Romance Scam: How It Works, Red Flags, and How to Detect It

**

What is Romance Scam?

Romance scam, also known as pig butchering from the Mandarin criminal slang "sha zhu pan," is a fraud typology in which organized criminal networks build fake emotional relationships with victims online, then manipulate them into transferring money to fraudulent investment platforms or overseas accounts. It falls into the fraud category of financial crime, though the downstream money movement typically involves money mule networks and multi-hop layering structures.

The scale is significant. The FBI's Internet Crime Complaint Center received 19,021 romance scam complaints in 2023, with reported losses of $652 million. The real figure is higher. The Global Anti-Scam Organization (GASO) estimates fewer than 5% of victims report, because shame and disbelief prevent disclosure. The UK's National Fraud Intelligence Bureau recorded parallel trends, with authorized push payment fraud linked to romance scams rising year-on-year.

Victims aren't exclusively elderly or unsophisticated. IC3 data consistently show the highest-loss demographic is 30 to 49. Pig butchering operations specifically target high-income professionals: investors, engineers, and executives hold larger accounts and respond to investment framing.

The criminal operations behind these schemes are large-scale enterprises. Interpol and Europol investigations have confirmed that many call centers operate in Myanmar, Cambodia, and Laos, inside special economic zones with limited law enforcement access. Workers are frequently trafficking victims themselves, recruited under false job offers and held against their will. A victim sending $50,000 abroad isn't sending money to an opportunistic fraudster; they're funding a criminal enterprise with human trafficking at its core.

The financial institution is often the only viable intervention point. By the time a victim reports to law enforcement, funds have already moved through multiple wallets and accounts across several jurisdictions. Early detection at the bank or exchange is the difference between stopping a loss and filing a SAR after the fact.

How does Romance Scam work?

The pattern follows five consistent phases.

Phase 1: Contact. The criminal initiates contact through dating apps, social media, LinkedIn, or a "wrong number" text message. The profile uses stolen or AI-generated photographs and a fabricated identity, typically posing as a successful professional living abroad. Singapore, Hong Kong, and major U.S. cities are the most common cover identities used in Southeast Asia-run operations.

Phase 2: Trust-building. Over days to weeks, the criminal invests in daily conversation, emotional support, and manufactured intimacy. There's no financial ask during this phase. The goal is to migrate the victim off the original platform to WhatsApp or Telegram, where the app's fraud reporting tools don't reach.

Phase 3: The lure. The criminal mentions a high-yield investment opportunity, framed as a family trading secret or insider access to a crypto platform. That platform is controlled by the criminal network. Early "investments" generate visible profits on a fake dashboard, and the victim is encouraged to withdraw a small amount to build confidence.

Phase 4: The slaughter. Persuaded by apparent returns, the victim invests larger sums. They may liquidate savings, take personal loans, or borrow from family. When they try to withdraw, the platform demands "fees," "taxes," or "insurance deposits." These are additional theft. No withdrawal ever happens.

Phase 5: Money movement. Victim funds move rapidly through crypto wallets, often via chain hopping and cryptocurrency mixer laundering, before being converted to fiat in jurisdictions with limited asset tracing capability. The full cycle from victim transfer to clean cash can take under 48 hours.

Illustrative scenario: A retail bank customer aged 42, with a monthly transaction average of $800, begins purchasing cryptocurrency through a linked account. Over six weeks, purchases escalate: $2,000, then $5,000, then $8,000, then $15,000. The customer contacts the fraud team twice to dispute holds, stating the transfers are personal investment decisions. A compliance analyst reviewing the case notes no prior crypto activity, a single new payee at an overseas exchange, and two overridden fraud alerts. The bank files a SAR and contacts the customer directly. By then, $31,000 has left the account.

Red flags and indicators

We've found that no single indicator is conclusive. Detection requires looking at multiple signal types simultaneously.

Transaction-level signals

• Large outbound wire transfers or crypto purchases from accounts with no prior cross-border transfer history
• Transfer amounts escalating over 2-8 weeks, each one larger than the last
• Multiple payment methods funding the same crypto exchange within a short window
• Funds withdrawn from savings or retirement accounts to support outbound transfers

Account-level signals

• Previously dormant account suddenly initiating high-value outbound transfers
• Customer overrides fraud alerts and contacts service teams to explain why the transfer is legitimate
• No prior crypto history, but two or more exchange accounts opened within a few weeks
• All new outbound activity concentrating on a single recently added beneficiary

Network-level signals

• Beneficiary wallets or accounts linked to known romance scam mule infrastructure
• Multiple unrelated customers sending funds to the same wallet address or account
• Receiving accounts that empty and forward funds within hours, consistent with layering
• Beneficiary entity recently incorporated with no visible commercial activity in a high-risk jurisdiction

Behavioral signals

• Customer becomes distressed or evasive when asked about transfer purpose
• Customer mentions an online contact they have never met who introduced an investment opportunity
• Customer service transcripts include phrases: "trading platform," "my friend abroad," "guaranteed returns"
• Repeated attempts to complete a blocked transfer across multiple service channels

Notable real-world cases

FinCEN Alert FIN-2023-Alert005 (2023). The Financial Crimes Enforcement Network issued a specific alert on pig butchering schemes in September 2023, citing FBI IC3 data showing more than $3.3 billion in victim losses in 2022. The alert lists specific red flags and requires financial institutions to file SARs using the keyword "FIN-2023-Alert005" to enable law enforcement aggregation across institutions. FinCEN Alert, September 2023.

