We’re a new publication dedicated to reporting on how the most important trends, challenges and opportunities of the day connect to one another – and require connected solutions. Learn more.
Get the best of Grid in your inbox
Though morally dubious, a lot of catfishing is technically legal.
If you’ve spent time on the internet, chances are you’ve been the target of a catfishing scam. And if you took the bait, you certainly weren’t the only one. Last year, in the U.S. alone, 24,000 people reported losing collectively $1 billion to romance catfishing scams, according to FBI data; that doesn’t account for the cases that weren’t reported and the many other categories of catfishing schemes.
Netflix recently highlighted what may be the most famous case of catfishing to date in “Untold: The Girlfriend Who Didn’t Exist,” a documentary about the Notre Dame football star Manti Te’o who fell for who he thought was a woman named Lennay Kekua online. Instead, Te’o was the victim of a scheme by a trans woman named Naya Tuiasosopo, who began the relationship before her transition.
But internet catfish live in murky waters, and catching, charging and convicting them is difficult at best and most often just not possible. Law enforcement doesn’t have the time or resources to track down catfishers who are quite often separated from their victims by states or even countries — meaning jurisdiction gets in the way as well. Add to that, not all catfishing behavior is illegal.
“The hardest part of dealing with a catfishing issue is that it’s often very difficult to see the full picture,” said Edward McAndrew, a long-tenured cybercrime prosecutor formerly at the Department of Justice. “You see little bits and pieces at different times. It’s like looking at an iceberg if you think about it from all these different perspectives, and unless you somehow could see both above water and underwater and all around, and 360 degrees, you really can’t understand the full scope of that iceberg and that catfish.”
Grid spoke to McAndrew, currently a cybersecurity and litigation partner at BakerHostetler, about the point when catfishing turns illegal, what it takes to take down a catfish and who is legally responsible for preventing it from happening (and stopping it when it does).
When considering the murky waters of the internet and catfishing, McAndrew often recalls a viral illustration: Two dogs sitting in front of a computer, one saying to the other: “On the Internet, nobody knows you’re a dog.”
This principle is surprisingly resonant when defining catfishing, which has no one specific legal definition. “I generally think of it as I think most people do: misrepresenting one’s identity for some purpose that is illegal,” McAndrew said.
But there is a large caveat that separates how many small-time internet scammers operate — those who set up fake dating profiles for their own amusement or use burner accounts on social media.
“It’s not illegal in and of itself to misrepresent your identity on the internet,” McAndrew said.
The line is crossed with what McAndrew calls “criminal intent” and “proscribed action” — evidence of premeditated deception using an element of false identification and following through to, most often, steal from, extort, exploit or otherwise injure someone.
According to McAndrew, though the term “catfishing” doesn’t appear in name in any federal laws, its practice is described — and considered illegal — in conjunction with several crimes.
The majority involve money-scamming: identity theft, financial fraud and intellectual property infringement. In committing these crimes, a perpetrator is likely to misrepresent some combination of their name, Social Security number, photo ID, infringement on someone else’s copyright or trademark, biometric identifier or even an email address or social media account.
These common elements of catfishing can be grounds for prosecution, so long as there is criminal intent and a proscribed act. For this reason, hacking — including through the misuse of personal usernames or passwords and against individuals, small companies or large corporations — also can fall under the catfishing umbrella. “Almost all hacks have, as one of their components, the misuse of an account, which is someone’s identification.”
But the most concerning forms of catfishing are undertaken with darker intentions, in association with violent or more malicious crimes. One of the first suicides attributed to the internet — the Megan Meier case — McAndrew recalled, was the result of an adult using a fake profile to emotionally manipulate a young student. The practice of creating fake accounts and threatening to publish private and/or hurtful information of journalists, public figures or any person often may satisfy the intent and “proscribed act” needed to prosecute under different criminal laws.
Cyberstalking, McAndrew said, has become one of the most common crimes that harness catfishing. Under federal law, according to McAndrew, cyberstalking includes using the internet to engage in a course of conduct with “an intent to kill, injure, harass, intimidate, or spy on another person” and a “prescribed result” — causing emotional distress or a reasonable fear of death or serious injury to a person or to that person’s family member, romantic partner, pet or emotional support animal.
That means “catfishing” that targets a person’s pet catfish can violate the federal cyberstalking law.
The explosion of social media has made it easier to commit crimes on the internet, McAndrew said, but it has also helped in catching perpetrators. As has been popularized on shows such as “To Catch a Predator,” law enforcement has certain liberties when it comes to reverse-catfishing, he said.
“There’s the legal side of catfishing and the illegal side of catfishing,” he said. “The best witnesses we have now are devices, apps and the data that they collect and produce that tell us, down to the millisecond, who did what, when, how and why.”
Law enforcement officials have also been trained to use fake accounts for the purposes of gathering evidence, especially on child predators. Agents can pose as parents, children or even other “like-minded” perpetrators — using image software or photos of them as a child. “Being someone else on the internet is something you can do for good purposes, bad purposes, something in between or for no significant purpose at all.”
