Naked Security

Match knowingly puts people at risk from scammers, FTC charges

Match.com allegedly put users on its free version at risk - by not filtering out communications that it knew were from fake accounts.

Did you know that between 2013 and at least mid-2018, between 25% and 30% of profiles on dating site Match.com were reportedly fake?

As in, those “people” weren’t looking for love – they were looking to shake down legitimate subscribers, signing up just so they could run romance scams, phish people’s personal information, push dubious or unlawful products or services, or run extortion scams…?

Well, Match.com – the biggest online dating site in the US – most certainly knew, the Federal Trade Commission (FTC) alleges in a lawsuit it filed on Wednesday.

According to the complaint, in some months between 2013 and 2016, more than half of the IMs and favorites that consumers received came from accounts that Match had identified as phony.

Match used those fake dates to lure non-subscribers into signing up, the complaint alleges. As it is, anybody can sign up for free, including con artists, but you have to pay to respond to messages from other users who hit you up with likes, favorites, IMs or emails.

How can you resist? Who doesn’t want to be able to respond to some yummy looking thing who bothered to reach out to you?

Millions of messages from predators

The (big) problem, the FTC alleges: Match knew the messages were coming from scammers. Match filtered out messages from bogus accounts that were sent to paying subscribers, the regulator says, but it let those tantalizing, and risk-filled, messages fly free when they were sent to non-subscribers.

So not only was it luring non-subscribers into ponying up for a subscription, it was also needlessly putting them at risk of being victimized, the FTC claims:

Millions of contacts that generated Match’s ‘You caught his eye’ notices came from accounts the company had already flagged as likely to be fraudulent. By contrast, Match prevented existing subscribers from receiving email communications from a suspected fraudulent account.

Hundreds of thousands paid to get in touch with scammers

As the FTC complaint tells it, hundreds of thousands of people signed up to Match.com shortly after receiving communications from these fake profiles. From the court document:

From June 2016 to May 2018, for example, [Match’s own] analysis found that consumers purchased 499,691 subscriptions within 24 hours of receiving an advertisement touting a fraudulent communication.

When people subscribed in order to read these messages, one of two things would happen, neither of them good, the complaint said: either they’d get into a conversation with a scammer’s bogus profile, or they’d receive a notification saying that the profile that messaged them was “unavailable.”

That outcome depended on whether somebody subscribed before or after Match completed its fraud review process. If it was before, then the new subscriber got to see the scammer’s communication. If it was after the fraud review, the profile was listed as “unavailable.”

However, the FTC alleges, many times, Match hasn’t bothered to let people know that the Match.com users contacting them had their profiles yanked because there was a high likelihood that those users were fraudsters.

“Dating” for dollars

It would be nice to assume that anybody who’s using online dating these days knows that they’re targets. Unfortunately, that’s far from accurate: many people fall prey to scammers on dating sites.

Last month, for example, the US Department of Justice (DOJ) unsealed a 252-count, 145-page federal indictment charging 80 defendants with conspiring to steal millions of dollars through online frauds (including romance scams) that targeted businesses, the elderly and women.

Romance scams were just one of the swindles that the criminal network used, but they were one of the most profitable. In one case, a Japanese woman was bled of hundreds of thousands of dollars after meeting a fraudster who told her they were a captain in the US Army who wanted her to help smuggle diamonds out of Syria.

These types of romance scams are surging, the FBI has warned. In August 2019, the FBI’s online crime division – the Internet Crime Complaint Center (IC3) – issued a warning about the rising number of faux lover-boys and -girls who are turning to online dating sites to run romance or confidence frauds. Besides talking marks into sending money, a rising trend for these con artists is to try to talk them into becoming money mules or drug runners, the FBI said.

We’ve seen plenty of these scams in past years: FBI numbers show that in 2018, more than 18,000 people filed complaints with the IC3 alleging that they were victims of romance/confidence frauds, and they reported losses of more than $362 million, making it the second costliest type of scam.

Selective fraud-flagging?

In spite of how very real the danger is, and how very effective the scams are, Match let these convincing, conniving crooks through, the FTC alleges. Selectively, that is.

The complaint says that between 2013 and mid-2018, Match delivered email communications from fraud-flagged users to non-subscribers while filtering them to keep them away from subscribers until the site finished its fraud review:

If, for example, a user [Match] flagged as potentially fraudulent had sent three emails to subscribers and three emails to nonsubscribers, [Match] would have withheld the three emails sent to subscribers until its fraud review was complete while allowing the three emails sent to nonsubscribers to reach their recipients.

Without this practice, the vast majority of these fraud-flagged Match.com users would never have been able to contact their intended recipients: between June 2016 and the beginning of May 2018, for example, approximately 87.8 percent of accounts whose messages [Match] withheld were later confirmed … to be fraudulent.

Not the first lawsuit

This isn’t the first we’ve heard of these allegations. In May 2018, a class action lawsuit was filed against Match parent company Match Group LLC, alleging that more than half of Match.com profiles are fake and are used to entice new members.

The FTC’s suit is seeking permanent injunctive relief, for the company’s contracts to be redone or rescinded, and for people to get their money back.

Match: The FTC’s making “outrageous claims”

The Verge reports that Match.com CEO Hesam Hosseini sent an internal email to executives on Wednesday morning that rejected the FTC’s allegations. From that email:

The FTC will likely make outrageous allegations that ignore all of Match’s efforts to prioritize the customer experience, including our efforts to combat fraud.

In the email, Hosseini said what the company went on to say in a statement in response to the lawsuit: that the company catches and neutralizes 85% of fraudulent accounts within the first 4 hours of their creation, “typically before they are even active on the site,” and that 96% of improper accounts are ferreted out within a day.

Match also maintains that the FTC has “misrepresented” internal emails and relied on “cherry-picked data” to make “outrageous claims.”

Hosseini also argued in the internal email that the accounts that the FTC defines as fraudulent aren’t related to scams but rather are the product of bots, spam, and people trying to sell a service on the dating site.

I believe the FTC has fundamentally misunderstood our work here, and we intend to fight any allegations.

Other complaints from the lawsuit

The FTC is also alleging that Match deceived people into subscribing by promising them a free six-month subscription if they didn’t “meet someone special.” It neglected to tell customers that they had to jump through a few hoops to get that free six months, though, the complaint says.

The FTC also claims that Match made canceling subscriptions very tough: it requires more than six clicks, according to the complaint. The company also allegedly locked people out of their accounts after they disputed charges, even if they lost their dispute and had time remaining in their subscription.
