Dating Apps are Having an Identity Crisis
Last year, a convicted criminal turned up on Bumble as “Steve, 53.”
The world knows him by another name.
His profile pics were of Hamish McLaren, one of Australia’s most documented serial con men, convicted of defrauding fifteen victims of more than $7.6 million AUD, with global losses estimated at over $70 million by an investigative podcast by The Australian called WHO THE HELL IS HAMISH. When “Steve, 53” appeared on Bumble, Hamish McLaren was in prison. He was twelve months from his parole hearing and, confirmed by authorities, not permitted access to a mobile phone.
The profile had a verification tick.
Real women connected with Steve. Real women were having real conversations. Some were, in all likelihood, planning to meet him.



Ten years ago I met a man by the name of Max Tavita on a different dating app. He was 41. Turns out however he wasn’t Max and he wasn’t 41. He was, in fact, Hamish McLaren and he stole $317,000 AUD from me. He was arrested and sentenced to 12 years in prison for the crimes he committed.
The story I am about to tell you is not an outlier. It is the operating model. I know this because I work in this space every day, as a consumer advocate, as a participant in the Australian Government’s National Anti-Scam Centre Romance Scam Fusion Cell and as someone who speaks to survivors weekly.
The Scale of What We Are Dealing With
The fraud community understands underreporting better than most. You know that the numbers on any given crime typology represent a fraction of truth, that shame and complexity keep victims silent, and that official figures should be read as a floor, not a ceiling.
Romance fraud is among the most severely underreported financial crime categories in existence. With that caveat firmly in place, the reported numbers are already extraordinary.
In the United States, the FTC reported that romance scams cost victims $1.4 billion in a single year. In Australia, reported losses in 2025 reached $140 million AUD, up year on year. In the United Kingdom, £102 million, also rising. In every jurisdiction where this data is collected, the trajectory is the same. This is not a niche crime with a niche victim profile. It is a high-volume, industrialised financial crime category that is growing.
The ACCC’s National Anti-Scam Centre has confirmed that the majority of romance scams begin on dating or social media platforms. A UK study by TSB Bank found 42% of romance scam cases started specifically on dating apps. Norton’s 2026 Global Insights Report found that 34% of current online daters had been targeted by a scam, and of that group, 64% had become victims. A study by global identity technology company GBG found that 61% of online daters in the UK had matched with a fake profile. Not suspected. Matched.
These numbers describe an ecosystem with a structural identity problem. And the industry that built and profits from that ecosystem has, to date, responded with optional safety features and voluntary codes.
How Easy It Is to Be Anyone
I want to tell you about the day I became a 45-year-old woman called Sarah.
Sarah likes hiking, she has a dog and wants a relationship. She is kind-faced, outdoorsy, the sort of woman whose profile suggests she would remember your best friend’s wife’s name and birthday. Her photographs are of me and came from a public social media account. Her bio said she was looking for something real.
I constructed Sarah in under four minutes.
An email address created for the purpose. An invented name. A fake date of birth. A tick to confirm I had read terms and conditions I did not read. And a selfie to verify that Sarah was who she said she was. That was the entire process. Sarah was live, searchable, and available to match with real people who were there in good faith.
I can work my way around a mobile phone but I am no more technically sophisticated than anyone else. I did not need specialist tools or knowledge. I needed four minutes and a willingness to lie. The platform did not ask a single question that a person with harmful intent could not answer falsely.
This is not a bug. It is a design choice. And it is a design choice with consequences.
Photo Verification Is Not Identity Verification
The industry talks about photo verification constantly and I want to be precise about what it actually does, because it is being marketed as a safety solution when it is something considerably more limited than that.
Photo verification works like this. You take a selfie in a specific pose. The system matches that selfie to the photographs on your profile. If they match, you receive a “photo verified” badge. A small symbol that implies, in a significant way, that this person is who they say they are.
It tells you no such thing.
Photo verification confirms that the person holding the phone at the time of the selfie looks like the photographs on the profile. It tells you nothing about their name, their age, their criminal history, or the three other profiles they are running under different names on different platforms.