When people report being a victim of catfishing (and they often don’t) to law enforcement, investigators have to ask a number of questions about whether moving forward in an investigation will actually get anywhere and is worth the time and use of scarce investigative resources, said McAndrew.
That list includes: What can we do about this? Is it illegal conduct? Can we prove it through admissible evidence? How would we investigate it? Do we have time to investigate it? How long would it take to bring a successful case? Do we have resources to investigate it? Unfortunately, said McAndrew, the answers to those questions usually lead to a decision not to pursue a criminal investigation because the resources just aren’t there to keep up with the massive number of catfishing schemes going on at any given time.
“There’s been such an explosion in technology-facilitated crime over the last 10 to 15 years that federal, state and local law enforcement agencies simply cannot keep up with the amount of conduct that’s going on. They don’t have — and we have not given them — the resources that they need to really get down to the individual citizen level of dealing with cybercrime on a daily basis,” McAndrew said.
What ends up happening in many cases, he said, is that law enforcement only steps in at the point when catfishing turns physically violent, because that’s the point when a crime clearly has been committed.
“And sadly, this happens a lot with online romance and fraud schemes, domestic abuse cases, and child exploitation crimes,” he said, “where it’s only when you get to a really bad outcome and look backward that you may be in a position to connect all those dots and see the full course of conduct.”
Jurisdictional issues make this especially messy, said McAndrew, because internet-based conduct flows across geographical borders. Both federal and state law enforcement agencies may have jurisdiction over internet-based crimes, but only if the criminal conduct is connected to the geographical area over which a particular court has jurisdiction and law enforcement can physically bring that criminal before that court.
“We used to say, ‘venue schmenu.’ We have jurisdiction over the internet because the conduct involves interstate commerce,” he said. “It’s something that runs across our physical boundaries in the United States. But you need some portion of the conduct to have occurred, at least on the criminal side, in the geographical area over which the particular court that you’re going to present your case in or bring your grand jury investigation in has jurisdiction.”
If the catfisher is located in a foreign country, said McAndrew, other questions arise such as can the catfisher be physically brought before the court and thrown in jail if they’ve violated a U.S. law and are sentenced to jail time. “That often depends on what country you’re talking about,” he said.
“As a country, we cannot get to the [catfishers] who are beyond our borders, and often across oceans, without the help of other countries. And some countries are helpful, and others are not.”
How responsible platforms are for “being weaponized” said McAndrew, is one of the “central policy questions that we’re debating in our society right now.”
From a law enforcement perspective, he said, you have “client-side evidence” such as devices — phone, laptop, tablet — and then you have “server-side evidence” or cloud-based evidence — Facebook account, Instagram account, etc. And both can be “great repositories of evidence that you can use to investigate activity and build cases.”
In the pre-Edward Snowden days (the case that made tech giants nervous about freely sharing back-end user data with investigators), platforms were more willing to share information with the U.S. and even other governments in aid of criminal investigations, said McAndrew. “That was when social media was new and we didn’t know exactly how people would use these platforms, or even how the platforms worked.”
Today, there is much more of a focus on privacy, and you see platforms and device manufacturers using that as a marketing strategy, he said. Entire marketing campaigns are built on the notion that “we provide greater privacy than other companies — think of encrypted apps, encrypted communications, device security features.”
With that evolution, said McAndrew — understanding how people are using the platforms (not always for good) and the call for privacy (perhaps not always a platform priority despite the marketing) — tech companies have long taken the stance that they are not responsible for what happens on their platforms.
There is often a strong legal basis for that view, said McAndrew. Social media platforms have leaned on Section 230 of the Communications Decency Act — a bedrock principle of internet law, said McAndrew — which grants immunity for certain types of content posted on their platforms by others — with implications for everything from Jan. 6, to mass shootings, to individual hate crimes, bullying and catfishing.
But the call for companies to take at least some of the responsibility is growing stronger, said McAndrew.
One of the clearest examples of that of late is Congress passing FOSTA-SESTA in 2018. The legislation — the result of a House bill called the Fight Online Sex Trafficking Act combined with provisions from a Senate Bill called the Stop Enabling Sex Traffickers Act — removed the Section 230 immunity shield for activities relating to sex trafficking. In recent years, McAndrew noted, Congress has considered various proposals to curtail the scope of Section 230 immunity.
“What we’re seeing now is a governmental pushback that really started in Europe and is now moving into the United States that’s saying, ‘You do have some responsibility here, because you control it. And you have visibility and perspective that no one else does. And therefore, you can help interdict the conduct, or at least respond to the conduct.’ So, I think we’ll continue to see a robust policy debate on the appropriate role of social media platforms and other technology platforms in spotting and responding to significant unlawful conduct.”
Thanks to Lillian Barkley for copy editing this article.
Christian Thorsberg is a reporter for Grid.
Suzette Lohmeyer is the senior editor at Grid, where she focuses on daily news.
Sign up for Grid Today and get the context you need on the most important stories of the day.