Catfishing is the creation of a fake digital identity, a person invented from scratch, to deceive a victim and sustain what looks like a genuine relationship with them. The term originated in online dating and romance fraud, but in 2026 it also describes a fully corporate threat vector. When the target stops being a vulnerable individual looking for a partner and becomes an employee with privileged access, an unsuspecting recruiter or an executive with public exposure, catfishing turns into a social engineering tool with a direct impact on the security of the organization.
Key points
- Catfishing is the fabrication of a complete online persona (identity, photos, backstory, behaviour) to earn a victim's trust and exploit it.
- It differs from phishing, vishing, pharming and BEC because it does not forge a single message: it builds and maintains a fake relationship over time.
- In the corporate arena it translates into fake recruiters and candidates on LinkedIn, romance fraud that leads to insider access and extortion, and executive sextortion.
- Video and voice deepfakes have removed the classic "ask for a video call" safeguard, which demands stricter verification protocols.
- Defence combines awareness, reinforced identity verification and the security training obligations of Article 21 of the NIS2 Directive.
What catfishing is
Catfishing means operating under a completely false identity and sustaining it over time. The attacker does not merely impersonate a real person: in most cases they invent someone who does not exist, with a name, photographs (often stolen from third parties or generated by AI), a coherent employment history and a carefully maintained pattern of behaviour. The goal is not an immediate click, but the cultivation of a trusting relationship that can later be monetized or exploited.
That temporal dimension is what sets catfishing apart from the rest of the social engineering family. Where a phishing email seeks an impulsive reaction in seconds, catfishing invests weeks or months. That investment is precisely what makes it dangerous in a professional context: the victim does not perceive an attack, they perceive a relationship.
The psychological mechanics of the deception
Catfishing exploits well documented psychological levers from the social engineering literature. The first is reciprocity: the attacker shares fabricated confidences so the victim lowers their guard and reciprocates. The second is consistency and commitment: once someone has invested emotional time in a relationship, they tend to rationalize warning signs rather than admit the mistake. The third is a manufactured urgency that arrives only at the end: a medical emergency, an investment opportunity or a supposed crisis that demands money or access right now.
The result is a victim who acts convinced they are helping someone they trust, not that they are responding to a stranger. That conviction neutralizes much of the traditional antiphishing training focused on spotting isolated suspicious messages.
Catfishing versus phishing, vishing, pharming and BEC
It helps to place catfishing on the map of impersonation vectors, because they are often confused and defended in different ways.
- Phishing: mass delivery of fraudulent messages, almost always by email, imitating a legitimate entity to steal credentials or deliver malware. It is transactional and single interaction. You can dig into the different types of phishing and their targeted variants.
- Vishing: fraud over the phone channel, where the attacker impersonates technical support, a bank or an executive to trigger a specific action. Vishing is voice based and usually resolves in one or a few calls.
- Pharming: manipulation of DNS resolution or the hosts file to redirect the victim to a fraudulent site with no deceptive link involved. Pharming is a technical attack on infrastructure, not on the relationship.
- BEC (Business Email Compromise): impersonation of an executive or supplier, typically over a compromised account or a look-alike domain, to divert a payment or sensitive data. It leans on authority and urgency, not on a long relationship.
Catfishing is different because its unit of attack is not the message but the bond. It is a vector of sustained identity deception. That is why it can end up enabling any of the above: a trusted fake persona sends a link and the victim opens it without hesitation, because it comes from "someone they know".
The corporate dimension of catfishing
Moved into the enterprise, catfishing stops being a private romance problem and becomes a measurable security risk.
Fake recruiters and candidates on LinkedIn
LinkedIn has become the preferred ground for professional catfishing. Groups aligned with North Korea, grouped under labels such as the actors behind the fake job campaigns, have run fictitious recruiter profiles to lure engineers with job offers, steer them into a "technical assessment" and deliver repositories or PDFs carrying malware. The inverse vector also exists: fake candidates, using synthetic identities, who infiltrate as remote workers to draw salaries and, above all, to obtain legitimate access to internal systems.
Surface verification is not enough. A profile with a professional photo, five hundred connections and coherent experience can be built in an afternoon. The countermeasure is procedural: identity validation off the platform before any sensitive interaction.
Romance fraud as a route to insider access and extortion
The classic romance scam pursues money, but against a privileged employee the prize can be access. An attacker who sustains a fake relationship for months can ask the victim to install an app "so we can talk better", to share a screenshot of their corporate desktop or to run a seemingly harmless action. In its most severe form, the relationship turns into coercion: the victim is threatened with exposure of the relationship or the exchanged content unless they cooperate, moving from victim to enabler of an insider threat.
