By Mike Britton

At a time when sophisticated threats like ransomware are rampant, a new and devious breed of investment fraud has surfaced and is raising significant concerns: pig butchering. This sinister scam combines the dark art of social engineering with the volatility of cryptocurrency markets to devastating effect, costing victims hundreds of millions of dollars to date.

It’s a new twist on the romance scam, where cybercriminals engage their victims over the course of weeks or months to build their trust – even going as far as creating fabricated friendships or romantic relationships. Victims are then conned into making cryptocurrency investments through fake platforms designed to show massive returns until eventually, the criminals shut down the fake platforms, seize their victims’ hard-earned funds, and vanish without a trace.  

Threat actors have seen huge payouts in their shift from high volume/low yield “spray and pray” campaigns, to targeted and low volume – but massively high yield – social engineering attacks. And with these incentives, they won’t be slowing down anytime soon. With investment fraud now the number one cybercrime according to the 2022 FBI IC3 report, it is clear that this scam is successful, which means more criminals are likely to hop on the trend.

So, how can individuals stay informed about such devious social engineering threats, and how can organisations protect their workforce from falling victim to such campaigns? Let’s discuss in depth.

Staying informed about dominant social engineering tactics 

This relentless rise of pig butchering and other social engineering tactics underscores the critical need for individuals and organisations to remain informed and vigilant. Protecting yourself and your workforce from these sophisticated attacks requires a proactive approach, fostering a security-conscious culture and implementing robust, next-generation security measures. 

Firstly, it’s important for businesses to support a culture of healthy scepticism. Encourage employees to approach requests, especially those involving financial transactions, with a reasonable level of suspicion. Empower them to seek external verification and remind them that “better safe than sorry” should be their guiding principle when dealing with unusual or unexpected communication. Remember that it’s not just financial information that criminals are after in these sophisticated attacks – many are also looking to steal account credentials as a gateway into the broader organisation. Employees should be wary of any communication seeking to obtain sensitive information, financial or otherwise.

It’s also critical to improve your workforce’s resilience to such threats. The best way of achieving this is through social engineering penetration testing. Conduct regular tests to evaluate your workforce’s susceptibility to social engineering attacks. These controlled exercises simulate real-world threats, helping you assess the effectiveness of your security awareness training, compliance with security policies, and the strength of your network security controls.

Businesses should also adopt the Principle of Least Privilege (PoLP). Implement a zero-trust security approach, granting users access only to the specific data, software, and resources required for their job. By limiting access and adopting PoLP, you can reduce your organisation’s attack surface and minimise the impact of human error or successful attacks.

Additionally, employees should stay updated on emerging threats. It should be a general practice for any organisation to monitor cybersecurity news, research, and industry reports every day, to stay informed about new social engineering tactics and attack vectors. Share this information with your employees and incorporate it into your security awareness training.

Lastly, collaborate and share information. Join industry-specific cybersecurity forums, associations, and information-sharing communities to exchange knowledge, experiences, and best practices in combating social engineering attacks. 

Recognising the threat of BEC attacks

Even with persistent security awareness training, today’s socially engineered attacks, including business email compromise (BEC), are becoming so sophisticated and believable that they can still slip by even the most vigilant employees. First discussed in the FBI’s 2015 Internet Crime Report, BEC was the leading cause of financial losses for seven straight years. And while it was dethroned by investment fraud in the most recent 2022 report, these attacks were still responsible for $2.7 billion in total losses in 2022—a year-over-year increase of 14.5%.

These attacks are particularly concerning because legacy security technologies, such as secure email gateways (SEGs), struggle to intercept advanced socially engineered messages like those used in pig butchering, where the content of messages is strategically tailored to the victim and crafted to appear legitimate. Although SEGs can combat simple phishing attacks containing known malicious links or attachments, advanced BEC attacks that are designed to look real often bypass these systems. When an employee engages with an impersonator, it puts the organisation at risk, as the information obtained enables threat actors to launch more damaging attacks like investment fraud, or credential theft and account takeover.

Re-thinking your email security strategy 

With threat actors now utilising advanced social engineering tactics to impersonate high-profile executives, business associates, vendors – or in the case of pig butchering, romantic interests – conventional email security solutions are struggling with detection, especially when emails are text-based without traditional indicators of compromise. 

The next generation of email security, which relies on behavioural AI platforms, offers organisations a more dynamic approach to security that can keep pace with cybercriminals as they shift their attack methods.

AI-based cloud email security technologies are designed to baseline “normal” user behavior, including a user’s established relationships and how they typically engage in those relationships, to identify deviations from that baseline, and promptly mitigate malicious emails to prevent end-user interaction. Even the most subtle changes in user behavior or messaging content can trigger an anomaly that could indicate a potential attack. 
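The relationship baseline described above can be illustrated with a much simpler rule-based stand-in. This is an added example, not code from the author or from any email security product; the addresses, names, keyword list and function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed history of past mail: (recipient, sender display name, sender address)
HISTORY = [
    ("ana@corp.example", "Dana Reyes", "dana.reyes@vendor.example"),
    ("ana@corp.example", "Dana Reyes", "dana.reyes@vendor.example"),
    ("ana@corp.example", "Sam Okoro", "sam.okoro@corp.example"),
]

# Assumed keyword list; plain substring matching is a deliberate simplification.
FINANCE_TERMS = ("wire", "invoice", "bank details", "payment", "invest")

def build_baseline(history):
    """Record, per recipient, which addresses and display names they already know."""
    baseline = defaultdict(lambda: {"addresses": set(), "names": defaultdict(set)})
    for recipient, name, addr in history:
        entry = baseline[recipient]
        entry["addresses"].add(addr.lower())
        entry["names"][name.lower()].add(addr.lower())
    return baseline

def score_message(baseline, recipient, name, addr, body):
    """Return the list of deviations from the recipient's established relationships."""
    entry = baseline.get(recipient, {"addresses": set(), "names": {}})
    reasons = []
    if addr.lower() not in entry["addresses"]:
        reasons.append("first_contact")
        # A familiar display name arriving from an unfamiliar address
        # is the classic impersonation pattern.
        if entry["names"].get(name.lower()):
            reasons.append("display_name_reuse")
    if any(term in body.lower() for term in FINANCE_TERMS):
        reasons.append("financial_request")
    return reasons

def is_suspicious(reasons):
    """Hold for review only when a money request comes from outside the baseline."""
    return "financial_request" in reasons and "first_contact" in reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    msg = ("ana@corp.example", "Dana Reyes", "dana.reyes@vendor-pay.example",
           "Please wire the deposit to our new bank details today.")
    found = score_message(base, *msg)
    print(found, is_suspicious(found))
```

A text-only message with no links or attachments is still flagged here, because the signal is the break in the sender relationship rather than a known-bad indicator.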

As the transition from early data centre-hosted email to modern cloud-based email infrastructure advances, many organisations still lag behind. To stay secure against contemporary email attacks and rising threats like pig butchering, organisations must implement next-gen protection and adapt to the ever-evolving threat landscape. Investing in AI-powered email security solutions can significantly reduce your employees’ exposure to new age threats and minimise the chances of them misidentifying an attack as a legitimate request.

About the Author

Mike Britton is the CISO of Abnormal Security, where he leads information security and privacy programs. Prior to Abnormal, Mike spent six years as the CSO and Chief Privacy Officer for Alliance Data. He brings 25 years of information security, privacy, compliance, and IT experience from a variety of Fortune 500 global companies. He holds an M.B.A. with a concentration in Information Assurance from the University of Dallas.