DOJ Operation Level Up (2024). The U.S. Department of Justice and Homeland Security Investigations disrupted multiple pig butchering networks and recovered approximately $6 million in victim funds through civil asset forfeiture of seized cryptocurrency wallets. The operation confirmed that criminal call centers in Southeast Asia run these schemes industrially, often staffed by trafficked workers. DOJ press release, 2024.

Europol and Interpol Operation HAECHI-IV (2023). A 34-country operation resulted in 3,500 arrests and the freezing of $82.1 million linked to online fraud, with pig butchering among the primary typologies identified. The operation confirmed that romance scam proceeds move through decentralized finance laundering structures specifically to frustrate cross-border tracing. Europol press release, November 2023.

FBI IC3 2023 Internet Crime Report. The FBI's annual report recorded $652 million in romance scam losses for 2023, with the 30-49 age cohort reporting the highest aggregate losses. The report specifically notes that victims are frequently not identified until after multiple transfers have already cleared. FBI IC3 Annual Report 2023.

How to detect Romance Scam

Detection requires combining transaction monitoring with behavioral and network signals. Victims authorize their transfers willingly, so rules designed to catch unauthorized transactions won't fire here.

Rule-based detection covers the baseline. Threshold alerts should trigger for large outbound wires or crypto purchases from accounts with no prior cross-border transfer history. Velocity checks should flag amounts escalating in a staircase pattern over 30-60 days. A separate rule should alert when multiple customers route funds to the same beneficiary account or wallet address.

Behavioral analytics adds the account-level view. Peer-group comparison models score customers whose transfer behavior deviates sharply from their cohort. A customer with an established domestic spend pattern who suddenly initiates five-figure international wires is a clear anomaly, even if no individual transaction crosses a reporting threshold. Friction-point scoring (how many times a customer bypassed a fraud warning) adds a behavioral risk dimension that doesn't depend on transaction size alone.

Network graph analysis is the most powerful tool for identifying organized criminal infrastructure. When two or more victims route funds to the same wallet or account, the convergence appears in a network graph before any individual transaction triggers a rule. Beneficiary nodes linked to known mule infrastructure escalate automatically. This approach moves investigators from single-victim cases to disrupting the network operating behind dozens of victims simultaneously.

Customer contact monitoring adds a non-transactional layer. Text analytics on service call transcripts, chat logs, and secure messages can surface romance scam keywords before the next transfer clears.

This pattern overlaps substantially with authorized push payment fraud detection. Institutions building APP detection programs should include pig butchering variants explicitly in their scenario library, as the behavioral signals are near-identical.

Which regulations cover Romance Scam

In the United States, romance scam proceeds trigger Bank Secrecy Act reporting obligations under 31 U.S.C. § 5318(g). FinCEN Alert FIN-2023-Alert005 (September 2023) makes the SAR-filing obligation explicit and requires a designated keyword for law enforcement aggregation. FinCEN has cited inadequate SAR programs in recent consent orders against mid-sized banks, so this isn't a theoretical compliance risk.

The EU's Sixth Anti-Money Laundering Directive (AMLD6) requires transaction monitoring covering fraud-linked money laundering. Romance scam proceeds qualify as predicate offense proceeds under AMLD6's expanded list. The 2024 EU AML Package introduces a single EU AML supervisory authority with direct oversight powers, increasing enforcement exposure for institutions with detection gaps.

Under FATF Recommendation 16, financial institutions must verify the stated purpose of international wire transfers. Transfers to overseas accounts linked to romance scams directly trigger this obligation. FATF Recommendation 20 covers the obligation to report suspicious transactions without delay.

In the UK, the Proceeds of Crime Act 2002 (POCA 2002) creates an obligation to file SARs with the National Crime Agency when there is knowledge or suspicion of money laundering. Romance scam proceeds laundered through smurfing and structuring patterns fall squarely within scope. The Payment Systems Regulator's APP fraud reimbursement rules (effective October 2024) add direct financial consequences for banks that fail to detect romance scam transfers before they clear.

How FluxForce detects Romance Scam

FluxForce's Aiden Flux monitors transaction velocity, escalation patterns, and peer-group anomalies in real time. Accounts where outbound crypto or wire activity deviates from a customer's established behavior are flagged for review. Nova Sentinel runs network graph analysis to identify when multiple accounts route funds to the same beneficiary infrastructure. This surfaces the organized criminal network operating behind individual victim cases.

Both agents share risk signals with human review queues, including customer service transcript flags and fraud-alert override counts. Automated SAR drafting reduces analyst time from hours to minutes. Book a demo to see how FluxForce handles romance scam detection across banking, fintech, and crypto environments.

**