Blog post
Romance Fraudsters Have Found a New Target: Your Home Equity
David Maimon, Tim Forrest and Trevor Anderson
Published February 20, 2026
Valentine's Day 2026 is approaching, and while most Americans are planning romantic dinners or flower deliveries, fraudsters in "Yahoo Boys" Telegram channels are planning something else: how to convince romance scam victims to borrow hundreds of thousands of dollars against their homes.
We have been tracking these channels for four months, and the chatter about exploiting Home Equity Lines of Credit, or "HELOC," has intensified dramatically. The fraudsters don't call their targets "victims." They call them "clients." They don't talk about stealing. They talk about "closing deals" on homeowners with 750+ credit scores. And they're succeeding at scale.
Between September and December 2025, we observed a 161% surge in suspicious HELOC applications tied to romance fraud and identity theft. This isn't an opportunistic crime. It's a professionalized operation targeting the single largest asset most Americans own: their home.
The mechanics are straightforward but devastating. Fraudsters spend weeks or months building emotional relationships with victims online. Once trust is established, they either manipulate victims into sharing enough personal information to apply for a HELOC in their name, or convince victims to apply for the HELOC themselves and wire the money away for some fabricated emergency. Either way, the victim ends up with six-figure debt secured by their home while the fraudster disappears with the cash.
What is a HELOC loan?
A HELOC is a type of loan that lets homeowners borrow money using the equity in their home as collateral. Instead of getting one lump sum all at once, a HELOC works more like a credit card: you’re approved for a maximum amount and can draw from it as needed during a set “draw period,” usually paying interest only on what you actually use. After that, the loan typically enters a “repayment period,” where you pay back both principal and interest. Because it’s tied to your home’s value, a HELOC often has lower interest rates than unsecured loans—but it also comes with risk, since failing to repay can put the home at risk of foreclosure.
Once you’re approved for a HELOC, the lender opens your line of credit and gives you a set limit based on your home’s equity, and you can begin accessing funds during the draw period. Rather than receiving the full amount upfront, you withdraw only what you need, when you need it, and the money is typically deposited directly into your bank account (or accessed through checks or a linked card). You then make monthly payments based on the amount you’ve actually borrowed, and later the HELOC shifts into the repayment period, when borrowing stops and you begin paying back both the principal and interest.
The HELOC heist
Fraudsters can use stolen personal information to impersonate a real homeowner, apply for a HELOC in that person’s name, and gain access to the equity tied to the victim’s home. Once approved, they draw funds from the line of credit and direct the money into bank accounts they’ve opened using the same stolen identity details. From there, the money can be quickly moved again through transfers, withdrawals, or other accounts, making it harder to trace and leaving the real homeowner stuck dealing with the financial and legal fallout.
Fraudsters can also use online romance scams to pull off HELOC fraud by first building trust with a victim over weeks or months, then manipulating them into sharing sensitive personal details -- like their full name, date of birth, Social Security number, bank information, or even photos of their driver’s license. In some cases, the scammer convinces the victim to “prove their identity,” “help with paperwork,” or “open an account for a shared future,” and that information is later used to apply for a HELOC in the victim’s name. Once the loan is approved, the fraudster pressures the victim to transfer the funds to a “safe” account, or they route the money into new bank accounts they opened using the same stolen identity, allowing them to cash out quickly while the victim is left responsible for a loan they never truly intended to take out.
Upstream signals of rising fraudster interest in HELOC loans
Over the past four months, we've seen a noticeable increase in chatter within Yahoo Boys–linked Telegram channels about exploiting HELOC loans. The Yahoo Boys are Nigerian internet fraudsters who run elaborate online scams, typically romance or business email schemes, to extract money from victims around the world. In my review of screenshots from a Telegram channel this group uses, I found what appears to be an openly advertised HELOC exploitation pipeline: fraudsters recruiting people to bring them homeowners with strong credit who can then be pressured into taking out Home Equity Lines of Credit (HELOCs). The language used in these posts is especially telling, because it frames the scheme as organized, repeatable, and transactional—more like a business process than a one-off scam.
The fraudsters describe their ideal “target” in blunt terms: a homeowner with a 750+ credit score and a loan amount between $50,000 and $1,000,000. They repeatedly refer to victims as “clients,” and instruct accomplices to ask which bank the mortgage is linked to, funnel victims directly to a Telegram handler, and push HELOC applications as if they’re routine, harmless, and risk-free. The goal isn’t just to deceive -- it’s to streamline the victim’s path into signing away access to their home equity.
In other posts they go even further, discussing payments for “verified ID.me + bank” access, calling it “data money,” and offering cash incentives for sending multiple verified identities. This isn’t just “scamming.” It’s the weaponization of home equity, turning a victim’s largest asset into an extraction tool, and using social engineering and identity infrastructure to cash out at scale.

Telegram screenshot showing an online group chat used by repeat scammers to coordinate HELOC fraud

Telegram screenshot showing an online group encouraging HELOC fraud
The YouTube clip below (also available here) adds another layer of upstream evidence: it appears to have been posted by a Yahoo Boy specifically to educate other fraudsters on how HELOCs work and how to exploit them. Rather than warning consumers, the video functions more like a tutorial—breaking down the basics of HELOC loans, how funds are accessed after approval, and why home equity can be an attractive target. In effect, it frames HELOCs as a repeatable cash-out mechanism, helping would-be scammers understand the steps needed to move from a victim with strong credit to an approved line of credit and ultimately to stolen funds.

YouTube screenshot showing an online tutorial by a “Yahoo boy” explaining HELOC fraud
Downstream signals of rising fraudster interest in HELOC loans
In parallel to the signals I was tracking across social media platforms used by Yahoo Boys, we observed a related trend emerging in onboarding applications tied to our partners in the HELOC ecosystem. Specifically, we identified a pattern suggesting coordinated activity in which the same stolen identity was used to simultaneously engage multiple financial institutions, often in an effort to open a checking account while also applying for a HELOC using the same victim’s information.
What stood out was the timing. In many cases, the identity theft attempts were clustered tightly together -- either occurring on the same day or within just a few days of one another. This suggests the fraudsters weren’t acting opportunistically, but instead executing a structured playbook designed to set up both the funding destination and the credit product in parallel.
In some instances, the behavior appeared even more aggressive: the same victim identity was used to apply with multiple HELOC providers at once, sometimes simultaneously. This kind of burst activity is consistent with a scaled fraud operation that tests multiple lenders for weak points, races approval timelines, and increases the odds of successfully extracting funds before the victim or institutions can detect and disrupt the scheme.
To assess whether this pattern was increasing at scale, we evaluated a sample of HELOC loan applications observed in our system between January 1 and December 31, 2025, where the applicant was 55 years or older at the time of application. This resulted in a dataset of approximately 87,000 HELOC applications.
Based on the working assumption that fraudsters often create drop accounts at other financial institutions using the victim’s identity to funnel HELOC proceeds, we then applied a velocity-based filter. Specifically, we isolated identities associated with at least three unique partner applications submitted within a seven-day window prior to the HELOC application attempt. Applying this filter reduced the dataset to 761 applications, each exhibiting a velocity of three or more application attempts within seven days, a pattern consistent with coordinated identity misuse rather than legitimate consumer behavior.
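The velocity filter described above can be sketched as follows. This is an added example, not the authors' code or data: the event tuples, identity keys and partner names are constructed, and "prior" is read here as strictly before the HELOC attempt, with repeat applications at the same partner counted once.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample onboarding events: (identity key, partner, product, time).
# All identifiers and partner names are made up for illustration.
EVENTS = [
    ("id-001", "bank-a",   "checking", "2025-10-01T09:00"),
    ("id-001", "bank-b",   "checking", "2025-10-02T14:30"),
    ("id-001", "lender-c", "heloc",    "2025-10-03T08:15"),  # only 2 prior partners
    ("id-001", "lender-d", "heloc",    "2025-10-03T16:45"),  # burst: 3 prior partners
    ("id-002", "bank-a",   "checking", "2025-11-10T10:00"),
    ("id-002", "bank-a",   "savings",  "2025-11-11T10:00"),  # same partner, counted once
    ("id-002", "bank-b",   "checking", "2025-11-12T10:00"),
    ("id-002", "lender-c", "heloc",    "2025-11-13T10:00"),  # 2 unique partners
    ("id-003", "bank-a",   "checking", "2025-12-01T10:00"),  # 9 days earlier: outside window
    ("id-003", "bank-b",   "checking", "2025-12-08T10:00"),
    ("id-003", "bank-e",   "checking", "2025-12-09T10:00"),
    ("id-003", "lender-c", "heloc",    "2025-12-10T10:00"),
]

def flag_heloc_velocity(events, window_days=7, min_partners=3):
    """Return HELOC attempts preceded, within the window, by applications
    under the same identity at >= min_partners distinct partners."""
    window = timedelta(days=window_days)
    by_identity = defaultdict(list)
    for identity, partner, product, ts in events:
        by_identity[identity].append((datetime.fromisoformat(ts), partner, product))

    flagged = []
    for identity, apps in by_identity.items():
        apps.sort()  # chronological order per identity
        for ts, partner, product in apps:
            if product != "heloc":
                continue
            # Distinct partners seen in [ts - window, ts), HELOC attempt excluded.
            prior = {p for t, p, _ in apps if ts - window <= t < ts}
            if len(prior) >= min_partners:
                flagged.append((identity, partner,
                                ts.isoformat(timespec="minutes"), sorted(prior)))
    return flagged

if __name__ == "__main__":
    for hit in flag_heloc_velocity(EVENTS):
        print(hit)
```

Counting distinct partners rather than raw application counts keeps a customer who opens several products at one institution from tripping the filter.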
Investigation of the number of fraudulent HELOC applications we observed on a monthly basis over 2025 indicates a clear and accelerating trend over the course of the year. In January, only 28 HELOC applications met this threshold. That number rose steadily through the spring, reaching 98 in May, before dropping back to 53 in June. From there, activity began climbing again through the summer and early fall, moving from 64 in July to 76 in September. The most notable shift occurred in the final quarter of the year: October jumped sharply to 140, November held elevated at 113, and December surged to a year-high of 199. This late-year acceleration is consistent with a scaled fraud playbook, where stolen identities are used in rapid succession across multiple institutions to set up both the HELOC application and the downstream “drop” accounts needed to receive and move funds.
Overall, the month-over-month growth—especially the dramatic Q4 spike—suggests this behavior is not random noise, but an increasingly operationalized tactic, aligning with the broader upstream signals observed in fraudster Telegram ecosystems.

Monthly volume of high-risk HELOC onboarding applications (2025)
In addition to quantifying the trend, we also enriched these HELOC application attempts with network and device intelligence. Specifically, we pulled IP metadata from Subscriber Identity and Behavior (SIAB) signals and ran the originating IP addresses through a cutting-edge tool that detects VPNs, residential proxies and bots, to better understand the infrastructure behind the activity. The results suggest that a large portion of these applications are associated with high-risk VPN usage, consistent with efforts to mask location and evade fraud controls. That said, we also observed a meaningful subset of applications coming from residential or local IP addresses, which may indicate either more sophisticated operational security (e.g., use of compromised devices) or cases where the victim is being manipulated into completing steps themselves.
We also saw variation in the methods used to pass identity verification. In some cases, the behavior is consistent with fraudsters attempting to use deepfakes or synthetic media to impersonate the victim during verification flows. In other cases, the signals suggest something even more concerning: the real victim appears to be interacting directly with the bank, likely under coercion or manipulation, consistent with the romance fraud and social engineering patterns described earlier.
Taken together, these findings reinforce that HELOC exploitation is not a single technique, but a flexible playbook. Fraudsters appear to be mixing infrastructure obfuscation (VPNs), identity laundering (multi-partner onboarding velocity), and increasingly sophisticated impersonation tactics while also, at times, relying on victims themselves as unwitting participants in the fraud.
Consumer takeaway
Taken together, these findings point to a troubling shift in how online fraud is evolving. What once centered on draining savings accounts is now increasingly targeting home equity, often through HELOCs that victims are manipulated into opening themselves. Our analysis shows a sharp late-2025 surge in HELOC activity tied to high-velocity identity usage, coinciding with explicit fraudster coordination in Yahoo Boys Telegram channels and instructional content designed to operationalize HELOC exploitation at scale. This is not incidental fraud: it reflects a deliberate strategy to convert a victim’s largest and most stable asset into liquid cash.
The tactics are flexible but consistent: fraudsters build trust through romance or social engineering, push victims toward HELOCs by downplaying risk, and then rapidly move funds through newly created or compromised bank accounts. In some cases, criminals impersonate victims using stolen identities or deepfakes; in others, they rely on the victims themselves—coerced, manipulated, or emotionally invested—to interact directly with banks. The result is the same: the victim is left holding long-term debt secured by their home, while the fraudsters disappear with the proceeds.
For consumers, the warning signs are critical to recognize early. No legitimate romantic partner, business associate, or “trusted contact” should ever ask you to borrow against your home, open new financial accounts on their behalf, or move money quickly for secrecy or “safety.” HELOCs are powerful financial tools, but precisely because they are tied to your home, they should only be used after careful, independent consideration. If anyone pressures you to rush a HELOC application, discourages you from talking to family or your bank, or asks you to transfer funds immediately after approval, stop and seek help. Talk directly to your financial institution, consult a trusted advisor, and remember: urgency, secrecy, and emotional manipulation are almost always signs of fraud.