Lessons In Reconnaissance From Catfish: The TV Show

In 2013, MTV released a new television show called Catfish: The TV Show (Catfish for short). Catfish is based on a documentary of the same name created by Nev Schulman and follows his journey to meet the woman he met online and developed a relationship with only to find out that she wasn't who she said she was. The TV show follows the same format. Nev and his co-host, Max (Max leaves during season 7 so there are different co-hosts some times), will read an email from someone ('the victim') explaining their situation. "I met this person online. They're really hot and we have great conversation. There's only one problem. They won't meet me in real life. I only have 2 pictures of them. They won't video chat. They won't talk on the phone." It usually rolls like this for every single episode.

I'd like to note that the producers of Catfish:The TV Show revealed that often times the catfish is the one to write the show because they're ready to come clean. The producers will then connect the dots back to the victim and have the full story. However, Nev and Max have no idea who the catfish is and their investigations during the show are real. Wild. I know.

Nev and Max will then go meet the victim in person to get the full story and find out more information about the catfish. Once that's done, the investigation starts.

Catfish gif

The Catfish's OPSEC vs Nev and Max's OSINT

OPSEC stands for operational security and it's basically used to describe the things you do to keep the people you don't want in your business, out of your business. Check out this link for a more detailed understanding of OPSEC. OSINT stands for Open Source Intelligence and is used to describe a set of publicly available, and often times free, tools that can be used to obtain information about someone or something.

The investigation portion of Catfish is a battle of OPSEC vs OSINT. Nev and Max will use free and publicly available tools to try to find out who the catfish really is. They'll usually begin by doing a reverse image search on Google. If the catfish is using pictures that are on a public social media account or a picture that can be seen by Google's crawler, then it'll show up in the results. If the picture doesn't produce any results, it doesn't necessarily mean the picture isn't the catfish but it doesn't confirm it either. The catfish can get around this by checking the images first in Google Image Search before using it.

Next Nev and Max will try to do a phone number lookup. The show hides the specific names for the tools being used in the show, but there are enough tools out there to get the same results. I found True People Search to be particularly useful. It will tell you who that number has been tied to with that person's full name and location. A catfish could get around this by using a Google Voice number for free.

If neither of these tools turn up any results, they'll begin to dig into the details provided to them by the victim. Starting with the social media profile they check a few things:

  • How many friends/followers does this person have? Too few looks suspicious. To combat this, some of the catfish on the show will friend hundreds of random people.
  • Is anyone tagged in any pictures or commenting and liking posts and photos? Finding someone who has met this person in real life would be helpful in figuring out if this person really exists or not. Then you're at the mercy of that individual because they could be lying too.
  • Where does the profile say this person is employed? Nev and Max will call the employer and ask for that person to establish if they're really employed where they say they are using a little bit of social engineering.
  • What's the username used for the profile? They can use this to search other social media platforms for profiles with the same username since people tend to stick to the same one. This is poor OPSEC on the catfish's part.

Usually the catfish's OPSEC is fairly predictable. Someone pretending to be of the opposite sex will usually refuse to have phone calls and video chats; instead choosing to stick to texting. Someone who doesn't look like their pictures will usually refuse to video chat or video chat in the dark while obscuring their face, but will do phone calls. If they're using a friend's pictures, they're more likely to be able to produce better pictures that look like they're coming from the person they're pretending to be. This is in contrast to someone using a stranger's photos and only being able to use the pictures they can find of that person online.

Sometimes, the show will use more advanced OSINT. For example, in season 7 episode 8 Nev sends a text message to the Catfish containing a link that would send the IP address of the person who clicked on it.

The show wraps up with a confrontation between the catfish and the victim. It honestly doesn't matter who won the battle of OSINT versus OPSEC because Nev will always just reach out to the catfish directly to establish a meeting. The only difference the battle makes is how much information Nev, Max, and the victim go into the confrontation with beforehand.

I've been watching a lot of this show lately. I come for the OPSEC vs OSINT battle and stay for the messy confrontation at the end.

Catfish Kelly Price Gif


Antoinette Stevens

Antoinette Stevens

Writing about tech and security.

comments powered by Disqus