The technique began in the Chinese underworld, and it amounts to an unusually protracted form of social engineering. The analogy is with fattening up a pig, then butchering it for all it’s worth. In this case the analogy is wayward, since the criminal doesn’t really fatten up the pig, not that much, anyway, but it works at least this far: they develop the marks slowly, and they get the marks to fatten up the accounts they ultimately drain.
It begins with a cold call, without there necessarily being any other preparation. “Scammers cold-contact people on SMS texting or other social media, dating, and communication platforms,” Wired writes. “Often they’ll simply say ‘Hi’ or something like ‘Hey Josh, it was fun catching up last week!’”
And an act of common courtesy, telling the caller in effect they’ve got the wrong number, sets the social engineering in train. “If the recipient responds to say that the attacker has the wrong number, the scammer seizes the opportunity to strike up a conversation and guide the victim toward feeling like they’ve hit it off with a new friend. After establishing a rapport, the attacker will introduce the idea that they have been making a lot of money in cryptocurrency investing and suggest the target consider getting involved while they can.”
Like any classic confidence game, pig-butchering works by developing rapport with the victim. That rapport may be rooted in loneliness (a lot of pig-butchering begins with contact on dating sites) or it may be rooted in a desire for financial gain. That second motive is often derided as “greed,” but that seems unfair–it’s as often as not a desire for financial security, and the criminals use the trust the victims develop for them over time to induce them to move funds into bogus financial services accounts that the criminals can eventually access, drain, and close out.
“Next, the scammer gets the target set up with a malicious app or web platform that appears trustworthy and may even impersonate the platforms of legitimate financial institutions,” Wired explains. “Once inside the portal, victims can often see curated real-time market data meant to show the potential of the investment. And once the target funds their ‘investment account,’ they can start watching their balance ‘grow.’ Crafting the malicious financial platforms to look legitimate and refined is a hallmark of pig butchering scams, as are other touches that add verisimilitude, like letting victims do a video call with their new ‘friend’ or allowing them to withdraw a little bit of money from the platform to reassure them. The latter is a tactic that scammers also use in traditional Ponzi schemes.”
Public education is widely held to be the key to controlling pig-butchering. “If people know the telltale signs and understand the concepts underlying the scams, they are less likely to be ensnared,” Wired writes. “The challenge, they say, is reaching the wider public and getting people who learn about pig butchering to pass on the information to others in their families and social circles.” Thus here as elsewhere, when it comes to defense against social engineering, new school security awareness training can help protect people against falling for the scam. (And when you receive that training, pass the warnings on to your family and friends.)
Wired has the story.