In May, it was reported that criminals had siphoned hundreds of millions of pesos from Mexican banks through unauthorized transfers. The attackers exploited problems in third-party software that banks use to connect to Mexico’s interbanking electronic payment system, sending unauthorized transfers to various accounts at other banks. The transferred funds were quickly withdrawn as cash, a likely indicator that money mules played an instrumental role in this large-scale act of fraud.
Money mules are individuals used by fraudsters to receive and transfer stolen money. The use of mules allows fraudsters to avoid detection and obfuscate their identity when extracting funds. As such, it’s critical for decision makers to understand the role money mules can play in money-laundering schemes.
Mule Recruitment Practices
In many cases, money mules are unaware that they are acting as an agent of crime. Using social engineering tactics, threat actors have been known to target the unemployed, students, and other individuals struggling to support themselves by framing the arrangement as a legitimate job opportunity.
Money mule recruitment activity tends to occur through public channels such as job websites, classified ads, and social media. Mules are often recruited via misleading advertisements for seemingly legitimate job opportunities that tout benefits such as great pay, easy work, and the ability to work from home.
According to the U.S. Computer Emergency Readiness Team (US-CERT), criminals often take considerable measures to make their so-called job offer appear legitimate. Criminals have been known to carefully craft their emails so they appear legitimate, and to post job ads on fake but professionally designed websites or, alternatively, on legitimate career websites. These bogus job ads tend to have vague titles such as “finance manager,” “mystery shopper,” or other positions that could logically entail carrying out financial transactions.
Some threat actors have gotten particularly creative in their mule-recruitment practices. For example, in June 2013, a threat actor recruited mules for malware-related schemes by injecting a popular career website with malicious HTML code, and as a result, redirecting site visitors to a decoy website advertising mule opportunities.
Although advertising fake job opportunities is the most common social engineering strategy for mule recruitment, more criminals are turning to online romance fraud—otherwise known as catfishing—to manipulate lonely singles into carrying out illegal money transfers.
The Role of Money Mules
In a typical scheme, after initial recruitment, criminals find an excuse to collect personally identifiable information (PII) from their intended mule so they can create a bank account in the mule's name to which stolen funds can be transferred. This information may be obtained under the guise of an employee onboarding or job-contract signing process.
Once a mule account has been established, the mule receives the stolen funds and is instructed to transfer them to another account, which may belong to a threat actor behind the scheme or, in some cases, yet another mule. Ultimately, the objective of using money mules is for criminals to receive stolen funds while concealing their identity from law enforcement.
The War on Mules: Upping the Ante
Recognizing money mules as an increasingly pervasive threat, law-enforcement authorities from 26 countries joined forces for a third global action week against money muling in November 2017. As a result of the coordinated effort, 159 threat actors were arrested, 409 suspects were interrogated, and 766 money mules were identified. The effort was followed by a joint #DontBeAMule campaign that sought to spread awareness among individuals who could be targeted as potential mules.
Money mules are a particularly troublesome threat for the financial services industry as new technologies intended to facilitate faster and more convenient financial transactions are inevitably being abused. IBM’s SecurityIntelligence reports that in the U.K. alone, more than £100 million ($132.3 million USD) was lost in transfer scams during the first six months of 2017, with an average loss of £21,477 ($28,409 USD) for targeted businesses.
In addition to financial losses, targeted organizations may face reputational damage, a lengthy mitigation process, and depending on the method of fraud used to steal the transferred funds, the potential compromise of sensitive data.
Financial institutions can combat the abuse of their services for money mule activity by developing effective customer screening processes, such as asking certain questions when a new account is being opened, as well as monitoring existing accounts for suspicious activity. While most mule recruitment occurs through open channels, the threat actors behind money-laundering schemes likely coordinate their activities on the Deep & Dark Web (DDW). As such, Business Risk Intelligence (BRI) is an invaluable resource in this undertaking, because it provides intelligence teams with unparalleled visibility into the DDW and a decision advantage over threats and adversaries.
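The account monitoring described above can start with a pass-through rule: flag accounts where most of an incoming transfer leaves again as cash or an onward transfer within a short window, with a recently opened account as an additional signal. This is an added example, not part of the original article; the ledger layout, the thresholds, and names such as flag_pass_through are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against real account data.
WINDOW = timedelta(hours=48)            # how quickly funds leave after arriving
PASS_THROUGH_RATIO = 0.8                # share of the credit that leaves again
NEW_ACCOUNT_AGE = timedelta(days=30)    # "recently opened" cut-off
OUTFLOW_KINDS = {"cash_withdrawal", "transfer_out"}

# Constructed sample ledger: (account, timestamp, kind, amount)
LEDGER = [
    ("A-100", "2018-05-02T09:00", "transfer_in", 50000),
    ("A-100", "2018-05-02T13:30", "cash_withdrawal", 30000),
    ("A-100", "2018-05-03T10:15", "transfer_out", 18000),
    ("B-200", "2018-05-02T09:00", "transfer_in", 50000),
    ("B-200", "2018-05-20T12:00", "cash_withdrawal", 5000),
    ("C-300", "2018-05-04T08:00", "transfer_in", 20000),
    ("C-300", "2018-05-04T09:00", "cash_withdrawal", 19000),
]
# Constructed account opening dates
OPENED = {"A-100": "2018-04-20", "B-200": "2015-01-10", "C-300": "2012-06-01"}


def flag_pass_through(ledger, opened):
    """Return {account: [reasons]} for accounts that drain a credit quickly."""
    by_account = defaultdict(list)
    for account, ts, kind, amount in ledger:
        by_account[account].append((datetime.fromisoformat(ts), kind, amount))

    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for when, kind, amount in events:
            if kind != "transfer_in":
                continue
            # Sum everything that left the account within WINDOW of this credit.
            drained = sum(a for t, k, a in events
                          if k in OUTFLOW_KINDS and when < t <= when + WINDOW)
            if drained < PASS_THROUGH_RATIO * amount:
                continue
            reasons = [f"{drained / amount:.0%} of credit left within window"]
            age = when - datetime.fromisoformat(opened[account])
            if age <= NEW_ACCOUNT_AGE:
                reasons.append("account recently opened at time of credit")
            flagged[account] = reasons
            break  # one qualifying credit is enough to flag the account
    return flagged
```

On the constructed ledger, A-100 is flagged on both signals, C-300 on rapid pass-through alone, and B-200 is not flagged.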