The Enormous Dating Fraud: Match.com, Plenty of Fish, Tinder and OkCupid

Friday, December 30th, 2016 at 8:15 pm | 10,872 views | trackback url

The Top 4 dating sites out there; Match.com, Plenty of Fish, Tinder and OkCupid are so completely overrun with fraud now, it’s appalling.

Note: Match.com, Plenty of Fish, Tinder and OkCupid are all owned by the same parent company, along with roughly 40 other dating site properties.

I’ve been a free and paid member of these sites for 8 years (with 3 years off in the middle as I was dating someone). I have spent hundreds of hours pouring through profiles, code, APIs, mobile apps and other interactions with these specific sites.

Right from the top, I’m going to stronly suggest you do not give any of these sites your money! Do not subscribe, do not give them a credit card, do not let them bill you, do not give them a single dollar. None.

I’ll break down exactly why below..

Let’s start with the biggest and worst offender: Match.com:

Match.com

Match claims to offer compatibility matching and some other ‘advanced’ features, even more when you subscribe and have the ability to actually send messages to other users.

The biggest problem is… close to 70% of those users are demonstrably fake! Yes, 70%. This is based on my own personal experience reporting hundreds of fraudulent profiles showing up every single day on Match. In the last 3 months of 2016, I have reported no less than 6,500 fake, fraudulent profiles on Match.com alone!

Day after day, the same profiles get reported, the same profiles show back up again the next day, but with slightly different photos, location, age. Sometimes with the same photo, but a different profile name, or a different city or state, but always the same fake profile.

The algorithm they’re using to create their fake profiles is very deterministic and predictable, so I’ve developed my own tools and workflow to find and report them. I’m now reporting anywhere from 400-600 fake profiles on Match every single day!! The faster I report these profiles, the more are created.

Here’s an example of what a search for some of these fraudulent profiles will return:

More and more every day, Match doesn’t seem to care about fraudulent profiles being created

That’s just a quick search for one known-fraudulent username. In previous month before writing this post, I’ve personally reported 2,265 fake profies to Match, over 7,000 for the year. Their system sends a confirmation email back for each profile you report. I have all of these emails sitting in a folder. Thousands of them.

Out of those 2,265 fake profiles that I’ve reported in the last 30 days, they are all collectively referring to 38 separate email addresses, all using Google’s Gmail. I’ve personally reported every one of those 38 emails to Google’s Fraud department as well, to investigate and terminate their email account for fraud and violations of Google’s Terms of Service. Google’s own policies are very strict when it comes to using their services to propagate fraud.

But every day, more of those profiles already reported to Match as fraudulent, will return.

What’s interesting is that the profiles show up as brand new every single day, even when they go unreported for a few days at a time. After a few days, the profile is no longer a “new user”. Curious. I see profiles that get “deleted” (“Profile can no longer be found”) reappear later in a different state, different age, slightly different username, but using the same unique user ID in their system.

I’ve been tracking the UIDs for each fraudulent user I report in a huge spreadsheet, as well as their claimed email addresses to determine if there’s reuse happening here, or internal shenanigans. You can see the patterns emerging when you look at the data in aggregate:

  • The preicse date and time the account was created
  • The visible username on the account
  • Location/city where the profile was created
  • Fraudulent contact info buried in the profile
  • The pseudo-unique UID of the user

This leads me to one of two possible conclusions:

  1. Match.com does not care to actually stop the fraudulent profiles from being created, because it helps drive more traffic to their site, more profile views from human visitors, more deception to encourage free users to “upgrade” to a paid membership to try to contact these people. Since the profiles appear as ‘new’ every single day, a sorted search for “Newest Users” will bring up pages and pages of these fake profiles for their members to view. In other words, they turn a blind eye towards the fraud because it’s making them money to ignore it. Or…
  2. Match.com themselves is creating these fraudulent profiles every day, for the same financial gain: To drive traffic back to the site, to drive new profile views and visits from human members and to inflate their “growing userbase” of profiles and hits.

I’ve personally contacted Match and they claim they take every report seriously, but I can’t believe that’s true, after filing 2,265 of them in the last month alone, only to have another 400-600 new, fake, fraudulent profiles show up the very next day, every day, with the same usernames, the same profile photos, the same email addresses hidden in their profile writeups.

Could Match stop this fraud if they wanted to? (assuming it’s happening externally, and not internally by Match themselves). Absolutely, yes, they could stop it. If I’ve been able to develop my own search algorithm to locate these fake profiles, they can codify these same techniques into their system and stop them as well.

I won’t reveal the system or methods I’m using, because I’m using it to track and feed back the fraud to both Google and more-recently the FTC for their own separate investigations.

