How to avoid catphishing

Dealing with strangers online has always carried a level of risk. That level rises in romantic interactions, where scammers can take more than just your money. While plenty of people have found success at online dating, it can be tricky to identify someone’s true intentions, or, in the case of catphishing, even someone’s true identity. Today I will briefly talk about catphishing and how to stay off the hook, even when your heart is what’s getting hooked.


Catphishing is a scam where people present false information about themselves online to lure someone into entering some kind of relationship, usually romantic in nature. Catphishers create online personas patched together from fake images, names, and personal details in order to dupe victims into a relationship. From there, victims may be manipulated for financial gain, for access to their employer’s corporate network, or for theft of private data and other valuables.

It’s possible you’ve seen images of yourself or your friends used for catphishing profiles. People often report that their pictures and names have been used on popular social and dating platforms such as Tinder, Facebook and Instagram. Catphishing is especially common on dating sites, where people are more emotionally vulnerable and thus easier to target and manipulate. To see if your pictures are being used for catphishing, do a Google image search. If you see something shady, report the illegal use of your personal information to the platform it’s on!

Catphishing costs are direct, indirect, and sometimes very weird

The costs are substantial. According to the FBI, online romance scams in 2021 bilked 24,000 Americans of $1 billion. That only includes those who reported losses; there are likely many more who’ve suffered in silence. The FBI reported a new trend in 2021 where people were getting catphished on dating sites or social media platforms and then lured into quasi-romantic crypto investment scams, reported by the FTC to have yielded $139M in stolen funds in the U.S. alone in 2021, five times more than in 2020.

The total costs of catphishing are hard to quantify. Damages can extend well beyond an individual’s bank account. Costs could potentially involve corporate data theft and recovery, legal and mental health costs, brand and reputational damage, and so on.

One of the weirdest catphishing scams in recent pop culture memory rocked the NFL in 2012. Manti Te’o was finishing his illustrious college career as a Heisman Trophy finalist at Notre Dame when he tugged America’s heartstrings with the announcement that he was playing in honor of his girlfriend, who he said had died of leukemia. It turned out that he’d been catphished by a man in Los Angeles, whom Te’o had never met in person but with whom he had become romantically entangled over chats and phone calls in which the man disguised his voice. The ensuing scandal damaged Te’o’s reputation tremendously; his draft stock plummeted and he likely lost significant sums as a result, while dealing with public outcry over whether he'd manufactured the story for PR purposes. The catphish left a lasting stain on his reputation.

Catphishing

Like spearphishing attacks, catphishing attacks typically require a lot of prep time to pull off. People are generally more wary of danger nowadays in online dating, so the attackers need to build a fair amount of trust to overcome the victim’s natural suspicions. Creating a realistic identity takes some planning.

These scams can inflict damage that goes well beyond the individual victims; entire businesses can become compromised. In some cases, the endgame for catphishers is to breach secure data from a certain company, so targeted attacks on employees could be the product of a careful selection process.

Recovering lost funds from a catphishing attack is highly unlikely. And the emotional damage can be difficult to quantify, much less overcome, after trusting someone deeply enough for them to take advantage of you.

Safety tip

A simple and powerful way to stay safe is to use a separate email address for your personal use, protecting your privacy and helping control what data others can find about you online.

Real life example emails

A plain text email catphish, in Finnish

A catphish promising steamy pictures to lure people into clicking a malicious link

  • The first is a Finnish-language catphish email in which the sender is looking forward to meeting the recipient and tries to raise interest with alleged pictures behind the link.
  • Both of these examples were sent from Hotmail accounts.
  • Both emails contain many grammatical errors, which makes them easy to spot.
  • In the second email, the sender has used a business template for the email body, with a malicious link, to make it look more legitimate and to stay hidden from email filters.

Endgame

Phishing is all about knowing which buttons to push to trigger a desired reaction from potential victims. As the above examples show, catphishing is not the most sophisticated or convincing attack method when carried out over email. But catphishes are extremely effective on dating sites, where attackers can socially engineer a campaign built around people’s desire to find new relationships. If the attacker successfully leads a victim to the dating site, possibilities for scamming abound.

The catphisher could come up with a pretense for needing money and make off with a quick payday. Or they could convince the victim to download a file infected with malware to steal information from the victim directly, or from the victim's organization. Stolen data could be used in many ways, from extortion and online bullying to selling on the darknet.

Checklist to stay off the hook

  • The person and their offer sound too good to be true
  • The person asks for highly personal information at a very early stage
  • The sender appears out of nowhere
  • The person will not communicate over video chat
  • The person cancels meetings at the last minute
  • Their social media profiles show little activity, or all of their activity was posted in the last couple of months