammers in 2021 was in cryptocurrency, the FTC said. That’s five times the amount reported in 2020 and 25 times the amount reported in 2019.

On the brighter side: I asked on Twitter for any cyber love stories to offset the depressing stuff on Valentine's Day. 

Erica Lonergan (nee Borghard), an assistant professor at the Army Cyber Institute at West Point, shared the story of meeting her husband, Shawn Lonergan, who was then an active-duty military officer focused on cyber operations and now a senior director in the cyber practice at PwC. 

Their relationship began professionally when they were both teaching at West Point and began collaborating on articles. “There was this really interesting synergy between his experiences in offensive cyber and my research on how states work in ambiguous, plausibly deniable relationships with nonstate actors to achieve strategic ends,” she wrote.

After their relationship turned romantic, they continued to collaborate professionally, including stints working together at U.S. Cyber Command and as staff members on the Cyberspace Solarium Commission

“Cyber is so intertwined in our relationship that Shawn proposed to me at the Naval War College in the summer of 2019 during a cyber war game that we are both participating in,” Erica wrote. “And we had our (tiny, outdoor) Covid wedding at West Point in October 2020, taking us full circle back to where we first started to work together.” 

Here’s another cyber love story from Daniel Hückmann, a Portland, Ore.-based cyber pro:

And from Nicole Perlroth, a cyber consultant and former New York Times cybersecurity reporter: 

The keys

A prosecutor declined to charge a Missouri journalist whom the governor accused of hacking

Prosecutor Locke Thompson (R) effectively said it would be a waste of taxpayer money to prosecute St. Louis Post-Dispatch journalist Josh Renaud for potentially breaking Missouri hacking laws. 

Renaud discovered a flaw in a state website that exposed the Social Security numbers of more than 100,000 teachers. The newspaper notified state officials and gave them time to fix it before publishing a story, which is common practice for cyber pros. State officials initially planned to thank Renaud for alerting them about the vulnerability, but Missouri Gov. Mike Parson (R) switched course in October, accusing Renaud of “hacking” the site. 

Thompson noted that there was “an argument to be made that there was a violation of law,” the Post-Dispatch’s Kurt Erickson reports. The decision ends a months-long ordeal for Renaud, who called it “a political persecution of a journalist.” 

The case has highlighted how outdated computer laws can criminalize innocuous behavior. Although Thompson decided not to bring charges, the episode could have a “chilling effect” on those who find software vulnerabilities in the state, Renaud said, arguing that he is “concerned that the governor’s actions have left the state more vulnerable to future bad actors.” 

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly praised Renaud:

Israel’s spy agency used Pegasus spyware

Officials from the Mossad asked NSO employees to hack phone numbers for them, NSO employees told Haaretz’s Chaim Levinson. It’s not clear why the spy agency — which has its own hacking tools — would choose to use NSO spyware.

“One possibility is that the Mossad was having trouble hacking a particular phone with its own tools for some reason,” Levinson writes. “Another is that it was engaged in unofficial intelligence gathering.”

Former Mossad director Yossi Cohen’s subordinates “displayed great interest” in NSO’s hacking capabilities, Levinson writes. After Cohen retired in June, Mossad Director David Barnea “distanced the agency from the company and curtailed the Mossad’s involvement in regional intrigues,” Levinson writes.

Mossad officials also attended meetings between NSO and officials from Saudi Arabia and Angola, Levinson reports. At the meetings, NSO spyware was offered as a “sweetener” in exchange for an improvement in the countries’ diplomatic relations with Israel, he reports.

More NSO news: Prosecutors told a court this past weekend that Israeli police found no illegal use of hacking tools against witnesses in the corruption trial against former prime minister Benjamin Netanyahu, the Associated Press reports. Netanyahu’s son and a key witness in the trial were targeted with the spyware, the Israeli newspaper Calcalist reported

Another investigation: Prosecutors in Bulgaria are looking into whether Pegasus was illegally used to hack Bulgarian citizens, they said. NSO, which has an office in Bulgaria, has received product licenses from authorities in the country, as well as Cyprus and Israel. Bulgaria is a member of the European Union, whose European Parliament is set to launch an investigation into NSO as early as this week.

CISA asked a judge to withhold a report on voting machine flaws

The cybersecurity agency is reviewing the report and wants time to investigate and mitigate the “multiple severe security flaws” that University of Michigan professor J. Alex Halderman says he found on Dominion voting machines used in Georgia, the Associated Press’s Kate Brumback reports

The report was created as part of a years-long lawsuit that argues Georgia’s electronic voting machines should be scrapped in favor of hand-marked paper ballots, which are preferred by many cybersecurity advocates. 

Premature disclosure of the report could “assist malicious actors and thereby undermine election security,” CISA said in a court filing.

That could delay when the report is shared publicly. “Plaintiffs in the case, who are election security advocates and individual voters, have for months called for the release of a redacted version of the report and urged that it be shared with state and federal election security officials,” Brumback writes. “Lawyers for the state had repeatedly objected to those requests,” but last month, Secretary of State Brad Raffensperger (R) called for its release.

Chat room

The San Francisco 49ers are the latest ransomware victim, the Record’s Catalin Cimpanu reports. The timing of the hack — on Super Bowl weekend — didn’t go unnoticed. The Record’s Andrea Peterson:

Jeremy Miller, executive director of enterprise architecture at the Kentucky Community and Technical College System:

SearchSecurity’s Shaun Nichols:

Government scan

Mueller declined to charge Trump Jr. with misdemeanor hacking offense

Donald Trump Jr. used a password shared by WikiLeaks to access a website without authorization, a likely violation of the Computer Fraud and Abuse Act, according to a newly unredacted portion of Robert Mueller’s report obtained by BuzzFeed News’s Jason Leopold and Anthony Cormier. 

Mueller opted against charging the former president’s son. He cited the fact that “Trump Jr. did not himself initiate the plan to access the website or guess the password, the absence of evidence that his acts caused any damage to the website or obtained valuable information, the technical nature of the violation and the minimal punishment that a misdemeanor conviction could be expected to carry in these circumstances.”

The IRS directed 7 million Americans to sign up with face-scan service, according to congressional letter (By Cat Zakrzewski)

National security watch

C.I.A. is collecting in bulk certain data affecting Americans, senators warn (New York Times)

Global cyberspace

Pegasus scandal: Experts say ‘90 percent chance’ phones of ex-finance ministry officials hacked (Haaretz)

The Canadian ‘Freedom Convoy’ is backed by a Bangladeshi marketing firm and right-wing fringe groups (Grid)

Industry report

Former spy chief urges UK to ‘strain every sinew’ to keep Arm in London (Financial Times)

Cyber insecurity

Meet the ‘Crocodile of Wall Street’ rapper accused of laundering billions of dollars in crypto (María Luisa Paúl)


  • Cybersecurity firm Dragos hosts a webinar with NSA and CISA officials to discuss industrial control system cybersecurity today at 1 p.m.
  • The R Street Institute holds an event on Black professionals in the cybersecurity workforce on Wednesday at 1 p.m.
  • The Institute for Critical Infrastructure Technology hosts a webinar on critical infrastructure technological recommendations on Wednesday at 5 p.m.
  • The U.S.-China Economic and Security Review Commission meets to discuss China’s cyber capabilities on Thursday at 9 a.m.

Secure log off

Thanks for reading. See you tomorrow.