{"id":10157,"date":"2026-01-27T04:03:33","date_gmt":"2026-01-27T04:03:33","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/27\/32650\/"},"modified":"2026-01-27T04:03:33","modified_gmt":"2026-01-27T04:03:33","slug":"32650","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/27\/32650\/","title":{"rendered":"Initial Stages of Romance Scams [Guest Diary], (Tue, Jan 27th)"},"content":{"rendered":"\n
Initial Stages of Romance Scams [Guest Diary], (Tue, Jan 27th)<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

[This is a Guest Diary by Fares\u00a0Azhari, an ISC intern as part of the SANS.edu\u00a0BACS<\/a>\u00a0program]<\/p>\n

Romance scams are a form of social-engineering fraud that causes both financial and emotional harm. They vary in technique and platform, but most follow the same high-level roadmap: initial contact, relationship building, financial exploitation. In this blog post I focus on the initial stages of the romance scam ? how scammers make contact, build rapport, and prime victims for later financial requests.<\/p>\n

I was contacted by two separate romance scammers on WhatsApp. I acted like a victim falling for their scam and spent around two weeks texting each one. This allowed me to observe the first few phases, which we discuss below. I was not able to reach the monetization phase, as that often takes months and I could not maintain the daily time investment needed to convince the scammers I was fully falling for it.<\/p>\n

The scammers claimed to be called ?Chloe? and ?Verna?. We use these names throughout to differentiate their messages. Snippets from each are included to illustrate the phases, along with my precursor or response messages.<\/p>\n

Phase 1: Initial contact<\/h2>\n

Both conversations began the same way ? the sender claimed they had messaged the wrong person.<\/p>\n

Verna:<\/strong><\/p>\n

\"\"<\/p>\n

Chloe:<\/strong><\/p>\n

\"\"<\/p>\n

That ?wrong-number? ruse is low effort and high reward. It gives the out-of-the-blue message a plausible reason, invites a short helpful reply, and lowers suspicion. Two small but useful fingerprints appear immediately: random capitalization and awkward grammar. These recur later and help identify when different operators are involved.<\/p>\n

Phase 2: The immediate hook<\/h2>\n

If you reply politely, the scammer usually responds with an over-the-top compliment:<\/p>\n

Verna:<\/strong><\/p>\n

\"\"<\/p>\n

Chloe:<\/strong><\/p>\n

\"\"<\/p>\n

These short flattering lines serve as rapid rapport builders ? they feel personal and disarming.<\/p>\n

Phase 3: Establishing identity and credibility<\/h2>\n

After a few messages, both claimed to be foreigners working in the UK:<\/p>\n

Verna:<\/strong><\/p>\n

\"\"<\/p>\n

When asked what she does for a living:<\/em><\/p>\n

\"\"<\/p>\n

When asked to explain her job:<\/em><\/p>\n

\"\"<\/p>\n

Chloe:<\/strong><\/p>\n

\"\"<\/p>\n

When asked how COVID affected her life:<\/em><\/p>\n

\"\"<\/p>\n

When asked about her job:<\/em><\/p>\n

\"\"<\/p>\n

When asked what made her choose business:<\/em><\/p>\n

\"\"<\/p>\n

Both claim the same job ? Business Analyst<\/strong> ? which later supports credibility when discussing investments. Claiming to be foreigners explains grammatical errors and factual mistakes about the UK. Notably, job descriptions are long and well-written, lacking earlier quirks ? suggesting prewritten, copy-pasted content. This points to a playbook: flatter the target, establish credibility with occupation and location cover, then use scripted replies where legitimacy matters.<\/p>\n

Phase 4: The hand-off<\/h2>\n

After a few days of texting, both explained they were using a business number and asked to move to a ?personal? one:<\/p>\n

Verna:<\/strong><\/p>\n

\"\"<\/p>\n

After I said it didn?t bother me to switch:<\/em><\/p>\n

\"\"<\/p>\n

Chloe:<\/strong><\/p>\n

\"\"<\/p>\n

After the switch:<\/em><\/p>\n

\"\"<\/p>\n

The excuse is plausible and low-friction. Once texting the new number, writing style often changes ? a strong sign of a hand-off to a different operator or team focused on long-term grooming.<\/p>\n

Phase 5: The grooming phase (signs of a different operator)<\/h2>\n

The writing style shift is clear on the new numbers:<\/p>\n

Verna:<\/strong><\/p>\n

When asked if she made friends at work:<\/em><\/p>\n

\"\"<\/p>\n

When asked to share a steak recipe:<\/em><\/p>\n

\"\"<\/p>\n

Chloe:<\/strong><\/p>\n

When asked what languages she speaks:<\/em><\/p>\n

\"\"<\/p>\n

When asked about her studies:<\/em><\/p>\n

\"\"<\/p>\n

When asked about work stress:<\/em><\/p>\n

\"\"<\/p>\n

Responses show weaker English: more basic grammar errors, shorter sentences, quicker replies, daily ?Good morning? routines, and frequent (likely stolen or AI-generated) photos. These changes strongly indicate a hand-off.<\/p>\n

Phase 6: Credibility building<\/h2>\n

By the second week both began describing financial success and sent images of cars, apartments, gym visits, and meals to build trust:<\/p>\n

Verna:<\/strong><\/p>\n

Pictures sent when asked about her side hustle:<\/em><\/p>\n

\"\" \"\"<\/p>\n

When asked if investments are high risk:<\/em><\/p>\n

\"\"<\/p>\n

When asked how she chooses investments:<\/em><\/p>\n

\"\"<\/p>\n

Photo sent saying she finished work (face covered):<\/em><\/p>\n

\"\"<\/p>\n

Chloe:<\/strong><\/p>\n

When asked about plans for her 30s:<\/em><\/p>\n

\"\"<\/p>\n

When asked about foundations\/programs:<\/em><\/p>\n

\"\"<\/p>\n

Property photo (Australia):<\/em><\/p>\n

\"\"<\/p>\n

Both positioned themselves as successful investors with diversified portfolios ? building trust for future proposals. The wealth, charity, and expertise narratives emotionally prime the target. Direct money requests usually come much later, after deep emotional commitment.<\/p>\n

Practical advice for readers<\/h2>\n