In India’s rapidly expanding digital economy, businesses, especially startups and merchants, are facing a new wave of sophisticated threats. While many are prepared for technical attacks, a more insidious danger is on the rise: one that targets not systems, but people. This guide is designed for business leaders, founders, and merchants to understand and defend against a complex social engineering threat that has moved from personal spaces into the corporate world, threatening your finances and reputation. Here’s what you need to know to keep your business safe.
Key Takeaways
This report analyzes the evolving threat of Catfishing, redefining it as a critical and escalating corporate threat for Indian businesses. The primary findings for merchants, startup founders, and business leaders are:
- Catfishing is a Business Impersonation Threat: In a corporate context, Catfishing is a form of social engineering or “Business Impersonation Fraud.” Scammers create fake professional identities (like executives, vendors, or recruiters) to manipulate employees, steal funds, and damage brand reputation.
- AI is the New Accelerator: Generative AI and deepfakes now allow attackers to create flawless, persuasive messages and fake media, making these impersonation scams harder to detect than ever before.
- Defense is a ‘Human + Tech’ Firewall: Technology like secure payment gateways and KYB checks is critical, but insufficient. The most effective defense combines tech with a “human firewall”—robust employee training and simple, mandatory policies like “out-of-band verification” for any urgent financial request.
Redefining “Catfishing” for the Indian Enterprise
Beyond Personal Deception: The New Corporate Threat
The term “Catfishing” is most widely understood from its origins in personal deception, which was popularized by a 2010 documentary. While this defines the origin of the term, it dangerously obscures its modern, corporate application.
For Indian merchants and startup founders, this personal context is a distraction. In the enterprise world, Catfishing is a targeted method of social engineering. The core mechanic—creating a fabricated online identity to build trust—remains the same. But the “persona” is no longer a potential romantic partner; it is a CEO, a new vendor, a human resources recruiter, or a trusted supplier. The goal of corporate Catfishing is financial gain, data theft, or unauthorized access. The “emotional deception” is replaced with the manufacturing of professional trust. An employee who is manipulated into trusting a scammer may be duped into transferring funds, sharing corporate credentials, or unknowingly disclosing sensitive intellectual property.
Why Indian Startups and Merchants are Prime Targets
The current Indian business landscape, characterized by rapid digital transformation and a hyper-growth startup culture, creates a unique set of vulnerabilities.
India’s digital economy is advancing, and the startup ecosystem prioritizes speed and agility. This leads to the rapid adoption of digital-first tools for seamless vendor onboarding and instant payments. This creates an “Agility-Vulnerability Paradox.” As procurement and invoicing go digital, “speed is often prioritized over depth in risk checks”. Scammers exploit this by using urgency to bypass verification policies. Furthermore, the competitive job market and high-volume, high-urgency atmosphere of festive sales create ideal conditions for these scams.
The Catfishing Threat Matrix: How Impersonation Scams Cripple Businesses
The threat of business Catfishing is a matrix of four distinct vectors, each using impersonation to target a different part of the business.
Threat Vector 1: CEO and Executive Fraud (Business Email Compromise)
This form of Catfishing, also known as CEO Fraud or Business Email Compromise (BEC), targets businesses that regularly perform wire transfers. The attack vector in India has migrated from email to instant messaging. This is evident in a recent fraud case in Kolkata, where an accountant at a firm was duped out of ₹98 lakh. An analysis of this case reveals the modern anatomy of the attack:
- The Channel: The attacker used an unknown WhatsApp number.
- The Impersonation: The attacker’s profile displayed the company CEO’s photograph.
- The Tactic: The message cited “urgent business needs” to create a sense of pressure and panic.
This “Business WhatsApp Compromise” bypasses all traditional email security protocols and is alarmingly effective.
Threat Vector 2: Vendor and Procurement Fraud
Vendor fraud is a “silent risk” that can cripple a business. This vector involves an attacker impersonating a legitimate supplier or inventing a “ghost vendor” (a shell company) to submit fake, inflated, or duplicate invoices. This risk is rising in India due to complex regulations (making documents like GST registration easy to fake) and the “speed over depth” priority in digital vendor onboarding. Many businesses also lack continuous monitoring of vendor credentials, checking them only once at onboarding.
Threat Vector 3: Recruitment and Reputation Damage
This form of Catfishing does not steal from the company; it steals using the company’s reputation. Scammers create fake personas of HR representatives from well-known, trusted brands to defraud hopeful job seekers. Scammers have impersonated major FMCG and q-commerce firms, conducting fake interviews and charging victims thousands in “processing” or “registration” fees. This “Reputation-Poisoning” attack is a C-suite-level problem. The more successful and well-known an Indian startup becomes, the more likely its brand will be catfished and used as a lure.
