From catfishing to catphishing: The evolution of a romance scam

So long as you’re at least a pescetarian, some nice hot catfish with a squeeze of lemon and a side of hush puppies can be a wonderful thing—way less so when you encounter the online version of catfishing which starts equally hot but ends up with you feeling a whole different kind of heartburn. Catfishing, or creating a false persona online, has been around for ages, but it’s still a nasty deception at best and an outright scam at worst. 

On the scammy front, catphishing scams—with a “ph,” instead of the usual “f”—happen when the grift goes from messing with your heart to messing with your identity, and ultimately, your bank account. And if that’s a world you don’t want scammers casting their lines into, Spokeo has the lowdown. 

How Catfishing Works

The term “catfishing” was coined as early as 2010, from the title of the documentary “Catfish“ (whose producers went on to create the still-running MTV reality show of the same name). Just like the story the doc recounts—wherein a young man is deceived by an online romantic interest claiming to be someone she’s not—catfishing is the act of using falsified info and images to create a fake persona in order to trick, harass, or scam someone. 

In a catfishing scam, the catfisher creates an entirely fake, entirely online identity, typically built around photos cribbed from social media, Google Images, stock pics, or nowadays, generative AI. At its most innocent (“innocence” being a relative term), it stems from the desire to be someone else for a while, or even from a psychological impulse that takes pleasure in manipulating someone. There’s a darker side, though: Often catfishing is the first step in a romance scam, which can end in a broken heart (if you’re lucky) or a significant financial loss (if you’re not). 

Catfishing scams run deep, with scammers often doing diligent research to appeal to their victims, like researching their hobbies and interests to personally connect with them, or using photos to create detailed, relatable narratives (“here’s a photo of my art,” “pics from my trip to Japan”). Of course, part of that web of lies inevitably involves detailed excuses as to why they can’t video chat or meet in person. 

Some catfishers may only be looking for attention, or to vicariously experience romance that has eluded them in real life. Far too often, though, money or tangible gifts such as jewelry, consumer goods, or gift cards become a central part of these online-only “relationships.”

Phishing Is a Different, and Darker, Thing

Phishing is another common variety of online scam that relies entirely on deception, but in this case, the grift doesn’t always come wrapped in a charming package. The main purpose of phishing attacks is to either gain access to your devices through the use of malicious apps and websites or to steal information from you—like bank account information, usernames, and passwords, or your social security number—which can then be used for identity theft or other nefarious purposes. Typically, as you might guess, to illegally extract money from victims. 

Phishing attacks usually come in the form of bogus links for you to click or attachments for you to open. Often, they appear to come from businesses, organizations, or people you might be familiar with, from friends and family to your bank or even the IRS or Social Security Administration. There’s commonly a message to alarm or unsettle you (“Your account has been frozen…”), or something to otherwise usher you into action (“click here for your invoice,” “visit this link to claim your reward”)—and that action might just include a click or tap that takes you straight to data-stealing malware, or a bespoke website for you to willfully enter your private information. 

Phishing attacks vary in sophistication. Some are easy to spot thanks to clumsiness or poor writing, while others are very skillful and use multiple techniques to appear legitimate. In some cases, they even load up a perfect clone of a legitimate company’s login page if you click their link. It’s one thing to know intellectually that these things happen; it’s a whole other thing to stop and think before clicking a link “from a friend.” Which is exactly why this kind of attack, which predates even catfishing scams, still works.

Catphishing Meaning: Catfishing + Phishing = Catphishing

Bet you’ve already put this one together, haven’t you? The biggest challenge phishers have is to get the target to perform the desired action, usually clicking on a link or attachment, or otherwise divulging private info. Catfishing is all about using a fake persona to gain someone’s confidence (that’s literally where the “con” in “con artist” comes from—it’s a confidence game), which makes it the ideal preliminary to a successful phishing attack. Catphishing, then, is the use of catfishing to drive a phishing attack. 

In a straight-up catfishing scam, the target is you. In catphishing, meaning a phishing attack that uses catfishing tactics, you may only be a means to an end (which is, perhaps, even more deflating). A successful catphishing attack, for example, might let the scammer into your work network. Now your company’s resources, not just yours, are susceptible. Does your company store information about individual consumers, business customers, or suppliers? Does it supply services or products to the government or the military? Catphishing can compromise your personal bank account, or it can compromise all of the above. 

The Current State of Catphishing

With so much crossover between them, it can be hard to keep track of how many people have fallen victim to regular old catfishing scams or more dangerous catphishing attacks. What we do know is that both of these loathsome varieties are alive and well.

• In 2023, 36% of all U.S. data breaches were phishing attacks, making them the second costliest source of compromised credentials
• Phishing scams encompass roughly 5 million unique (phony) websites, and targeted 1,339 brands in Q4 2023 alone
• Phishing losses exceeded $10.3 billion in 2022
• That same year, the FTC reported that 70,000 people reported romance scams, with financial losses of $1.3 billion—that’s a median loss of $4,400 per victim
• 40% of romance scams with financial targets originate on social media

The goopy, copyright-infringing rise of generative AI in recent years has only provided a boon to catphishing and catfishing scams, enabling con artists to generate bespoke images to round out their fake profiles, and in some cases, even automate the process of contacting victims using chatbots. In America alone, the amount of deepfakes more than doubled from 2022 to the first quarter of 2023, per Electronics Payments International. 

Protect Your Heart and Your Bank Account

One important point to remember about catphishing versus catfishing is that catphishers won’t necessarily target your heart (or libido) with their fake persona. Instead of a potential romance, the catphish might ostensibly be a business contact. 

Scammers have been known to spin up fake LinkedIn profiles in volume, with a number of personas created simply as followers for the main two or three personas (again, something made much easier with genAI). A fake with a few hundred equally fake followers then connects with real industry figures and eventually with intended targets: someone like you. They might pose as potential suppliers, sales prospects—who won’t go the extra mile to make a good sale?—or even as security consultants (“Download my free white paper on implementing ‘zero-trust’ in your network…”). 

Whether the cons are business or personal (or a little bit of both), some basic rules of thumb can help protect you from catfishing scams, catphishing, and phishing in general:

• Ask potential catfishers for a video chat. Consistent delays and excuses should raise an eyebrow.
• Look for signs of generative AI in social profiles. Messed-up fingers, off-kilter details, and that overly plasticine look are dead giveaways.
• On that note, if a profile—especially a romantic interest—or an offer seems too good to be true, it probably is. Your parents were right about that one. 
• Be wary of sob stories—this is a common tactic catfishers use to pull at your heartstrings before they start pulling at your purse strings. 
• Never share private information online unless you’re certain it’s going to the place you think it is. Keep an eye out for fishy URLs and strange email addresses—if they don’t match up with the official sources’, that’s a red flag. 
• Always, always, verify identity. 

Catch Catfish (and Catphish) 

As social engineering scams, both catfishing and catphishing wholly rely on bogus personas, whether handcrafted (or hand-stolen) or AI-generated (also stolen, but that’s another article). And that’s where you have power: As soon as you can verify that a suspicious contact’s identity is false, the whole grift falls apart. 

You can do that by having a keen eye and practicing the aforementioned tactics, and a reverse Google Image search can help you catch stolen images. There’s nothing new about catphishing, but don’t let that turn you into a scaredy cat—just consider it a sign that it’s time to level up your security game.

This story was produced by Spokeo and reviewed and distributed by Stacker.