Here’s a few methods Match could easily use to stop any external fraud:

  1. Log the source IP address of the person who creates a new profile, and prohibit multiple profiles with the same exact username from that same IP address.
  2. Checksum (sha512) every uploaded photo that goes into a profile. This would stop a number of things:
    1. photo reuse across profiles (eg: stolen photos to create fake profiles elsewhere)
    2. multiple, fake profiles with the same exact photo being created day after day
  3. Use the same search, sort, filter criteria that I use to find these fake profiles, to prevent them from being created in the first place!
  4. Have each profile and each uploaded photo reviewed before posting. These scammers are trying to be smart, and now embedding email addresses in the pixels of the photo itself, even to the point of putting the contact email below the thumbnail margin, so it only shows up when you view the full-size photo, not the gallery of thumbnails.
  5. Implement a CAPTCHA style authentication system, so each new profile created has to validate that they’re a human and not some automated tool or external process.

Based on my personal experience with Match, a human cannot create a new Match profile with an existing email address already used in the system.

This means that if we believe this is happening externally (and not being propagated by Match.com themselves, internally) those 2,265 profiles are using a separate, unique email address to create their profile, and then within the profile, are referring back to the same 38 Gmail addresses to propagate their fraud.

Here’s another great piece of proof that supports my theory that Match is creating these profiles themselves, internally, and that this is not happening externally by malicious parties. These profiles were all created within a 5-minute span. This is not a bug in their system, I find these from time to time, and now that I’ve mentioned it, they’ll probably fix it, but I have more than enough evidence to validate these issues.

Look closely at these two profiles, in different cities:

One of them has a “Who she is looking for” section with blank (0-0 years old, 0-0″ tall) values. The system literally does not even allow you to choose those values in a profile. I can’t save my profile with 0’s in it, and save it. The only way these can get into a profile, is if they’re created by the system itself.

Also notice the missing “About Her” section. That’s not something you can ‘disable’ from a visible profile. Again, this can only happen when a profile is created internally by the system, bypassing the mimimum defaults enforced by the system that members see.

Here’s two more, with an identical set of issues:

Notice too, that the profiles with the ‘0-0 age’ and ‘0-0″‘ height requirements, are showing different icons on the bottom than the “normal” profiles with the correct information. It stands out, and I only see the green, smily wink icon on the profiles that show up with the out-of-band, fake preference information.

For someone to create 400-600 fake profiles every single day, with photos and bio/writeup, takes about 4 minutes, even if you just click “Keep Going >>>” through the new profile setup questions (there are about 23 pages of questions you have to get through to complete a profile).

For 1 person to create these profiles, would take 26 hours for 400 profiles/day, not including the time to upload photos and cut and paste boilerplate text into the profile fields. If there’s a team of 2 people, 13 hours; 4 people, 6.5 hours. That’s a person or team of people creating hundreds of fake profiles, hour after hour, 24×7, 7 days a week. The numbers just don’t add up. Since ALL of the fake profiles get created within a short 2-3 hour span every morning, they’re absolutely not being created by humans on the outside, nor even scripts or tools.

Also, since these profiles reappear roughly every 1-2 hours, with the same username, same/slightly different photos, slightly different area of the coutry, it leaves me with one of two possible conclusions:

  1. This is a massive, coordinated fraud with dozens to hundreds of people across th globe creating hundreds of fake profiles every day, day after day, hour after hour, for one singular purpose or…
  2. Match themselves are creating, re-activating reported/fake profiles, changing photos, age and location and putting them back up online every hour to defraud their users into “upgrading” their memberships for the chance to contact these users.

What seems more-likely?

That there’s a team of people working remotely, for free, to create thousands of fake, fraudulent profiles every month, to lure human members back to contact these women through 38 separate Gmail accounts, to fleece/scam them of their money in some fashion, so they can use the money they scam, to pay this team of profile-creating-users, or… Match is just creating fake profiles to germinate more traffic and hits?

How are these people making money? How are they getting paid as staffers of this big, coordinated, malicious fraud company? It just doesn’t make sense for it to be a For-Profit external enterprise.

After I reported this to Match directly, and via their social media support services, they almost immediately started blocking my ability to do a search on their website for these accounts, but I’ve found a few other ways to get at the same data. They’re now actively blocking specific keywords that are visible in these fake profiles, the same keywords that would reveal these fraudulent accounts, so they can’t be “found” by searching. Well, almost :)

You be the judge, but I know where math and logic puts my conclusions here.

Update: Sunday, January 1 04:09:50 2017: After 1 year of submitting hundreds of daily reports of fake and fraudulent Match.com profiles, only 24 hours after I published this very blog post, there is no longer a single fake or fraudulent profile showing up under all of the accounts we’re using to locate them. This confirms my original assertion about the nature and source of this ongoing fraud. Very interesting, and so very telling.

