A catfish is a wonderful thing when it’s dished up at a Southern restaurant, but not so much when you encounter it online. The digital form of “catfishing,” or creating a false persona online, is a rather nasty deception at best and an outright scam at worst.
Over the past few years a newer form of that deception, called “catphishing” — with a “ph,” instead of the usual “f” — has also become common. It’s worth learning about because it incorporates phishing techniques to take the basic concept to another, more dangerous level.
How Catfishing Works
A lot of people shade the truth a bit online, especially on dating sites. It’s natural to want to put your best foot forward, although still using that profile pic from 2003 is probably pushing things a bit. Catfishing takes that practice a step further, from being a better-than-real-life version of yourself to being someone else entirely.
A catfisher creates an entirely fake persona, typically built around photos cribbed from social media or even stock photo sites. At its most innocent it’s just the desire to be someone else for a while, like we do at Halloween. There’s a darker side, though: Often catfishing is the first step in a romance scam, which can end in a broken heart (if you’re lucky) or a significant financial loss (if you’re not).
Some catfishers may only be looking for attention and to vicariously enjoy some of the romance that has eluded them in real life. Far too often, though, money or tangible gifts such as jewelry, consumer goods or gift cards become a central part of these online-only “relationships.”
Phishing Is a Different, and Darker, Thing
Phishing is another common form of online scam. It also relies on deception, but in this case the deception doesn’t come wrapped in a charming package. The main purpose of a phishing attack is either to get malicious software onto your devices through bogus apps and websites or to steal information from you (account details, usernames and passwords, even your Social Security number) that can then be used for identity theft or other nefarious purposes.
Phishing attacks typically come in the form of bogus links for you to click or attachments for you to open. Often they appear to come from someone you know or do business with, from friends and family to your bank or even the IRS or Social Security Administration. There’s usually a message to alarm or unsettle you, encouraging you to click without thinking (“Your account has been frozen…”).
Phishing attacks vary in sophistication. Some are easy to spot because of their clumsiness and poor writing, while others are very skillful and use multiple techniques to appear legitimate, even — in some cases — loading up a perfect clone of a legitimate company’s login page if you click their link. It’s one thing to know intellectually that these things happen; it’s quite another to stop and think before clicking a link “from a friend” who has sent you things many times before. That’s why this kind of attack still works.
Catfishing + Phishing = “Catphishing”
If you’ve read this far, it’s not hard to put the pieces together. The biggest challenge in a phishing attack is getting the target to take the bait, usually by clicking a link or opening an attachment. Catfishing is all about using a fake persona to gain someone’s confidence (that’s literally where the “con” in “con man” comes from: “confidence man”), which makes it the ideal preliminary to a successful phishing attack. Catphishing, then, is the use of catfishing to set up a phishing attack.
In a straight-up catfishing scam, the target is you. In catphishing, you may only be a means to an end (which is, perhaps, even more deflating). A successful catphishing attack, for example, might let the scammer into your work network. Now your company’s resources, not just yours, are susceptible. Does your company store information about individual consumers, or business customers, or suppliers? Does it supply services or products to the government or the military?
Every breach yields information that can empower new attacks, so it potentially opens the door for sophisticated attackers to engage in all manner of mischief, from large-scale fraud to industrial espionage to actual nation-state espionage. In one attention-getting 2016 case, for example, suspected Iranian hackers used a fake persona to befriend someone with significant network access at heavyweight consulting firm Deloitte before springing the phishing part of the attack. Deloitte’s in-house security measures were up to the task, as it turned out, but a less-sophisticated company would have been badly compromised.
How To Protect Against Catphishing
The fundamentals of protecting yourself against catphishing are the same as for regular ol’ catfishing and conventional phishing attacks. Mostly they boil down to being aware of the risks and being vigilant. Learn how to spot a “spoofed” email, one whose From line has been forged to look like it came from a sender you trust: look past the display name at the actual address, check that a link really points to the domain it claims to (hover before you click), and don’t open an attachment until you’re sure it’s legit. If necessary, contact the purported sender directly, using a phone number or address you already have rather than one supplied in the message.
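To make the “spoofed email” check concrete, here is a small added example (it is not from the original article or from Spokeo) of what a mail filter looks at: the bounce address and the SPF/DKIM/DMARC results your mail server records in the Authentication-Results header, compared against the From line. The two messages and every domain in them are made up for the illustration.

```python
"""Flag e-mails whose visible From: address does not line up with the
envelope sender or with the SPF/DKIM/DMARC results the receiving server
recorded. Added example; the two messages below are constructed and the
domains (yourbank.example, mailer.example-bulk.net) are placeholders."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed spoof: the display name and From: address look like the bank,
# but the bounce address and the authentication results tell another story.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example-bulk.net>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer.example-bulk.net;
 dkim=none;
 dmarc=fail header.from=yourbank.example
From: "Your Bank Security" <alerts@yourbank.example>
Reply-To: support-desk@mailer.example-bulk.net
To: victim@example.org
Subject: Your account has been frozen

Restore access now: http://yourbank.example.account-verify.net/login
"""

# Constructed legitimate message for comparison: everything lines up.
CLEAN_MESSAGE = """\
Return-Path: <alerts@yourbank.example>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=yourbank.example;
 dkim=pass header.d=yourbank.example;
 dmarc=pass header.from=yourbank.example
From: "Your Bank" <alerts@yourbank.example>
To: victim@example.org
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""


def address_domain(header_value):
    """Lowercase domain of the first address in a header, or '' if none."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect method=result pairs from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = result.lower()
    return results


def spoof_indicators(raw_message):
    """Return human-readable reasons the message looks spoofed ([] if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    from_domain = address_domain(msg.get("From"))
    envelope_domain = address_domain(msg.get("Return-Path"))
    reply_domain = address_domain(msg.get("Reply-To"))

    # The address that actually sent the mail (Return-Path) should belong to
    # the organisation named in From:. A mismatch is the classic spoof sign.
    if envelope_domain and envelope_domain != from_domain:
        reasons.append(f"From: domain {from_domain} differs from envelope sender {envelope_domain}")
    # Replies being steered to a third party is a common scammer trick.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From: domain {from_domain}")
    # SPF/DKIM/DMARC are the receiving server's own verdict; anything but
    # 'pass' (including a missing check) deserves suspicion.
    results = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "missing")
        if verdict != "pass":
            reasons.append(f"{method.upper()} result is {verdict}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, spoof_indicators(raw) or "no indicators")
```

Most webmail clients let you view these raw headers (“Show original” or similar). If SPF or DMARC says fail, or the bounce address belongs to a bulk-mail domain you’ve never heard of, treat the message as hostile no matter how familiar the name in the From line looks.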
Do appropriate diligence when you’re connecting with people. A lot of very plausible fake personas begin with stolen photos, so make it a routine to run your new acquaintances’ photos through Google’s reverse image lookup. If that new “follow” turns out to be a stock image, or stolen from a Slovenian sausage vendor’s Instagram story about his great day at the Dalmatian coast, you’ll know there’s something shady going on. Similarly, you can (and should) use Spokeo’s people search tools to verify who’s really behind the name, phone number or email address you know. That’s how they do it on the popular MTV show “Catfish.”
Protect Your Business, as Well as Your Heart
One important point to remember about catphishing versus catfishing is that catphishers won’t necessarily target your heart (or libido) with their fake persona. Instead of a potential romance, the catphish might ostensibly be a business contact.
Scammers have been known to spin up fake LinkedIn profiles in volume, with a number of personas created simply as followers for the main two or three personas. A fake with a few hundred equally fake followers then connects with real industry figures and eventually with intended targets (people like you). They might pose as potential suppliers, sales prospects — who won’t go the extra mile to make a good sale? — or even as security consultants (“Download my free white paper on implementing ‘zero-trust’ in your network…”).
The same rules apply to protecting yourself against these potential catphishers, but if they’re pretending to be in business you have a few extra tools. For example, a domain registration lookup (ICANN’s lookup tool, listed below, queries the registries’ WHOIS/RDAP records) shows when the domain in the link you’ve been sent was registered and through which registrar. Registrant names are often redacted for privacy, but a domain registered last month that claims to belong to an established company, or whose name is a near miss for the real one (an extra word, a swapped letter, a different ending), should set off alarms. You can also search the appropriate registries to find the owners of an LLC (state business registries) or the major shareholders in a publicly traded company (its SEC filings). If those people don’t correspond to the names you have, or if the name is right but the image is wrong, that’s a big red flag.
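As an added example (not part of the original article), here is the kind of link check the domain advice leads to, done offline: it works out which site a URL really lands on and flags the tricks scammers use to make a foreign domain look like the company’s own. The expected domain and the sample links are placeholders, and the two-label rule for the registrable domain is a simplifying assumption noted in the code.

```python
"""Check whether a link actually lands on the company's own domain and call
out the usual lookalike tricks. Added example; the expected domain and the
sample links below are made up for illustration."""
from urllib.parse import urlsplit


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels (example.com).
    That is wrong for multi-part suffixes such as co.uk; a production tool
    should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_verdict(url, expected_domain):
    """Return [] if the link is on expected_domain, otherwise the red flags."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    if not host:
        return ["no hostname in the link"]
    reasons = []
    # user@host in a URL: the browser goes to 'host', not to the part before '@'.
    if "@" in parts.netloc:
        reasons.append(f"'{parts.netloc.split('@')[0]}@' before the real host {host}")
    apex = registrable_domain(host)
    if apex != expected:
        if host.startswith(expected + ".") or ("." + expected + ".") in host:
            # yourbank.example.account-verify.net: the brand is only a subdomain.
            reasons.append(f"{expected} is buried inside {host}; the site is really {apex}")
        elif edit_distance(apex, expected) <= 2:
            reasons.append(f"{apex} is a lookalike of {expected}")
        else:
            reasons.append(f"link goes to {apex}, not {expected}")
    if host.startswith("xn--") or ".xn--" in host:
        # Punycode label: may be a homoglyph domain (Cyrillic 'a' for Latin 'a').
        reasons.append("internationalised (xn--) label; check for homoglyphs")
    if parts.scheme != "https":
        reasons.append("link is not https")
    return reasons


if __name__ == "__main__":
    # Constructed sample links against a placeholder company domain.
    for link in (
        "https://www.yourbank.example/login",
        "http://yourbank.example.account-verify.net/login",
        "https://yourbank.examp1e/login",
        "https://yourbank.example@evil.example/",
        "https://xn--yurbank-5za.example/",
    ):
        print(link, "->", link_verdict(link, "yourbank.example") or "looks fine")
```

The registration-date check from the paragraph above needs a live WHOIS/RDAP query, which this offline example deliberately leaves out; run the domain the function reports as the real site (`apex`) through ICANN’s lookup tool to get it.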
The Bottom Line on Catphishing
There’s nothing fundamentally new about catphishing; it’s two old cons bolted together. It’s an example of the natural, perhaps inevitable, way that criminals and scammers continually strengthen their game, to everyone else’s detriment.
That shouldn’t frighten you, but it should serve as a warning that your own security game has to be strong as well. If you stay informed about current scams, maintain a healthy (but not excessive) skepticism about the people you meet online, and use all of the tools available to you — including Spokeo’s — you can effectively limit your vulnerability to fraud.
- Forbes – Fear These Three Types of Phish: “Catphishing” Enterprise Targets
- Google Search Help – Search With an Image on Google
- Internet Corporation for Assigned Names and Numbers (ICANN) – Domain Name Registration Data Lookup
- Upcounsel – How To Find an LLC Owner: Everything You Need To Know
- University of Minnesota Libraries – FAQ: Where Can I Find Major Shareholders of Public Companies