There is a New Trend in Social Engineering with a Disgusting Name: "Pig-butchering"

The technique began in the Chinese underworld, and it amounts to an unusually protracted form of social engineering. The analogy is with fattening up a pig, then butchering it for all it’s worth. In this case the analogy is wayward, since the criminal doesn’t really fatten up the pig, not that much, anyway, but it works at least this far: they develop the marks slowly, and they get the marks to fatten up the accounts they ultimately drain.

It begins with a cold call, without there necessarily being any other preparation. “Scammers cold-contact people on SMS texting or other social media, dating, and communication platforms,” Wired writes. “Often they’ll simply say ‘Hi’ or something like ‘Hey Josh, it was fun catching up last week!’”

And an act of common courtesy, telling the caller in effect they’ve got the wrong number, sets the social engineering in train. “If the recipient responds to say that the attacker has the wrong number, the scammer seizes the opportunity to strike up a conversation and guide the victim toward feeling like they’ve hit it off with a new friend. After establishing a rapport, the attacker will introduce the idea that they have been making a lot of money in cryptocurrency investing and suggest the target consider getting involved while they can.” 

Like any classic confidence game, pig-butchering works by developing rapport with the victim. That rapport may be rooted in loneliness (a lot of pig-butchering begins with contact on dating sites) or it may be rooted in a desire for financial gain. That second motive is often derided as “greed,” but that seems unfair; it’s as often as not a desire for financial security, and the criminals use the trust the victims develop for them over time to induce them to move funds into bogus financial services accounts that the criminals can eventually access, drain, and close out.

“Next, the scammer gets the target set up with a malicious app or web platform that appears trustworthy and may even impersonate the platforms of legitimate financial institutions,” Wired explains. “Once inside the portal, victims can often see curated real-time market data meant to show the potential of the investment. And once the target funds their ‘investment account,’ they can start watching their balance ‘grow.’ Crafting the malicious financial platforms to look legitimate and refined is a hallmark of pig butchering scams, as are other touches that add verisimilitude, like letting victims do a video call with their new ‘friend’ or allowing them to withdraw a little bit of money from the platform to reassure them. The latter is a tactic that scammers also use in traditional Ponzi schemes.”

Public education is widely held to be the key to controlling pig-butchering. “If people know the telltale signs and understand the concepts underlying the scams, they are less likely to be ensnared,” Wired writes. “The challenge, they say, is reaching the wider public and getting people who learn about pig butchering to pass on the information to others in their families and social circles.” Thus here as elsewhere, when it comes to defense against social engineering, new school security awareness training can help protect people against falling for the scam. (And when you receive that training, pass the warnings on to your family and friends.)

Wired has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
