Phishing detection training needs an update. Typos aren’t your biggest clue anymore. Had a conversation with a friend recently who went through one of our phishing simulations. His first reaction? “Wow — I was looking for spelling errors or bad grammar. But these emails were perfect.” Exactly. Because with LLMs, attackers don’t write awkward phishing lures anymore. They spin up professional, fluent, regionally adapted messages on demand — even if English isn’t their native language. So all that training telling employees to “look for typos”? It’s outdated. Doesn’t match how real attacks work now. Sure, weird phrasing or off-brand tone can still be a signal. But today’s phishing detection needs to go deeper: emotional triggers, urgency patterns, context mismatches. Attackers are evolving. Our training — and our expectations — need to evolve too. #phishing #awareness
Fraud Detection Methods
-
A major challenge with rule-based detection is that one must not only pre-define what the threat is, but also include exceptions ("tuning") to encode what the rule should NOT match. This is impossible, of course, because the context needed to determine whether something is malicious or benign is only available at ALERT TIME, not at DETECTOR DEFINITION TIME. This is why analysts exist. They take the alert and add context around the alert. Most of the time, they either find no evidence of maliciousness, or they find benign evidence, and rule the alert as benign. These AI SOC vendors, and others like Alpha Level, we're all doing the same thing. We are automating parts of this dynamic context acquisition at the time of the alert. We can argue about what method to use...should we use "AI", should we use some other method...but my point is that the market is beginning to recognize what many of us have realized for a long time: the context needed to resolve an alert isn't complete until the alert happens. Only when we can augment static rule matches with dynamic context can we truly knock down FP rates, and ratchet up the TPs.
-
The message arrives like a mistake. "Hey, is this Michael? We met at that conference last week." You're not Michael. You tell them so. But they don't disappear - they apologize, they're charming, they ask about your day. Over the following weeks, something unexpected happens: a friendship develops. They share photos of their life, ask about yours, remember details from previous conversations. Eventually, almost casually, they mention an investment opportunity that's been working remarkably well for them. Would you like to try? This is how it begins. Not with a Nigerian prince or an obvious phishing scam, but with something that feels achingly real - a human connection in a lonely digital age. And by the time you realize what's happening, your savings are gone. Welcome to the world of pig butchering, a form of fraud so sophisticated and so profitable that it's generated an estimated fifty to seventy-five billion dollars annually - more than the global trade in illegal arms. The name comes from a Chinese phrase, sha zhu pan: the pig-slaughtering board. First you fatten the animal. Then you kill it. In October, federal prosecutors in New York unsealed an indictment that offers a rare glimpse inside this machinery of deception. At its center: Chen Zhi, a businessman who built what prosecutors call one of the largest cryptocurrency fraud and money-laundering operations in history. Behind the respectable facade of Prince Holding Group - with offices in thirty countries, legitimate businesses, even diplomatic connections - Chen ran something else entirely: a network of compounds in Cambodia where thousands of people, many held against their will, spent their days systematically defrauding victims around the world. The documents reveal an operation of staggering scale and chilling efficiency. Detailed ledgers cataloguing which floor of which building ran which specific scam. "Phone farms" controlling tens of thousands of social-media accounts.
Scripted conversations tested and optimized like advertising copy. A hundred and twenty-seven thousand bitcoins - worth billions - flowing through an elaborate laundering system that mixed criminal proceeds with legitimate mining operations, making dirty money look clean. The industry Chen helped build, meanwhile, has become Cambodia's largest economic sector, generating more revenue than all others combined. Hundreds of thousands of people work in these compounds across Southeast Asia. And every day, millions of potential victims on every continent open their phones to find a message from a stranger: "Hey, is this Michael?" Someone always answers.
-
🚨 Learn Something New: The ETHM Token Trap in Pig Butchering Scams
If you’re investigating cryptocurrency fraud or educating potential victims, you need to know about ETHM (Ethereum Meta) - a worthless token being weaponized in pig butchering operations. 🐷🔪
Here’s How It Works: Scammers send massive amounts of ETHM to victims’ wallets on BNB Chain. When victims check their balance, they see inflated values - sometimes $50K, $100K, or more. 💰📈 The wallet displays this because of fake pricing data, but ETHM actually trades at essentially $0 with near-zero liquidity. The scammer then claims these tokens are “profits” from the victim’s fake investment platform. But there’s a catch - to “unlock,” “withdraw,” or “bridge” these funds, the victim must pay “fees” or “taxes” in real cryptocurrency (ETH, USDT, BTC). 🎣
The Result: Victim sends real money to access fake profits. The ETHM remains worthless. ❌
Variant: Some victims are tricked into approving contracts that swap their real crypto FOR ETHM - effectively burning their actual assets for worthless tokens 🔥
Red Flags: 🚩
∙ Sudden appearance of high-value tokens you didn’t buy
∙ Demands for fees/taxes to access “profits”
∙ Pressure to “migrate” or “bridge” tokens
∙ Unfamiliar tokens with astronomical displayed values
If You’re a Victim: 🛡️
1. ⛔ STOP - Don’t send any more funds
2. 🔒 Secure your wallet - Revoke permissions at revoke.cash
3. 📞 Report to IC3.gov and your local cybercrime unit
4. 📸 Document everything - screenshots, transaction hashes, chat logs
For Investigators: 🔍 ETHM on BNB Chain (contract: 0xbb38f4b6e289aa900505c92bd9743bd4d3c8d2de) is showing up repeatedly in 2024-2026 pig butchering cases. When you see it, you’re likely looking at a secondary extraction attempt after the initial fraud.
The enemy is creative. We must be more vigilant.
💪⚖️ Operation Shamrock TRM Labs Chainalysis Deconflict.com Anchorage Digital Heights Labs ACAMS Association of Certified Financial Crime Specialists - ACFCS Association of Certified Fraud Examiners (ACFE) International Association of Financial Crimes Investigators University of New Haven Fairfield University Charles F. Dolan School of Business CT Digital Forum CT Blockchain Association
-
The old fraud detection techniques are declining in efficacy. For decades, fraud rings were exposed through reuse of identity elements linked to multiple 'people' or applications. The same email, same device, same IP address, or same phone # tied to hundreds of applications. In one case, a single fake phone number was linked to 987 applications across 207 synthetic identities in 25 states in one month. Now those linkages are declining (chart below). The decline accelerated in early 2025. Current trajectories suggest near-complete email uniqueness in fraud populations by 2027, with address and phone uniqueness potentially following. Over time, these identities age into legitimacy, making fraudulent elements increasingly difficult to distinguish from real ones. While these signals still provide value, they are no longer sufficient as primary anchors for detection. As an industry, we will need new ways to link fraud together. The most durable way to do that is through device and infrastructure intelligence, where signals are significantly harder to fabricate and remain consistent across sessions, environments, and time. In practice, this shifts the foundation of fraud detection from static identity elements to persistent device and behavioral linkages. Full report linked in the comments.
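An added example, not part of the original post or the report it mentions: linking applications by shared elements with union-find, to show how a ring whose emails and phone numbers are all unique drops out of identity-only linkage and is recovered once a device identifier is included. The sample applications, the field names and the `device` identifier are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample applications (not real data); field names are assumptions.
APPS = [
    # Older-style ring: one phone number reused across identities.
    {"id": "A1", "email": "j.doe@example.com", "phone": "555-0100", "device": "dev-01"},
    {"id": "A2", "email": "m.roe@example.com", "phone": "555-0100", "device": "dev-02"},
    {"id": "A3", "email": "k.poe@example.com", "phone": "555-0100", "device": "dev-03"},
    # Newer-style ring: every identity element unique, same device underneath.
    {"id": "B1", "email": "ana@example.net", "phone": "555-0111", "device": "dev-77"},
    {"id": "B2", "email": "raj@example.org", "phone": "555-0112", "device": "dev-77"},
    {"id": "B3", "email": "lee@example.com", "phone": "555-0113", "device": "dev-77"},
    # Unrelated applicant.
    {"id": "C1", "email": "sam@example.com", "phone": "555-0120", "device": "dev-90"},
]

def link_clusters(apps, keys):
    """Group applications that share a value for any field in `keys` (union-find)."""
    parent = {a["id"]: a["id"] for a in apps}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first application id carrying it
    for a in apps:
        for k in keys:
            v = a.get(k)
            if not v:
                continue  # a missing value must never link two applications
            owner = first_seen.setdefault((k, v), a["id"])
            parent[find(a["id"])] = find(owner)
    groups = defaultdict(set)
    for a in apps:
        groups[find(a["id"])].add(a["id"])
    # Only clusters of two or more applications are linkage findings.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def compare(apps=APPS):
    return {
        "identity_only": link_clusters(apps, ["email", "phone"]),
        "with_device": link_clusters(apps, ["email", "phone", "device"]),
    }

if __name__ == "__main__":
    for name, clusters in compare().items():
        print(name, clusters)
```

Shared IP addresses are left out of the keys here because many unrelated applicants can sit behind one address; adding them would need a cap on how many applications a single value may link.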
-
🗽 Late last week, Brooklyn District Attorney Eric Gonzalez announced that his Virtual Currency Unit - led by the incomparable Alona Katz - successfully disrupted a cryptocurrency scam that targeted members of Brooklyn’s Russian community. The investigation identified over 20 Brooklyn investors who lost over $1 million and additional victims from across the United States who lost an additional $4 million combined. 70 linked scam domains have now been taken offline. The investigation identified a shared narrative under which victims were lured into the scam by clicking on a Facebook advertisement promising impressive returns. Many of the ads they described featured a “deepfake” video of Elon Musk, encouraging people to invest in cryptocurrency (see attached image). Victims then received a follow-up call from an “investment advisor” who spoke to them in Russian and coached them into creating an account on an investment website. With the help of the “advisor,” victims purchased cryptocurrency and transferred it to addresses linked to the websites. After “investing” for several weeks or months, the victims attempted to make a withdrawal but were locked out of their account or told they had to pay additional fees and taxes. This type of scam is commonly known as “Pig Butchering.” This week, the Virtual Currency Unit, pursuant to a court order, seized a network of 70 linked scam domains, all associated with the investment scam targeting Russian victims in Brooklyn and elsewhere. Something I love about the press releases from the Brooklyn DA is the way the office educates the community by adding warning signs of someone trying to lure a victim into a cryptocurrency scam.
🚩 You get a “wrong message” text from a stranger who attempts to start a friendship and talks about how much money they’ve made by investing in cryptocurrency.
🚩 You are added to a group chat on WhatsApp or Telegram that offers advice on how to invest in cryptocurrency with promises of getting rich quickly.
🚩 Someone on Facebook brags about how much money they have made in cryptocurrency and tells you they can help you get rich.
🚩 Someone you’ve never met in-person starts giving you cryptocurrency investment advice and promises returns on investments that seem too good to be true.
🚩 You are directed to download an app to track your investments from a cryptocurrency website for a company you’ve never heard of before, not from an official mobile app store.
🚩 The financial advisor or customer support for a cryptocurrency website communicates with you through Telegram or WhatsApp.
🚩 You are asked to make cryptocurrency investments by giving large amounts of cash to couriers and company representatives in-person.
🚩 You can make small withdrawals at the start but can’t withdraw any large amounts without having to pay a tax or additional fee.
Read the full release in the comments 👇 Great work Brooklyn! 🗽
-
There are several variants of investment scams being run around the world - one interesting one our researchers dove into combined malvertising with pig butchering style social engineering. This type is particularly prevalent in Japan. One of our researchers chased this thread, going from malicious Facebook ads through to joining WhatsApp groups where scammers coach potential victims into fake investments. Although this work began from a Japanese attack, the same kits were seen in a number of countries, including South Korea, Turkey, and the US. Naturally these leverage AI for content generation and more. But, they also used people. Our researcher was moved from one chat into another as the actors seemed to vet the likelihood of a reward. Instead of losing money, in the end we relied on Japanese media reporting about the potential loss... no chump change here. If you haven't seen this one yet, take a look. The variety of domain names used by bad actors is pretty interesting too... from lookalikes to RDGAs. https://lnkd.in/gzKCC-dF
-
A prospect showed me an Excel spreadsheet from their incumbent MDR. Hundreds of detection rules, neatly listed. Their first question to me: "Do you have the same ones?" I get why this happens. Security teams want proof of coverage. Incumbents hand them a laundry list of rules to fill the heat map, and it feels like proof of something. It’s definitely proof of something. But it’s not proof of coverage. It’s proof that the MDR is giving you the same templated security it gives to all of its customers. When I looked at that Excel spreadsheet, here’s what I saw:
- Detections that weren’t tuned to their environment
- Coverage that wasn’t built around their business
- Rules designed for MITRE bingo
This kind of security doesn’t cut it anymore. Instead, security services need to spend time understanding what’s important for each business. They need to tailor their detection and hunt efforts to each customer's actual priorities. This is the only way security services can drive actual findings and actual outcomes that reduce risk for the organizations they serve. It might involve fewer rules than what your incumbent MDR offers, but the rules that are in place are going to offer a lot more impact and protection than a one-size-fits-all template. Quantity can feel good, and big numbers tend to make a great first impression. But if you don’t have quality coverage that is tailored to your environments, you can stuff a million detection rules in a spreadsheet and still be vulnerable to the next threat that comes along. You don’t need more rules. You need the right ones.
-
🚨 Another devastating pig butchering scam... 😡 I’m sitting down to talk about something I wish I didn’t have to repeat. Another victim, another life savings wiped out—this time $450,000 stolen in the blink of an eye. That’s the fifth person who's reached out to me in the past two months, and the pattern is painfully familiar. A female scam artist befriends them, builds trust, and then convinces them to download a fake trading app. The victims are led to believe they’re making money, but in reality, their savings are funneled directly to cybercriminals operating through WhatsApp. The hardest part? They contact law enforcement, only to learn there's little that can be done because these criminals are overseas. This is why I keep repeating it: A CyberSecure Mindset could have prevented nearly all of these cases. That’s why I’m making this video—to arm you with the knowledge you need.
🔒 5 Tips to Spot a Pig Butchering Scam:
📱 They rush to move you into a messaging app like WhatsApp after brief communication elsewhere.
💰 They promise easy, guaranteed profits—usually involving cryptocurrency or fake trading platforms.
📲 They push you to download a trading app, often from an unverified source, that simulates gains.
🖼️ Their profiles seem too perfect—professional photos, minimal personal details, and vague background info.
⏳ They create urgency around investments or insist on keeping the opportunity a secret.
Don’t wait until it’s too late—visit www.cybersecuremindset.com for more tips on staying safe from these and other scams. Protect yourself and your family before you become their next target.
#CyberSecureMindset #CyberSecurity #ScamAwareness #PigButchering #StaySafeOnline #FBI #CryptoScam #RomanceScam #FightBack #StayVigilant 🔒💡
Corey Munson Kevin D. Darren Mott, FBI Special Agent (Ret.), "The CyBUr Guy" Operation Shamrock Erin West