Catphishing is a scam in which people present false information about themselves online to lure someone into a relationship, usually romantic in nature. Catphishers create online personas patched together from fake images, names, and personal details in order to dupe victims into a relationship. From there, victims may be manipulated for financial gain, for access to their employer’s corporate network, or for the theft of private data and other valuable assets.
It’s possible you’ve seen images of yourself or your friends used in catphishing profiles. People often report that their pictures and names have been used on popular social and dating platforms such as Tinder, Facebook and Instagram. Catphishing is especially common on dating sites, where people are more emotionally vulnerable and thus easier to target and manipulate. To see if your pictures are being used for catphishing, run a Google image search on them. If you see something shady, report the illegal use of your personal information to the platform it’s on!
Catphishing costs are direct, indirect, and sometimes very weird
The costs are substantial. According to the FBI, online romance scams in 2021 bilked 24,000 Americans of $1 billion. That only includes those who reported losses; there are likely many more who’ve suffered in silence. The FBI reported a new trend in 2021 where people were getting catphished on dating sites or social media platforms and then lured into quasi-romantic crypto investment scams, reported by the FTC to have yielded $139M in stolen funds in the U.S. alone in 2021, five times more than in 2020.
The total cost of catphishing is hard to quantify. Damages can extend well beyond an individual’s bank account: they can include corporate data theft and recovery, legal and mental health costs, brand and reputational damage, and so on.
One of the weirdest catphishing scams in recent pop culture memory rocked the NFL in 2012. Manti Te’o was finishing his illustrious college career as a Heisman Trophy finalist at Notre Dame when he tugged America’s heartstrings with the announcement that he was playing in honor of his girlfriend, who he said had died of leukemia. It turned out that he’d been catphished by a man in Los Angeles, whom Te’o had never met in person but with whom he had become romantically entangled over chats and phone calls in which the man disguised his voice. The ensuing scandal damaged Te’o’s reputation tremendously; his draft stock plummeted and he likely lost significant sums as a result, while dealing with public outcry over whether he'd manufactured the story for PR purposes. The catphish left a lasting stain on his reputation.
Like spearphishing attacks, catphishing attacks typically require a lot of prep time to pull off. People are generally more wary of danger nowadays in online dating, so the attackers need to build a fair amount of trust to overcome the victim’s natural suspicions. Creating a realistic identity takes some planning.
These scams can inflict damage that goes well beyond the individual victims; entire businesses can become compromised. In some cases, the catphisher’s endgame is to breach a specific company’s data, so an attack on an employee may be the product of a careful target selection process rather than a random approach.
Recovering lost funds from a catphishing attack is highly unlikely. And the emotional damage can be difficult to quantify, much less overcome, after trusting someone deeply enough for them to take advantage of you.
A simple and powerful way to stay safe is to use a separate email address for your personal use, which protects your privacy and helps you control what data others can find about you online.
Real-life example emails:
- The first is a Finnish-language catphish email in which the sender claims to look forward to meeting the recipient and tries to build interest with alleged pictures behind a link.
- Both of these examples were sent from Hotmail accounts.
- The emails contain many grammatical errors, which makes them easy to spot.
- In the second email, the sender used a business email template for the message body, containing a malicious link, to make it look more legitimate and to evade email filters.
Phishing is all about knowing what buttons to push to trigger a desired reaction from potential victims. As the above examples show, catphishing is not the most sophisticated or convincing attack method when carried out over email. But catphishes are extremely effective on dating sites, where attackers can socially engineer a campaign built around people’s need for finding new relationships. If the attacker successfully leads a victim to the dating site, possibilities for scamming abound.
The catphisher could come up with a pretense for needing money and make off with a quick payday. Or they could convince the victim to download a file infected with malware to steal information from the victim directly, or from the victim's organization. Stolen data could be used in many ways, from extortion and online bullying to selling on the darknet.
Checklist to stay out of the hook
- The person and their offer sounds too good to be true
- Person asks for highly personal information in very early stages
- Sender appears out of nowhere
- Person would not communicate in video chats
- Person cancels at last minute meetings
- Their social media profiles do not have a lot of activity or all the activity has been posted in last couple months