When I contacted Bumble to report the “Steve, 53” profile and asked how a profile using Hamish McLaren’s photographs had received a verification tick, I was told that “moderation mistakes can happen.”
A moderation mistake. For one of the most documented con men in Australian history. On a platform used by millions of people who trust that a tick means something.
Photo verification is the appearance of safety. And the appearance of safety may be more dangerous than no safety claim at all, because it tells users they can lower their guard.
Bumble launched genuine government-issued ID verification in March 2025, developed with identity provider Veriff. It is a real check. It is also voluntary. Users may choose to verify. Or they may not. The people who pose the greatest risk to others are precisely the people least likely to opt in.
Mandatory and available are not the same thing. Available is a feature. Mandatory is a standard.
What the Platforms’ Own Data Admits
In accordance with Australia’s Voluntary Online Dating Code of Conduct, platforms are required to publish annual transparency reports.
The biggest issues cited across the board were not nudity, bullying or identity based hate. The categories were scams & theft, inauthentic profiles and platform manipulation (ban evasion).
One alarming figure was 16,105 member reports citing inauthentic profiles – contrasted with 2,220 for adult nudity, 1,218 for bullying and abuse and 313 for identity based hate.
I could go through all the numbers, but best if you take a look yourself. This is just what has been reported in one jurisdiction, in one year.
US Senators Marsha Blackburn and Maggie Hassan wrote to Match Group’s CEO citing internal employees who described removing scammers as not “a real priority backed up by resources,” and noting that the CEO had publicly stated that Tinder’s selfie verification process was “pretty simple for a human to pass.”
An 18-month investigation by journalists working with The Markup found that users banned from Tinder could quickly create new accounts using the exact same name, birthday, and profile photographs. They could move across to Hinge and other Match Group apps without changing any of those details. One platform ban. Immediate recreation. No cross-platform consequence.
The same investigation found that after a user was reported for assault on Match Group apps, he was later featured as a “standout” date on Hinge. The platform’s algorithm actively promoted his profile to women looking for matches. Not despite the reports lodged against him. After them.
This is the system operating as designed.
The Human Architecture of the Fraud
Understanding romance fraud requires understanding that it does not begin with a request for money. That would be too easy to refuse. Too obvious. To many red flags. It begins with something far more powerful: the feeling of being genuinely seen.
Jade is a university-educated single mother of three from Queensland, Australia. In early 2025 she matched with a man called Niko on Hinge. He was French, a civil engineer working in Brisbane. He was warm, attentive, and curious about her life. He remembered things she mentioned in passing. He shared cautiously about himself, his divorce, his hope that the right person was still out there.
Over months, a relationship was built. A real one, from Jade’s perspective. The emotional investment she made was genuine. The feelings were real. They were also the product of a system that had studied human attachment and was deploying it with precision.
What Jade did not and could not have known is that Niko almost certainly did not exist. The person writing to her may have been sitting in a compound in Myanmar or Cambodia, working a shift under supervision, managing multiple conversations simultaneously, under threat of violence if his targets did not convert.
This is the industrial reality behind what is called pig butchering, or romance baiting. The UN Office on Drugs and Crime has documented hundreds of thousands of people trafficked into scam operations across Southeast Asia, many arriving on the promise of legitimate employment and finding their passports confiscated on arrival. The people perpetrating these frauds against people like Jade are, in many cases, victims themselves, coerced through force into conducting the fraud or facing severe consequences.
By the time Jade understood what had happened, $840,000 AUD was gone.
The tools used in romance fraud are not the blunt instruments of opportunistic thieves. They are precision weapons designed specifically to defeat rational judgement. The psychological scaffolding, the reciprocity, the manufactured intimacy, the strategic exploitation of our most fundamental need for connection, is engineered to bypass our defences.
And Hinge made the introduction.
The Regulatory Gap
For those working in fraud who engage with legislative and regulatory frameworks, what follows will be relevant.
In Australia, the Online Safety Act 2021 contains no provision for financial harm caused by fraud originating on a dating platform. The Act defines online safety as the capacity to use digital services in a safe manner. Financial safety does not appear in that definition. A victim whose life savings are stolen through a fake relationship on a dating app falls outside the Act’s harm framework entirely.
