Pig Butchering – FinCEN Alert
Recently, I've gotten an increase in text messages that go something like "Hey, Joe it's Jane. How have you been?" To which I will reply with “wrong number” and then they will say "I'm sorry, how are you?" I will immediately block the number as I don't know this person and do not wish to continue a conversation with them. I have since learned that scammers use this tactic to build a rapport with their victims and eventually steal from them.
On September 8th FinCEN issued an alert to the public, specifically financial institutions to bring attention to a new prominent scam and remind financial institutions of their Suspicious Activity Report (SAR) filing obligation. As a reminder, financial institutions, including credit unions, are required to file a SAR if certain suspicious activity or transactions are suspected.
This specific FinCEN alert caught my eye because of the scam’s name and then the reasoning behind the name had me even more intrigued. The scam is referred to as "pig butchering" because it resembles the practice of fattening a hog before slaughter. Weird analogy, right? To dive deeper the victims are referred to as "pigs" by the scammers who leverage fake identities, potential relationships and elaborate storylines to "fatten" the victim or pigs up and then "butcher" or "slaughter" them by stealing their assets.
The scammers will initially reach out to the victims either by text message, direct message on social media, or other communication platforms, usually something along the lines of reaching the wrong number or trying to reconnect with an old friend as I’ve described above. Once the scammer is able to get a response from the victim, they will continue to communicate with them in order to establish a relationship and build trust. Through the trusting relationship the scammer can convince the victim to invest in virtual currency with the intent of defrauding them of said investment, also known as the butchering phase.
FinCEN's analysis has revealed that some victims have liquidated holdings in tax-advantaged accounts or even taken out home equity lines of credit (HELOC) and second mortgages on their homes in order to increase their investment, based on the scammer promising them a fabricated return on their investment.
FinCEN and law enforcement have identified some red flags that may help a credit union detect when a member may be being targeted by this pig butchering scheme. It is important to note that no single red flag is determinative of this scam and "in line with their risk-based approach to compliance with the BSA, financial institutions are also encouraged to perform due diligence where appropriate."
Behavioral Red Flags
- A member with no history or background of interacting with virtual currency attempts to exchange a high amount of fiat currency (US dollars) from an existing or newly opened account for virtual currency or attempts to initiate high-value transfers to Virtual asset service providers (VASPs).
- Any mention of an investment opportunity leveraging virtual currency with significant returns that they were told about from a new contact who reached out to them unsolicited online or through text message.
- A member mentions that they were instructed by an individual who recently contacted them to exchange fiat currency for virtual currency at a virtual currency kiosk and deposit the virtual currency at an address supplied by the individual.
- A member that appears distressed or anxious to access funds to meet demands or the timeline of a virtual currency investment opportunity.
Financial Red Flags
- A member uncharacteristically liquidates accounts prior to maturation and then subsequently attempts to wire the liquidated fiat currency to a VASP or to exchange them for virtual currency.
- A member takes out a HELOC, home equity loan, or second mortgage and uses the proceeds to purchase virtual currency or wires the proceeds to a VASP for the purchase of virtual currency.
- A member receives what appears to be a deposit of virtual currency from a virtual currency address at or slightly above the amount that the member previously transferred out of their virtual currency account. This deposit is then followed by outgoing transfers from the member in substantially larger amounts.
- Accounts with large balances that are inactive or have limited activity begin to show constant, uncharacteristic, sudden, abnormally frequent, or significant withdrawals of large amounts of money being transferred to a VASP or being exchanged for virtual currency.
- A member sends multiple EFTs or wire transfers to a VASP or sends part of their available balance from an account or wallet they maintain with a VASP and notes that the transaction is for “taxes,” “fees,” or “penalties.”
- A member with a short history of conducting several small-value EFTs to a VASP abruptly stops sending EFTs and begins sending multiple high-value wire transfers to accounts of holding companies, limited liability corporations, and individuals with whom the member has no prior transaction history. This is indicative of a victim sending trial transactions to a scammer before committing to and sending larger amounts.
Technical Red Flags
- System monitoring and logs show that a member’s account is accessed repeatedly by unique IP addresses, device IDs, or geographies inconsistent with prior access patterns. Additionally, logins to a member’s online account at a VASP come from a variety of different device IDs and names inconsistent with the member’s typical logins.
- A member mentions that they are transacting to invest in virtual currency using a service that has a website or application that seems fraudulent based on appearance and its URL.
- A member mentions that they downloaded an application on their phone directly from a third-party website, rather than from a well-known third-party application store or an application store installed by the manufacturer of the device.
- A member receives a large amount of virtual currency such as ether at an exchange, subsequently converts the amount to a virtual currency with lower transaction fees such as TRX, and then abruptly sends it out of the exchange.
If a credit union suspects one of their members is a victim of pig butchering, FinCEN requests that credit unions reference the alert in SAR field 2 and the narrative by including "FIN-2023-PIGBUTCHERING" and selecting "Fraud-Other" under SAR field 34(z) with the description "Pig Butchering." In addition, credit unions are encouraged to refer their members who may be victims of pig butchering to the FBI's IC3 and the Securities and Exchange Commission tips, complaints, and referrals (TCR) system to report investment fraud. Lastly in the case of elder victims credit unions may refer them to DOJ's National Elder Fraud Hotline at 833-FRAUD-11 or 833-372-8311.
🎯 Online Compliance Training Subscriptions: For just one price, your entire credit union receives access to over 40 hot-topic compliance webinars per year, so your team can master challenges like BSA, data security, risk management, loss prevention, and more. Learn more.
🌟4.8 Star Rating for NAFCU’s 2023 Credit Union Compliance Roadmap!
"Everything is explained well in a way that’s easy to understand. This is my first go to for research!” - 2023 Purchaser | Read a portion for free.