Executive sextortion
Sextortion aimed at executives combines catfishing and blackmail. The attacker cultivates a relationship, induces the exchange of compromising material and then demands a payment or information in return for silence. The public exposure of the role, which makes it easier to gather material and context, and the fear of reputational damage make executive profiles a profitable target. Much of this material ends up traded on underground forums, something that can be detected with dark web monitoring.
Deepfake-enhanced catfishing
For years the standard advice against a suspicious identity was simple: "ask for a video call". Real-time video and voice deepfakes have eroded that safeguard. An attacker can now appear on a call with a synthetic face and voice convincing enough to pass an informal check. This forces intuitive verification to be replaced by verifiable controls: context questions only the real person could answer, verification through a second known channel and, for critical operations, out-of-band confirmation.
Red flags and OSINT verification
Early detection relies on OSINT techniques available to any security team. These are the most useful signals and checks.
- Reverse image search: run the profile photos through Google Images, TinEye, Yandex or PimEyes. An image that appears associated with other names, or a stock photo, is an immediate red flag.
- Profile age and activity: accounts created a few weeks ago, with scarce or sudden activity, connections inconsistent with the stated career, or generic posts point to a fabricated identity.
- Verifiable inconsistencies: cross-check the company, role and dates against independent sources. An employer that does not recognize the person, or a degree that does not add up, are solid indicators.
- Systematic refusal of live verification: recurring excuses to avoid a video call, or calls of deliberately degraded quality, remain a warning sign even in the deepfake era.
- Accelerated emotional pattern followed by a request: intimacy disproportionate to the time elapsed that ends in a request for money, credentials or software installation is the canonical fraud pattern.
Defence: awareness, identity verification and NIS2
Effective defence against catfishing is organizational before it is technological, because the attack exploits human trust.
The first pillar is specific awareness. Conventional antiphishing programmes do not cover sustained deception well, so it is worth adding fake-relationship, fraudulent-recruitment and sextortion scenarios to training. A simulation and awareness exercise adapted to these vectors measurably improves the workforce's ability to recognize and report them without fear of punishment.
The second pillar is reinforced identity verification. Every sensitive interaction (hiring, access, movement of funds, supplier onboarding) must be validated through an independent, verifiable channel, not inside the same platform where the contact started. For critical operations, out-of-band confirmation must be mandatory and calibrated by amount or access level.
The third pillar is the compliance framework. Article 21 of the NIS2 Directive requires essential and important entities to adopt risk-management measures that explicitly include staff training and cyber hygiene. A programme that addresses relational social engineering is not just good practice: it fits the obligations that the NIS2 regulation places on the organization's management, which is accountable for its implementation.
Frequently asked questions
How does catfishing differ from phishing?
Phishing is a transactional, mass attack, usually a single message imitating a legitimate entity to trigger a click. Catfishing builds a fake relationship maintained over time to earn trust and exploit it later. Phishing seeks a reaction in seconds, catfishing invests weeks or months.
Is catfishing a real problem for companies?
Yes. It goes far beyond private romance fraud. It includes fake recruiters and candidates on LinkedIn, infiltration of remote workers using synthetic identities, romance fraud that leads to insider access and extortion, and executive sextortion. All of them have a direct impact on corporate security.
How can I verify whether a profile is fake?
Combine several OSINT checks: reverse image search of the photos (Google Images, TinEye, Yandex, PimEyes), review of the profile's age and coherence, cross-checking of the employer and role against independent sources, and attention to any refusal of live verification or to an accelerated intimacy pattern followed by a request.
Is asking for a video call enough to rule out catfishing?
Less and less on its own. Real-time video and voice deepfakes make it possible to pass an informal check. The video call should be complemented with context questions only the real person would know and with confirmation through a second, previously known channel.
What does NIS2 require against social engineering?
Article 21 of NIS2 requires risk-management measures that include training and basic cyber-hygiene practices for staff, with explicit accountability for management bodies. An awareness programme that covers catfishing and identity deception fits directly within those obligations.
Related resources
- What is social engineering
- What is vishing: voice attacks against business
- What is a deepfake: business threats in 2026
- Types of phishing
- What is pharming
- What is OSINT
Catfishing prevention with Secra
At Secra we help organizations reduce their exposure to identity deception: design of out-of-band verification protocols calibrated per operation, awareness programmes with fraudulent-recruitment, romance-fraud and sextortion scenarios, identity-validation procedures for HR and procurement, and brand and dark web monitoring for the early detection of fake profiles and compromised material. We work from real documented incidents and align the programme with the obligations of the NIS2 Directive.
Request an initial assessment and plan with us a catfishing defence strategy adapted to your organization.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

