During “romance week” and Valentine's Day, your heart can be stolen in the blink of an eye, and so can your money. The FBI has warned of “romance” scams, centering the bulletin around the celebration of love, which demonstrates that it’s not just a box of chocolates that are seducing people, it’s scammers and cybercriminals. Staggering new data from the FTC shows that last year, nearly 70,000 people reported a romance scam, and reported losses hit $1.3 billion. The median reported loss was $4,400.
Romance scams are a variation of what’s called “pig butchering,” a type of social engineering attack that alludes to the practice of fattening up a hog before slaughtering it. The approach combines some time-tested elements of fraud — such as gaining trust. It relies on the effectiveness of relationships nurtured on social media and the ease with which currencies can be moved electronically. In simpler terms, scammers are posing as lovers, gaining the trust of their fake beau, and then asking them for money for gifts, procedures, plane tickets, you name it.
SafeGuard Cyber believes these so-called “romance” or “pig butchering” scams point to these main areas of concern for enterprises:
- Blurred Lines: The blurred lines between personal use and business use of devices puts companies at risk when it comes to romance scams. Employees often conduct business on personal devices which can put the enterprise at risk. Cybercriminals know this, so they will target employees during business hours, distract them, and gain entry to the enterprise through the employee’s personal device that has access to their employer's information. Attackers can make an even bigger score if they seduce an employee long enough to get in and deploy ransomware.
- Similar Tactics: These schemes frequently target individuals over WhatsApp, and typically involve AI-generated profile photos of beautiful women in exotic locales. Attackers claim to have unique knowledge about things like gold prices or cryptocurrency. From a business communication perspective, while pig butchering schemes target individuals for profit. Cybercriminals and nation-states use similar tactics to honeypot key employees with privileged access, often starting in social media apps like Instagram or Facebook.
- Bigger Reel, Bigger Fish: Organized cybercrime groups that leverage “romance” or “pig butchering” scams bring unprecedented levels of scale to cybercrime and social engineering attacks. The size and scope of their operations is staggering including gray economies that support these illicit operations with ready-made supplies like stock photo bundles, social profiles, and operational playbooks. The bigger the size and scope, the bigger fish they can go after, in this case not just a single person but their employer as well.
- Lowering the Barrier, Heightening the Risk: The commodification of social engineering techniques and tactics will result in lower barriers for entry for criminal groups of all sizes, from large syndicates to local street gangs. New Phishing as a Service (PhaaS) kits make high-volume phishing (in this case love interest phishing) accessible and easy to execute.
- Export It: Out of fear or shame, most romance or pig butchering victims do not report their losses to the authorities or to their employers. Compromised individuals in “romance” or “pig butchering” scams can not only lose a lot of money personally but can put their organizations at great financial risk if the crime happened during business hours and on a device with access to business information.
The depth and breadth of these operations are devastating and heartbreaking and the scale of the operation is astonishing. There is a great human cost to these social engineering scams that come in the form of “romance” or “pig butchering”. Let’s focus on these concerns and raise awareness so that we can protect people and the companies they work for from malicious cybercriminals.
