Online dating apps back in 2012 weren’t the torrent of swipes, profiles, bots, and inane hookup lines that they are today, but they did bring us a fascinating new use of social media: a phenomenon called catfishing.
A "catfish" is a person who creates fake personal profiles on social media sites, using someone else's pictures and false biographical information to pretend to be someone other than themselves. These "catfish" often try to trick one or more unsuspecting people into falling in love with them, and then extort money, presents, or other favors once enough personal information has been exchanged. Eight years ago, with the uptick in dating sites on the internet, catfishing became such a widespread phenomenon that a television show was developed around the concept.
On each episode of Catfish, the creators are “tipped off” by a person who is suspicious about their online lover. The show’s creators then run their own mini cyber investigation and build a cyber profile of the exploiter, using techniques such as reviewing their social media profiles and tracing IP locations. Their goal is to “out” the catfisher and expose them on television. I was into the program for the drama, but I did not realize until later that Catfish was my first foray into everyday cybersecurity. Today, most internet natives know about reverse googling an image—I learned it from Catfish. I also learned when I was in college that the average curious person can find out what region, city, and town you are in when you're on the Internet with only your IP address. Most catfishers, at least at the time of the show, did not cover their tracks using VPNs or spoofing IP addresses.
I remember watching the show and thinking, “How could someone be so stupid? Do people really fall for that? How could they have let that go on for so long?” Working at Forcepoint has taught me these are the wrong questions to ask. Human-centric cybersecurity starts with asking the right questions: What is the context? What about human behavior makes us susceptible? What need was the person trying to satisfy? People don’t function like computers. They might be curious, or lonely, or careless, or just having a bad day. Catfish the show never concerned itself with why the victim was vulnerable. Instead, it illustrated that we are all vulnerable—if not to malware, then to other people.
Catfish got something else right: they identified that humans are social creatures, and the tools in use, both by the fish and the bait, must adapt to that framework. Pro catfishers, or, as we would call them in the industry, social engineers, also take advantage of human tendencies. Humans want things to be easy, so they create firewalls with so many policy and port exceptions they are more dangerous than helpful.
It is so important to realize that some of the very things that make us most human, including curiosity or looking for love, are what lead to some of the most far-reaching social engineering cyber schemes, at home or in the workplace. It took one impersonation (and one lonely person) to trigger one of the most far-reaching spam campaigns: ILOVEYOU, a.k.a. Love Bug. That’s why today’s cyber tools have to approach solving problems differently by being human-centric, because humans are the new perimeter.
Forcepoint’s cybersecurity tools, like Forcepoint Next Generation Firewall’s intrusion protection systems, and Forcepoint’s dynamic data protection and risk adaptive monitoring, are human-centric. They are about applying policies that adapt to the risk level of the individual. Catfish the show may no longer be airing new episodes, and folks are more aware of common entrapment tools, but Forcepoint knows there are still plenty of fish in the sea. And in our world, we don’t catch and release.