Before we start, let’s get a common mistake out of the way.
There are two look-alike terms for this kind of scam: catfishing and catphishing. They differ by a single letter, but they describe two different threats, with different targets and different consequences.
Here is a brief summary of each:
Catfishing (spelt with an f) is a form of deceptive activity, often categorised as "romance fraud", in which a scammer creates a "sockpuppet", a fake identity online (most notably on social media sites such as Facebook or Instagram), for the purpose of luring someone into a relationship, usually a romantic one, in order to get money, gifts, or attention.
This phenomenon received heavy public attention in 2010 when a documentary film by the name of Catfish shined a spotlight on this particular scamming technique and simultaneously thrust the term into the zeitgeist of popular culture.
Catfishing is about building an emotional bond, and it is not always malicious in intent: sometimes the driver is money (hence the "romance fraud" label), sometimes it is loneliness, attention-seeking or a fear of abandonment on the scammer's side. The consequences are still real, most often a broken heart and, in the romance-fraud variant, an emptied bank account. What catfishing does not usually aim at is your employer's systems.
Catphishing, on the other hand, is specifically intended to harm, and the harm reaches beyond the individual. Information stolen through it can be used for extortion or sold on criminal markets, and the organisation that was compromised loses integrity, clients and business opportunities, and faces fines if it is found to be non-compliant with security and privacy regulations.
Catphishing (spelt with a "ph") uses the same playbook as catfishing, but it is a step up in severity and in the damage it can do rather than a completely different idea. You may have heard of the terms "phishing" and "spearphishing": both refer to fraudulent messages sent by cybercriminals to obtain credentials or personal information, or to get the recipient to open a malicious attachment or link. Phishing is the broader term for wide-reaching, untargeted campaigns, whereas spearphishing targets a particular group of people or even a single individual. Catphishing typically combines the trust built through a fake relationship with spearphishing techniques. It is done with the intent of gaining rapport and, through it, access to information and/or resources that the unknowing target has rights to, such as a corporate account or network. The differing factor between the two scams is therefore the motive and the ultimate purpose: emotional or financial gain from a person, versus access to the organisation behind that person.
Catphishing is dangerous enough that companies treat it as a business threat, and the romance-fraud side is no small matter either: in the UK there were 3,889 reported victims of romance fraud in 2016, who handed over a record £39 million. Furthermore, scammers can use the personal details and photos they gather from victims to build yet more fake profiles, and the cycle starts all over again.
To give an example of a catphishing attack causing some serious trouble, we don't have to look any further than the UK's very own Deloitte. Deloitte is a "Big Four" firm that provides accounting, auditing and consulting services, including advice on mergers and acquisitions. It also runs a cyber security business that helps customers defend their networks and investigate breaches. So you can imagine how hard it must have been for the firm to announce that in March 2017 it had discovered a breach of its global email system, entered through an administrator account that was protected by a single password and no multi-factor authentication.
According to reports after the incident was announced, the attackers may have had access since November 2016. Deloitte's initial statement indicated that only six of its clients were impacted by the breach, but later reporting suggested that the attack may have compromised every administrator account at the firm.
And how did the aforementioned administrator account get compromised? Simple: Mia Ash.
Who is Mia Ash? No one, she doesn’t exist. She never did. But, to one of Deloitte’s senior employees, she was more than real. He’d tell you that she was a beautiful 21-year-old photographer from London, seeking friendship with fellow Londoners.
"Mia Ash" used LinkedIn to contact this employee at Deloitte, stating that the inquiry was part of an exercise to reach out to people around the world. Over the next few days, the two exchanged messages about their professions, photography, and travels. Eventually, Mia encouraged the employee to add her as a friend on Facebook and continue the conversation there, stating that it was her preferred social media site.
The correspondence continued via email, WhatsApp, and Facebook until Mia sent a Microsoft Excel document, "Copy of Photography Survey.xlsm", to the employee's personal email account. Mia encouraged the victim to open it at work from their corporate email account "so the survey would function properly". The .xlsm extension is the giveaway: it is Excel's macro-enabled format, and the survey contained macros that, once enabled, downloaded malicious software onto the corporate machine. Everything before that point, the LinkedIn approach, the move to Facebook, the weeks of small talk, existed only to get one person to click "Enable Content" on a work computer, and it was that click that cost the firm worldwide embarrassment and a temporary loss of trust.
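The attachment in this story works because the victim enables macros. A practitioner's check is to look inside the file before it ever reaches Excel: a .xlsm (like .docm and .pptm) is a zip archive, the VBA code lives in a part named xl/vbaProject.bin, and [Content_Types].xml declares the macro-enabled content type. The script below is an added example written for this page, not code from the original post or from the investigation; the sample workbooks it inspects are constructed in memory (with a placeholder vbaProject.bin), so it runs offline and never touches a real survey file.

```python
"""Inspect an Office Open XML file for a VBA macro project without opening it in Office.

Added example for this page. Assumptions (not from the original post): the
sample containers built by build_sample() are constructed here and contain a
placeholder vbaProject.bin, not real macro code.
"""
import io
import sys
import zipfile

# Parts where Office stores the VBA project, per application.
VBA_PARTS = ("xl/vbaproject.bin", "word/vbaproject.bin", "ppt/vbaproject.bin")
# Strings that only appear in [Content_Types].xml of macro-enabled documents.
MACRO_CONTENT_TYPES = ("macroEnabled", "vnd.ms-office.vbaProject")
MACRO_EXTENSIONS = (".xlsm", ".xltm", ".docm", ".dotm", ".pptm", ".potm")


def inspect_office_file(data: bytes) -> dict:
    """Return which macro indicators are present in an OOXML container."""
    result = {"is_ooxml": False, "vba_parts": [], "declares_macro_enabled": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip at all: legacy .xls/OLE or something else
    with zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["vba_parts"] = [n for n in names if n.lower() in VBA_PARTS]
        if result["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_macro_enabled"] = any(m in ctypes for m in MACRO_CONTENT_TYPES)
    return result


def is_macro_risky(filename: str, data: bytes) -> bool:
    """True if the file carries VBA, regardless of what its extension claims.

    A vbaProject.bin inside a file named .xlsx is treated as risky too: the
    extension is attacker-controlled, the container contents are not.
    """
    info = inspect_office_file(data)
    if info["vba_parts"] or info["declares_macro_enabled"]:
        return True
    # Macro-enabled extension with no VBA part is odd but harmless on its own.
    return False


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal workbook container (placeholder, not a real survey)."""
    main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    override = ('<Override PartName="/xl/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>' if with_macro else "")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
        f"{override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder OLE header bytes; a real vbaProject.bin is a compound file.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_macros.py <file>   (no argument runs the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], inspect_office_file(fh.read()))
    else:
        for name, blob in (("survey.xlsx", build_sample(False)), ("survey.xlsm", build_sample(True))):
            print(name, "risky" if is_macro_risky(name, blob) else "no macros", inspect_office_file(blob))
```

Run it against any downloaded attachment before opening it. The check is deliberately independent of the file extension, because an attacker chooses the name and the sender's story ("open it at work so the survey works") but cannot hide the vbaProject.bin part from a zip listing. Note that it only tells you macros are present, not what they do; for that, a tool that decompresses and prints the VBA source (olevba from oletools, for example) is the next step.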
How to protect yourself from catphishing
We suggest the following to prevent you from falling for catphishing scams:
- Be suspicious of someone who contacts you out of the blue, especially when the first message arrives through a professional network such as LinkedIn and the conversation is quickly moved to a more private channel
- Never give your personal information or photos to anybody you have not verified; photos and details you hand over can be reused to build the next fake profile
- Stick to more reputable dating sites. These sites usually charge a fee, which raises the cost for catphishers, though it does not keep them out entirely, and "Mia Ash" never used a dating site at all
- Never give anybody you met online any money
- Stay in control by insisting on contact the way you prefer, such as a live video call or a phone call, before trusting the person. A reverse image search of their profile photos is a quick extra check
- Never open attachments or enable macros in documents that an online acquaintance sends you, and never open personal correspondence from a work account or a work computer because someone asks you to
By following these simple guidelines and approaching online connections with a level head, you should be able to steer clear of people who are out to deceive and harm you. For more comprehensive training, which will test your understanding of threats such as catphishing, you may be interested in signing up to our Information Security Modules, especially:
- Social Media
- Phishing Fears
- Identity Theft
All of these modules will give you the skills to defend yourself from the threat of catphishing and other forms of malicious cyber attack.