Update: Tuesday, January 3 11:57:27 EST 2017: That didn’t last long. After a year of daily reports of hundreds of fake profiles, 2 full days without a single visible fake or fraudulent profile. Now they’re all back again, but with even more per-day. There are now roughly ~82% fake/fraudulent profiles, and only 18% of the total membership is “real”. That’s utterly pathetic.

Plenty of Fish

While not as obvious with the fraud as Match, Plenty of Fish has its own… well, fishy… practices with user profiles.

You can create a new profile on POF, mark that profile hidden, and sit back and watch “people” visit your hidden profile, Favorite you, send a “Meet Me” to your profile and so on. This isn’t possible with any normal, human profiles, because you can’t search, view or Favorite hidden profiles, full-stop.

In addition, those same users who Favorite or “Want to meet you…”, will not show up as ever having visited your profile at all. You’ll frequently get emails like this, after not having visited the site in days/weeks (again, with a hidden profile). You’ll also get emails claiming that someone is “interested” in meeting you, and if you visit the link to their profile that you get in the email seconds after you get the email, POF will tell you that no such profile exists.

Plenty of Fish Meet Me email

If you look at the people who have visited your profie, you’ll notice that this person, is never one of them. Often, this person will be in another state entirely, and well outside your age/preference range, so not likely coming up in their searches either.

How can someone who has never even visited your (hidden) profile, click the “Add to Favorites” button located only at the bottom of your visible profile?

Answer: They can’t.

My visible profile will often go weeks without a single visit, which is fine, I’m no longer interested in dating anymore. But I’ll still get emails every few days indicating that “Someone has liked me” and I’ll log in, check my visitors (zero new visitors, including the user who the system claimed viewed me) and immedaitely log back out. An hour later, I’ll get another email, with a different user expressing an interesting me. I log in, they’ve never even seen my profile (or their profile won’t even exist at all). Lather. Rinse. Repeat.

In 7+ years of having an active membership on POF, I’ve probably had a total of 10 emails sent back and forth, and have not ever met a single, human person, live in-person, that I’ve “talked to” on POF.

Avoid it. Treat it like the fish tank at the pet store: Go there, look at all the pretty colors, and then go home… but leave the fish at the store!

Update: Mon Sep 3 10:04:15 EDT 2018: It looks like POF is now overrun with fraud too. If you go to the “New Users” tab on their site, you’ll see pages and pages and pages of prostitutes and fake profiles there.

If you reload, you’ll see those profiles randomly change positions, indicating they’re randomizing their ‘Join’ date to make the list appear different. I reported over 800 fake profiles in an hour, and notified POF via their Twitter account, and they did nothing.

A new, fake profile is created every 2.5 seconds on their site, in my state alone!! I can’t even imagine how many hundreds of thousands of fake profiles must exist across all states and countries. It’s disgusting the overt fraud occurring on these sites.

OkCupid

OkCupid is the only place I’ve actually ever met a real, human person. My last girlfriend and I met on OkCupid, and we were together for 3 years, before ending our relationship. It took 4 years of searching on OkCupid to find her, and now 2+ years later, I still havent’ found another human on the site that actually responds to email to nurture anything more connected than that relationship.

But like I said above, this is all just mechanical, since I’ve given up dating after that relationship ended in mid-2014.

OkCupid has a curious quirk, where it will give you a “Mutual Like” for someone you’ve never even “Liked” at all before. A “Mutual Like” is where you’ve “Liked” someone and they’ve reciprocated by “Liking” you back. So in effect, OkCupid is sending out fake likes from your profile, to other member’s profiles, encouraging those other profiles to give you a reciprocal view/Like back.

A few months ago, after not having been on the site in weeks, I log in and my own profile had about 30 people in the “Who You Like” list; people I’d never even seen before, people I’ve never “Liked”, from all over the Eastern US from Michigan to Florida to Maine. All of these profiles were “Liked” by me (supposedly) on August 28th, but my last visit was sometime in mid-July.

You’d think someone might have stolen or guessed my password, but I can assure you, with a 46-character alphanumeric, complex password, that’s not the case. I would have also received emails about the activity, if someone was using my profile during that time.

It’s curious, and leads me to conclude that OkCupid appears to be randomly issuing “Likes” and photo likes (thumbs-up on photos) to encourage more-active users to click around and visit the site.

Shady. Very shady.

Conclusion

Don’t give any of these sites a single dollar.

Don’t subscribe, don’t pay for a membership unless or until they can address this enormous, rampant fraud that’s propagating and getting worse on each of the sites. I can’t even imagine how bad it is on the other 40+ sites under the same parent corporation.

If they don’t want to clean this up, you shouldn’t fund them or their apathy. I haven’t, and thousands of others who are now waking up and realizing the fraud aren’t either.

Stay safe out there!

Last Modified: Monday, September 3rd, 2018 @ 10:09

Leave a Reply

You must be logged in to post a comment.

Bad Behavior has blocked 1136 access attempts in the last 7 days.