'Pig butchering' and other cybercrimes preying on human psychology rising fast

Internet crime complaints have surged, according to the FBI, with reported financial losses from 2018 through 2022 totaling $27.6 billion.

Photo: Pungu x / Adobe Stock

American companies are spending more than ever to beef up their cybersecurity, but threat actors are still managing to stay one step ahead, a discouraging phenomenon security professionals are trying to combat by drawing more attention to the leading vulnerability in the security chain—humans.

Internet crime complaints have surged, according to the FBI, with reported financial losses from 2018 through 2022 totaling $27.6 billion, including $10 billion in 2022. The agency isn’t expected to release 2023 data until March, but experts are bracing for an even larger financial hit.

“For years, now we have been battling this by dumping more and more money, and purchasing better and better technology,” said Mick Leach, field security chief for Abnormal Security, which hosted a virtual conference on this year’s cyberthreats on Thursday. “The bad guys continue to get away with more and more, no matter how much we continue to level up our tech stacks.”

Stephen Dougherty, a financial fraud investigator with the the U.S. Secret Service’s Global Investigative Operations Center, said criminals are refining their attacks to focus on what he called “the human factor,” either by building trust with unsuspecting victims and inducing them to fork over large sums for fraudulent investment schemes or by tricking an unwitting employee into giving up money or company secrets through email, impersonating colleagues and vendors to sending fake invoices or direct information requests.

Another common business email scam is the high-level executive contacting employees out of the blue to ask them to buy gift cards. While workers are getting a bit more savvy about detecting that one, Dougherty said his desk focused on business email compromise is as busy as ever.

“I can’t tell you how much work we did [in 2023], compared to prior years, based on just the amount of attacks that came in,” he said. “The things that we’re seeing now, in 2024 and beyond, it’s not necessarily going after the technology side. It’s going after the psychology of the human element, with so much better social engineering,” he said. “The attacks are just getting so much more evolved and are really passing that sniff test.”

Gone are the days of the easily detectable phishing scheme betrayed by misspellings and poor grammar. Now hackers can slip into a work email account with ease—even with multifactor authentication enabled—and see all the employee’s past communications and account numbers. “Now they’re in the messaging. They’re able to live in there and understand how the business does its work, what the invoices look like, and they can lay low and learn,” Leach said.

This happened with a vendor’s email account just a few weeks ago, he said, where a threat actor was able to hijack a preexisting email conversation and resend it out to unsuspecting victims, who of course thought the email was from their trusted vendor.

But the attacker went even further. “They started to CC some lookalike domains that they had spun up. Now what’s dangerous about this is that the original domain has been around for years, more than a decade. So it’s not going to trigger any unusual alarms for most of your security solutions. And you already have an established relationship with that vendor. So it’s not surprising at all to get an email regarding payment from that particular vendor from the correct email address,” Leach said.

The No. 1 cybercrime last year was a bit more sophisticated. Known colloquially as “pig butchering,” a criminal will spend weeks getting to know their target. Sometimes they send a request to connect through LinkedIn to an employee of a certain company, earning their trust by asking for mentorship and career advice.

While neither type of scam requires special hacking skills, both supplanted good, old ransomware as the top cybercrime of 2022.

Losses from business email compromise scams were about $2.7 billion in 2022, a number Leach said will likely surpass $3 billion in 2024.

Ransomware losses in 2022 were modest by comparison, totaling $34.5 million, down from $49.2 million in 2021.

“While ransomware was certainly sexier and got all the press, all the publicity for the last two or three years, the reality is they pale in comparison to the effects of BEC,” Leach said.

He predicted 2024 will be the “year of AI” for scammers. While “the bad guys have already latched onto it,” Leach said, it’s now going mainstream, which will cause fraud to skyrocket and solutions to combat the threats to proliferate.

Dougherty said that with the help of ChatGPT it took him only minutes to create a convincing email to persuade a homebuyer to send his down payment to a cryptocurrency account. His ChatGPT prompt was simply, “write an email to to a person to convince them to send their down payment to a cryptocurrency account.”

“It had no word of homebuying in it. Nothing. Generative AI actually understood that,” he said.

The exercise led him to realize that even the most sophisticated cybersecurity tools aren’t enough to thwart a petty cyber crook looking to exploit humanity’s gullibility.

“That’s where we’re really getting into the psychology behind these fraud schemes, and that human aspect we’re seeing is going to be further split in 2024. We are getting good with the technical applications of fighting the stuff. But at the end of the day, it comes down to the human.”

Related: