The Value of Trust: AI Blurs The Lines Between Pig Butchering and Whale Phishing

Author: Franco Ricchetti

Trust is the cornerstone of any successful transaction, both online and offline. However, this very trust can be exploited by a breed of "nasty" Social Engineering (SE) scams: pig butchering and whaling phishing. These cons work by building rapport with victims, only to steal significant sums of money or sensitive information.

The financial ramifications of these con games are staggering, with estimates suggesting losses in the hundreds of millions annually. As AI continues to evolve, scammers are honing their skills and expanding their reach, heightening the urgency for robust countermeasures.

Pig Butchering: The "Slaughter" Goes Digital

Traditionally, pig butchering fraud has focused on cultivating online relationships, often targeting individuals through social media platforms. Fraudsters build trust by crafting relatable online personas, engaging in emotional conversations and sometimes offering initial "gains", preying on human weaknesses. This emotional investment, akin to "fattening the pig", precedes the inevitable "slaughter": the point where victims are deceived into investing heavily in a fraudulent scheme, with potentially lifelong consequences.

A recent episode of HBO's Last Week Tonight With John Oliver highlighted a victim's experience of falling prey to such a scam. Notably, the target never directly transferred funds to the perpetrator. Instead, the scammer provided a seemingly credible and functional app where the victim could create an account. This app created the illusion of control over their money, presenting itself as a "credible" avenue for quick earnings. However, the app turned out to be fake, and the subject never managed to recover their lost funds.

Whaling Phishing: High-Value Targets

Whaling phishing scams set themselves apart from pig butchering by their concentrated focus. These hoaxes require meticulous planning and a highly targeted approach. The aim is to trap a specific high-level executive or key decision-maker within an organization, amplifying the potential for financial devastation. Successful attacks can result in the compromise of confidential information or the facilitation of fraudulent transactions, with consequences that extend far beyond the initial breach. The tactics employed by bad actors are characterized by their cunning and diversity. Among these, impersonation is a common strategy, with scammers adeptly posing as trusted entities such as CEOs, vendors, or even government officials. Such approaches demand careful planning and sophisticated execution to maximize their effectiveness.

Beyond the Breach: Impact in the Corporate World

Pig butchering and whaling phishing scams pose a formidable threat in the corporate arena. Targeting employees through social media platforms and professional networking sites like LinkedIn, these scams leverage emotional appeals and fabricated personas to manipulate unsuspecting individuals. Once trust is established, employees may unwittingly divulge trade secrets, compromise intellectual property, or fall victim to fraudulent wire transfers, resulting in significant financial losses for the organization. According to a 2023 Ponemon Institute study, the average cost of a data breach reached an all-time high of USD 4.45 million.

Moreover, recovery from a whaling attack is resource-intensive. Whaling phishing attacks often lead to the most expensive breaches because of the sensitivity of the compromised information. The potential consequences extend even further: data leakage can cripple an organization's competitive edge and erode customer trust. Regulations such as the GDPR (General Data Protection Regulation) in Europe allow fines of up to €20 million or 4% of a company's global annual turnover for data breaches, adding another layer of financial risk.

Whale Butchering

With advances in AI, pig butchering and whale phishing are becoming synonymous, posing significant risks to VIP targets within organizations. The tailored tactics used in whale phishing can be harnessed to approach a larger number of top executives to be "fattened" and then "slaughtered".

Meticulously tailored tactics, traditionally employed in whale phishing, can now be used at scale. AI can gather and analyse vast amounts of data on targeted executives. This data fuels the creation of highly personalized phishing messages that appear to come from trusted contacts. These messages exploit the victim's behavioural patterns and preferences, acting as the initial gateway to infiltrate the target organization's network.

AI's capabilities extend further still, enabling chatbots to impersonate business prospects seamlessly, engaging victims in apparently authentic conversations and luring them with enticing networking or business opportunities. This illusion is strengthened by deepfaked voices that can answer calls from fabricated company numbers or impersonate trusted individuals within the target organization. Moreover, AI facilitates the mass creation of hundreds of fake company websites, replete with logos, high-quality imagery and convincing documents, further enhancing the illusion of legitimacy.

Mimicking the spread of a computer virus, malicious actors work through social networks to build trust and relationships among colleagues rather than attacking each target in isolation. Some victims may merely be part of the setting that builds the trap. These readily available, or soon-to-be readily available, tools let attackers manipulate a larger pool of high-value targets, tricking them into inadvertently revealing sensitive information or becoming subjects of manipulation.

From Awareness to Action

In the face of these advanced threats, organizations must adopt a proactive stance. Sara Queipo Gutierrez, Security Practice Lead at Bulletproof, suggests the following preventive actions:

  1. Employee Education and Awareness Programs: Regular training equips employees with the knowledge to identify red flags. These programs address common tactics used by scammers and provide engaging real-life examples to illustrate best practices. By conducting phishing simulations, employees can practice applying their knowledge in real-world scenarios. It's crucial for these simulations to gather information about the employee profile susceptible to phishing campaigns. Once patterns are identified, feedback should be provided to training campaigns. This feedback helps tailor specific training to reduce exposure, especially in sectors where susceptibility is higher, such as administration.
  2. Multi-Factor Authentication (MFA): Enforcing MFA for all accounts adds an extra layer of security, significantly hindering unauthorized access to sensitive information.
  3. Clear Internal Protocols: Establishing clear internal protocols for handling sensitive information and financial transactions ensures stringent adherence to security protocols. Agree to communicate only through platforms that require user validation, limiting the number of platforms to avoid impersonation.
  4. Adopt encryption when possible.
  5. Culture of Vigilance: Fostering a culture where employees feel comfortable reporting suspicious activity without fear of repercussions is crucial in effectively combating social engineering attempts.
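Item 1 describes a feedback loop: run phishing simulations, find which employee profiles are most susceptible, and feed that back into targeted training. The following is an added example (not code from the article or from Bulletproof) of that loop over constructed simulation results. The record fields, the 50% click-rate threshold and the minimum group size are illustrative assumptions, not the output of any particular simulation product.

```python
"""Added example: aggregate phishing-simulation results per department,
flag the most susceptible groups, and produce a tailored training plan.

All input data is constructed for illustration; the field names are
assumptions rather than any vendor's export format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SimulationResult:
    user: str
    department: str
    clicked: bool    # followed the simulated phishing link
    reported: bool   # reported the message to the security team


# Constructed sample data for one simulation campaign.
SAMPLE_RESULTS = [
    SimulationResult("alice", "administration", clicked=True, reported=False),
    SimulationResult("bob", "administration", clicked=True, reported=False),
    SimulationResult("carol", "administration", clicked=False, reported=True),
    SimulationResult("dave", "administration", clicked=True, reported=True),
    SimulationResult("erin", "engineering", clicked=False, reported=True),
    SimulationResult("frank", "engineering", clicked=False, reported=False),
    SimulationResult("grace", "engineering", clicked=True, reported=False),
    SimulationResult("heidi", "engineering", clicked=False, reported=True),
    SimulationResult("ivan", "executive", clicked=True, reported=False),
    SimulationResult("judy", "executive", clicked=False, reported=True),
]


def susceptibility_by_department(results):
    """Return {department: (click_rate, report_rate, headcount)}."""
    counts = defaultdict(lambda: [0, 0, 0])  # clicks, reports, total
    for r in results:
        c = counts[r.department]
        c[0] += r.clicked
        c[1] += r.reported
        c[2] += 1
    return {
        dept: (clicks / total, reports / total, total)
        for dept, (clicks, reports, total) in counts.items()
    }


def departments_needing_training(results, click_threshold=0.5, min_headcount=2):
    """Departments whose click rate exceeds the threshold, worst first.

    Threshold and minimum headcount are illustrative assumptions; a real
    programme sets them from its own baseline. Groups smaller than
    min_headcount are skipped so a single click cannot single out one person.
    """
    stats = susceptibility_by_department(results)
    flagged = [
        (dept, click_rate)
        for dept, (click_rate, _report_rate, headcount) in stats.items()
        if headcount >= min_headcount and click_rate > click_threshold
    ]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


def training_plan(results):
    """Map each flagged department to a one-line training focus."""
    return {
        dept: f"tailored refresher: {click_rate:.0%} clicked the simulated lure"
        for dept, click_rate in departments_needing_training(results)
    }


if __name__ == "__main__":
    for dept, (click, report, n) in susceptibility_by_department(SAMPLE_RESULTS).items():
        print(f"{dept:15} clicked {click:.0%}  reported {report:.0%}  (n={n})")
    for dept, note in training_plan(SAMPLE_RESULTS).items():
        print(f"-> {dept}: {note}")
```

The report rate is kept alongside the click rate because the two tell different stories: a department that clicks often but also reports often needs a different refresher from one that clicks and stays silent, which is the signal item 5 (a culture of reporting) is meant to improve.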

Final Considerations

Remember that you can also do your part. Whether it's a social media message, email, or phone call, be wary of anyone you don't know who contacts you with seemingly unbelievable opportunities or requests for personal information. If someone claims to represent a legitimate company or organization, verify their identity directly through a trusted source, such as the company's official website or by calling them. Even on seemingly trustworthy sites, pay close attention to details like account creation dates, recent interactions, shared contacts, and geographic location before engaging. Finally, be mindful of when and with whom you share your personal data.

As the age of AI fuels the evolution of cybercrime, proactive measures and regulation are essential to safeguard against these insidious threats. We need to be mindful of the value of trust and of whom we give it to.