Threat Vector 4: Brand and Customer Impersonation
This is Catfishing at an industrial scale. Here, the “fake identity” is a fake e-commerce store or brand social media account. Scammers create look-alike websites to trick a merchant’s customers into making purchases. This threat is supercharged by AI. A 2025 McAfee study on AI-driven scams in India revealed staggering statistics:
- Over 36,000 fraudulent websites impersonating a major e-commerce marketplace were identified.
- Over 75,000 impersonation text messages were sent.
- The scams include deepfake videos of influencers appearing to endorse fake products.
Table 1: The Business Catfishing Threat Matrix
| Threat Type | Attacker’s Persona (The “Catfish”) | Target (Internal/External) | Attacker’s Goal | Key Indian Red Flag (from research) |
| --- | --- | --- | --- | --- |
| CEO Fraud / BEC | “Your CEO” or “CFO” | Finance or HR Employee (Internal) | Illicit Wire Transfer | “Urgent” request via WhatsApp from an unverified “CEO” number. |
| Vendor Fraud | “Legitimate Supplier” / “Ghost Vendor” | Procurement or Accounts Dept (Internal) | Payment of Fake Invoices | Mismatched or unverifiable GST/CIN details; “speed over depth” onboarding. |
| Recruitment Fraud | “Your HR Department” or “Recruiter” | Job Seekers (External) | Steal “Fees” / Data Theft | Job offer made via SMS/WhatsApp; request for upfront payment or “training fee”. |
| Brand Impersonation | “Your E-commerce Store” | Your Customers (External) | Steal Credentials / Sell Fake Goods | “Too good to be true” offers; deepfake celebrity endorsements; fake delivery texts. |
The AI Accelerator: How Technology Is Making Catfishing Scams More Convincing
From Bad Emails to Believable Personas
A cornerstone of past cybersecurity training was to “look for spelling and grammar errors”. This advice is now dangerously obsolete. Large Language Models (LLMs) allow criminals, regardless of their native language, to generate flawless, persuasive, and context-aware text, eliminating traditional red flags.
The Deepfake and Data-Scraping Threat
Beyond text, AI provides data-scraping tools and synthetic media generation (deepfakes). This allows for a “Synthetic Persona” Attack that is far more convincing.
- Scrape and Target: The attacker mines professional networks like LinkedIn to identify a target and map their professional relationships.
- Personalize: The attacker uses an LLM to craft a hyper-personalized message referencing real projects or colleagues.
- Deceive: The attacker initiates contact using the “Business WhatsApp Compromise” method.
- Convince: If the employee hesitates, the attacker uses an AI-powered voice clone or deepfake video to defeat skepticism.
A Proactive Defence Framework for Indian Businesses
Technological Defences: Your First Line of Security
A business’s financial infrastructure is the first line of defense. Any platform handling payments must be, at a minimum, PCI-DSS Level 1 Compliant. Merchants should ensure their payment systems use tokenization, which replaces sensitive card data with a unique “token.” This means sensitive data never touches the merchant’s servers, massively reducing risk. Since attackers are using AI, businesses must use AI to detect it. Modern payment platforms incorporate in-house AI fraud detection engines to analyze transaction patterns and block fraud in real-time.
Process & Policy: Building a “Human Firewall”
Technology cannot stop an employee from being tricked into authorizing a fraudulent payment. This is where process and policy—the “human firewall”—become the most critical defense.
Mandate “Out-of-Band” Verification (The Golden Rule)
The ₹98 lakh Kolkata CEO fraud would have failed if one simple policy had been in place. This policy is “out-of-band” verification. It must be non-negotiable: “Any urgent or unusual financial request (wire transfer, password change) received via a single channel (email, text, or WhatsApp) MUST be verified through a separate, known communication channel.” This means if a “CEO” texts from a new WhatsApp number, the employee’s required action is to call the CEO on their old, known office or mobile number to verify. This simple, low-tech step breaks the scammer’s entire model.
Implement Rigorous Vendor Onboarding (KYB)
To combat vendor fraud, businesses must move beyond “speed over depth”. A strict vendor onboarding checklist is essential. This process must include independently verifying all regulatory numbers (GST, CIN) against official databases and verifying bank account details before the vendor is added to the payments system.
Enforce Strict Internal Access Controls & Training
Access to critical systems must be limited. Use Two-Factor Authentication (2FA) on all financial dashboards, define and enforce strict user roles, and enforce a “one user, one account” policy. This must be combined with continuous employee training to recognize these new social engineering threats.
What to Do After an Attack: A Response and Reporting Guide
If a business or its employees fall victim, a fast and structured response is critical.
Step 1: Immediate Response (The Golden Hour)
For any financial fraud, there is a “golden hour” to act.
- Immediately call the National Cyber Crime Helpline at 1930. Reporting immediately initiates a process with banks to attempt to trace and freeze the stolen funds.
Step 2: File a Formal Complaint
After the call, file a formal complaint at the official Government of India portal (https://cybercrime.gov.in/). This is the central mechanism for reporting all cybercrimes and is necessary for any police or legal action.
Step 3: Report Suspicious Communications
To help authorities track and block scammers, report suspicious communications (calls, SMS, or WhatsApp) on the Chakshu facility on the Sanchar Saathi portal.
Step 4: Stay Informed
Stay informed by monitoring official advisories from CERT-In (https://www.cert-in.org.in/), India’s national nodal agency for cybersecurity.
Securing Revenue Beyond Payment Acceptance
An analysis of the threats indicates that businesses must pair human policies with technological safeguards. The modern payment infrastructure chosen by a merchant is not merely a processor but a critical security partner.
Effective security begins with adherence to global standards. A payment gateway must be 100% PCI DSS Level 1 Compliant, ensuring all data is managed according to the most stringent security protocols. This is complemented by server-side tokenization, a technology that ensures sensitive card data never touches a merchant’s servers, thereby protecting them from data breach liability.
To counter AI-driven threats, these platforms must leverage AI-driven defenses. Advanced in-house AI fraud detection engines, such as ‘Thirdwatch,’ utilize machine learning trained on billions of data points to proactively identify and block fraudulent transactions in real-time, protecting revenue without blocking genuine customers.
For comprehensive financial protection against fraudulent disputes, solutions like Razorpay Chargeback Shield are available. Such systems leverage AI to offer zero fraud chargeback liability, absorbing the financial loss from fraudulent chargebacks and protecting a merchant’s bottom line. Businesses can explore these advanced security suites to build a comprehensive defense against the financial and reputational risks of fraud.
Conclusion: From Unaware Target to Resilient Enterprise
This analysis demonstrates that “Catfishing” has evolved far beyond its colloquial definition. For Indian founders and merchants, it is a C-suite-level business impersonation threat that strikes at the heart of an organization: its finances, its reputation, and its customer relationships.
The “Agility-Vulnerability Paradox” that defines the Indian startup ecosystem is being exploited by scammers. The solution is not to slow down, but to build smarter. These threats are not technological problems alone; they are human problems. They exploit trust, authority, and anxiety.
A resilient enterprise in this new landscape must be built on a dual-pronged defense:
- Smart, Modern Technology: A payments and financial infrastructure that acts as a security partner, integrating AI-fraud detection, tokenization, and robust compliance.
- A Smart, Skeptical Workforce: A “human firewall” built through relentless training and the enforcement of simple, unbreakable policies like “out-of-band verification”.
Defending that trust—from employee impersonation, vendor fraud, and customer-facing deception—is now a critical and non-negotiable cost of doing business.
Frequently Asked Questions (FAQs)
1. What is the difference between business Catfishing and phishing?
Phishing is typically a broad, one-time, “spray and pray” attack, like a mass email. Its goal is to trick anyone into clicking a malicious link immediately. Business Catfishing is a targeted, long-term attack, a form of social engineering. The scammer creates a fake identity (like a vendor or executive) and may spend weeks building a relationship to gain trust. The final “ask”—like a large wire transfer—is highly specific and directed at a single, researched individual.
2. How can a business identify if a new “vendor” or “partner” is a catfish?
Several red flags exist. Their online presence may be weak, new, or have few connections. They will consistently have excuses to avoid a video call or an in-person meeting. Their stories may have inconsistencies, or the opportunity they present seems “too good to be true”. For vendors specifically, the biggest red flag is any inconsistency or unwillingness to provide documentation for their business registration (GST, CIN) or bank details, or if they pressure the business to skip these verification steps.
3. A business’s brand is being impersonated online. What steps should be taken?
Act quickly to protect customers and brand reputation.
- Publicly warn customers on all official social media channels and the company website.
- Report the fraudulent website or social media profile to the respective platform provider (e.g., Shopify, Facebook, or the domain host) for takedown.
- File a formal complaint on India’s cybercrime reporting portal (https://cybercrime.gov.in/) to create an official legal record of the impersonation.
4. Are employees at risk from Catfishing on professional sites like LinkedIn?
Yes. LinkedIn is a primary “hunting ground” for professional Catfishing. Scammers create fake but credible-looking professional profiles, connect with employees, and build professional trust. They then use this trust to lure employees into investment scams, recruitment fraud (posing as a recruiter for another firm), or sophisticated data-gathering operations that can lead to a future breach.
5. What is the first action to take if an employee wires money in a CEO fraud scam?
Call the National Cyber Crime Helpline 1930 immediately. The period right after a financial fraud is known as the “golden hour”. This helpline can coordinate with banks and financial institutions to attempt to freeze or block the transaction before the scammer can move the funds. This must be the first call. After this, the business should file a full report at cybercrime.gov.in.
6. Why do scammers in India often ask to move a conversation to WhatsApp?
Scammers do this for two strategic reasons. First, it moves the conversation off the original platform (like a job portal or LinkedIn) where they might be monitored and reported. Second, WhatsApp is perceived as a more personal, private, and urgent channel. This helps the scammer build a false sense of familiarity and trust, making their “urgent” requests for money or data seem more plausible.