Ah, Valentine’s Day—you either love it, or you hate it. And hackers definitely love it. Cybercriminals are notorious for attacking in times of uncertainty and when people are at their most vulnerable, as this makes their targets easier to manipulate. Recent research from antivirus software company ESET found that 52% of people feel lonely around Valentine’s Day. Unfortunately, this means that Valentine’s Day presents attackers with the perfect opportunity to cast their phishing nets.
In recent years, the world has seen a significant increase in the number of people using dating apps and their popularity is only continuing to grow, giving attackers a huge pool of users to choose from. And when only 29% of people using dating apps carry out basic background searches on people they’re interested in (ESET), most of those users looking for love make pretty easy targets.
The danger of sweetheart scams caused the FBI to issue a warning to people using dating apps: be careful who you trust online. They say that dating scams cause some of the most severe financial losses when compared to other types of online scams, with 24,000 victims in 2020 reporting losses exceeding $605,000,000. Just recently a man in Baltimore was scammed out of $15,000 in a scam lasting over 5 years.
And catphish don’t just put you at risk of a broken heart. Increasingly, businesses are being targeted, with sophisticated cybercriminals using sweetheart scams to trick people into handing over sensitive information about their workplace, which they can then use as an entry point to carry out cyberattacks.
But how exactly are catphish targeting people this Valentine’s Day, and what can do you to protect yourself—and your organization—from these sweetheart scams?
To answer that, we need to talk about phishing.
What Is A Catphish?
Catphishing is a combination of two separate concepts: spearphishing and catfishing. Spearphishing is a type of cybercrime based on email fraud: a bad actor emails their unsuspecting victim whilst posing as a friend, colleague, or other trusted source. In their email, they try and convince their victim to hand over sensitive information, such as login credentials, or to click on a link or open an attachment that will download malware onto their victim’s machine.
Catfishing is a term coined by TV host and producer Yaniv “Nev” Schulman, in his 2010 documentary, Catfish. In the documentary, Schulman tells the story of how he built a romantic relationship with someone he met online, only to discover that the person behind the keyboard had tricked him, and wasn’t who they’d led him to believe. Since then, the term “catfish” has been used to describe people who present false information about themselves on the internet for fraudulent or deceptive reasons.
If you link these two concepts together, you get a catphish: a person who sets up a fraudulent profile on a social networking or dating site in order to gain access to, or information from, a business. The cybercrime carried out by a catphish is also known as a sweetheart scam.
How Real Is The Threat?
You might think that sweetheart scams are few and far between but, unfortunately, people are falling for them every day, putting both their personal lives and their workplaces at risk. This is because some of those phish are really good at tricking even the most tech-savvy victims into falling for their manipulation—particularly when they prey on their victims’ emotional vulnerability.
One of the most surprising examples of a successful catphishing attempt took place four years ago, when consulting and advisory firm Deloitte announced a data breach connected to a poorly secured company email address. Around the time that the attack originated, a member of the company’s cybersecurity staff had opened a malicious Excel file sent to him by a female friend he’d met online a few months before. The fictional femme was actually a member of a known Iranian Advanced Persistent Threat (APT) group trying to steal corporate data.
Thankfully, Deloitte was able to shut down the attack before any significant damage was done, but other organizations may not be so lucky.
More recently, a man was arrested for laundering the proceeds of a catphishing campaign that targeted victims in North Carolina. US Attorney Robert J. Higdon, who made the announcement, describes sweetheart scams as being “among the most prolific and despicable crimes of the digital age” due to the way that the criminals behind the scams prey on those who are vulnerable and innocently seeking companionship.
Catphishing can have long-term negative effects on the victim’s emotional and metal health, but the damage doesn’t stop there. In 2019, romance scams generated over $475 million of reported losses.
Don’t Get Reeled In: How To Spot A Catphish
If you’re feeling just about ready to purge your cell phone of any dating apps, hold your horses: there are some simple ways to protect yourself against catphishing attempts. Here are our top tips on how to spot a catphish:
- They ask a lot of personal questions early on. This is a huge red flag, especially if those personal questions involve your employment and financial situations.
- They start “love bombing”—showering you with excessive displays of love and affection. Love bombing is a classic method that catphish use to create a false sense of intimacy and manipulate their victims into trusting them.
- They don’t want to meet you face-to-face. This one is fairly self-explanatory: it’s much easier to pretend to be someone else when you can’t see one another. If you’re unable to meet someone in person for any reason, you should still video call the person you’re talking to as a means of verifying their identity.
- They want to get in touch via other means, such as texting or emailing. While communicating on dating apps can be a pain, it’s also much safer than texting or emailing someone you don’t know. If you do exchange phone numbers or email addresses with someone you meet online, don’t open any links or files that they send you without sandboxing them first. A romantic E-card could turn out to be a vessel for malware that allows your “date” to log your keystrokes and steal your login credentials, or infect other machines connected to the same network.
- Their email address doesn’t match their name. The same goes for their WhatsApp profile—if the person is using multiple names, they could be impersonating someone else in order to gain your trust.
If some of these signs are sounding uncomfortably familiar, there’s a pretty high chance that your new love interest isn’t who they say they are. But what should you do if you think you’re being catphished?
How To Respond To Sweetheart Scams
If you think that the person you’ve been messaging isn’t who they say they are, the first thing you need to do is stop talking to them. The more information you give them, the more likely their attack will be successful—be it in this instance, or in a month’s time under a different name.
If you’ve paid the person with a gift card or voucher, contact the company that issued the card and explain the situation. They may be able to refund your money.
Once you’ve done this, you need to report the attack to your local fraud investigation authority. In the US, you can report fraud to the FTC; in the UK, report it to Action Fraud.
Once you’ve reported the attack to your local authority, you also need to make the website or app on which you met the person aware of their activity, so that they can block that person from using the service and prevent them from targeting other users.
Finally, you should make your close friends, family, and colleagues aware of the sweetheart scam—your catphish could use the information they’ve gained from you to target those close to you.
Before you give your new romantic interest any personal information such as your phone number or email address—including a company one—ask yourself if you can be certain that they are who they say they are.
Even then, we recommend that every organization implements a level of email security to help prevent potential attackers from infiltrating their corporate data through unsuspecting employees looking for love. To help you choose the right solution, we’ve put together a guide to the top phishing protection solutions for businesses.
Stay safe out there, and remember—there are plenty of phish in the sea.