The Act does reference psychological harm, but defines serious harm to mental health in a way that explicitly excludes “mere ordinary emotional reactions such as distress, grief, fear or anger.” The grief, shame, depression, and loss of self that characterise recovery from romance fraud do not clear that legal bar.
The Scams Prevention Framework, Australia’s primary legislative instrument for scam harm, does not currently cover dating platforms. Section 7(3)(j) of the SPF Designation 2026 expressly carves out dating and matchmaking services from the definition of designated social media services.
The voluntary Online Dating Code of Practice, introduced in Australia in 2025, does not cover financial harm. I raised this formally in October 2025 and was told it would be considered alongside broader regulatory developments.
What this means in practice is that the digital infrastructure generating romance fraud at industrial scale has no legal obligation to verify who is using it, no requirement to share information about banned accounts across platforms, and no enforceable standard for responding when fraud is reported through its systems.
When I reported the “Steve, 53” profile to Bumble, I was directed to a webform. I am not a Bumble member. I was a person reporting that a convicted criminal’s photographs were being used on their platform to deceive real women. The response was a webform.
Between July 7 and July 10, 2025, I contacted multiple senior Trust, Safety, and Law Enforcement executives at Bumble via LinkedIn. I was told they could not assist me directly. The generic webform was the only escalation pathway for one of the most documented serial con men in Australian history.
That is what voluntary looks like in practice.
What Safety by Design Actually Requires
The phrase “safety by design” has become common in platform regulation discussions. It sounds good. The reality is that on most dating platforms, safety is not by design. It is by addition. It is applied after the product has been built for growth and made optional where it introduces friction.
Safety by design means identity verification is not a badge a user can choose to display. It means a person cannot operate an account without being bound to a verified, real identity. It means the architecture structurally excludes fake accounts at scale, because every account costs something real to create.
The technology to do this exists. Australian company Securely Group has developed a patent for an identity certification system that confirms, that an account is bound to a verified, accountable person, without storing personal data. Biometric deduplication means one person, one certified identity. Running four aliases across four platforms becomes structurally impossible. An incarcerated person fails recertification. The profile goes dark. Not because a tip-off was processed through a webform three weeks later. Because the architecture prevented it.
Think about the last time you were required to prove who you are. At a bank. At a pharmacy purchasing restricted medication. Registering a SIM card. Signing a lease. Getting a job. Checking into a hotel. Every single one of those transactions, from the routine to the consequential, required verified identity.
To access an app that places you in private, intimate, unsupervised contact with a complete stranger, often in your own home, often after dark, you need an email address and a selfie you took yourself.
Australia has already demonstrated the political will to mandate safety standards in digital environments. The minimum age requirement for social media. The age assurance framework for online content. These are examples of government deciding that a harm is serious enough that voluntary compliance is insufficient. The world watched and followed.
Hamish McLaren is due for parole release on July 10, 2026. His parole conditions include bans on certain suburbs and prohibitions on managing money or assets. There is no condition requiring him to disclose dating profiles he creates or uses. There is no condition prohibiting him from presenting a false name or identity online.
The internet has no exclusion zones.
Sign the Petition
I have launched a petition calling on the Australian Government to mandate robust, government-issued identity verification on Australian dating platforms as a condition of operation, not a feature, not an option, not a voluntary commitment reviewed annually by the same industry it is meant to constrain.
The argument is simple. We verify identity before every other transaction that involves trust between strangers at scale. Dating apps are the one significant exception, and the fraud statistics tell us exactly what that exception costs.
If this issue sits within your professional focus, if you work in fraud prevention, financial crime, consumer protection, or platform safety, I am asking you to add your voice to this campaign.
Sign the petition here:
Australia is setting the precedent. Mandatory identity verification on dating platforms, if legislated here, will be watched and followed, exactly as our age assurance framework has been. The global fraud prevention community has credibility, data, and reach that consumer advocates working alone do not. Your voice on this issue matters.
Swipe carefully. But more importantly, help us build a system where careful swiping is no longer the primary defence available.
Image Credit: Australian Financial Review
| Tagged with: | Woman in Fraud, fraud, scam |
| Posted in: | AF Education, Latest News |