November 19, 2012

A week ago Friday, the U.S. Justice Department announced that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized businesses, but incredibly this settlement appears to be unrelated to these cyber heists.

According to the DOJ, “the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’ In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system.”

The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing (oh, and willful neglect of employee fraud).

“Despite thousands of complaints by customers who were victims of fraud, MoneyGram failed to terminate agents that it knew were involved in scams.  As early as 2003, MoneyGram’s fraud department would identify specific MoneyGram agents believed to be involved in fraud schemes and recommended termination of those agents to senior management.  These termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity grew from 1,575 reported instances of fraud by customers in the United States and Canada in 2004 to 19,614 reported instances in 2008.  Cumulatively, from 2004 through 2009, MoneyGram customers reported instances of fraud totaling at least $100 million…To date, the U.S. Attorney’s Office for the Middle District of Pennsylvania has brought conspiracy, fraud and money laundering charges against 28 former MoneyGram agents.”

$100 million may seem like a painful fine, unless you take a look at MoneyGram’s company facts page, which states some fairly staggering figures: “MoneyGram has 293,000 agent locations in 197 countries and territories,” or, to put it another way, “more than twice the locations of McDonald’s, Starbucks, Subway and Wal-Mart combined.”

The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems.

Each week, I reach out to or am contacted by organizations that are losing hundreds of thousands of dollars via cyber heists. In nearly every case, the sequence of events is virtually the same: The organization’s controller opens a malware-laced email attachment, and infects his or her PC with a Trojan that lets the attackers control the system from afar. The attackers then log in to the victim’s bank accounts, check the account balances – and assuming there are funds to be plundered – add dozens of money mules to the victim organization’s payroll. The money mules are then instructed to visit their banks and withdraw the fraudulent transfers in cash, and wire the money in smaller chunks via a combination of nearby MoneyGram and Western Union locations.

The latest example: On Nov. 16, 2012, attackers logged into accounts at Performance Autoplex II Ltd., a Honda dealer based in Midland, Texas, and began adding money mules to the company’s payroll. The thieves added at least nine mules, sending each a little more than $9,000. One of the mules used in this attack — a Louisa Lies (no kidding, that’s her real last name) — got two transfers totaling $9,220.58. She was instructed to visit two different Western Union locations, sending a total of $3,844 to two different recipients (one in Russia, the other Ukraine); Lies sent another pair of transfers (again, to two different people in Russia and Ukraine) totaling just over $5,000, via two separate MoneyGram locations. Lies said she paid $155 in fees to Western Union, and $136 in MoneyGram charges.

It appears that there were at least eight other money mules who were sent and forwarded on similar-sized transactions drawn on the hacked Honda dealer’s accounts. If we assume that the average transfer fee that MoneyGram charged for those transactions was about $150, that means MoneyGram received about $1,350 of the money stolen from the Honda dealership. Now imagine that there are dozens of U.S. small businesses each week that find themselves in a similar situation, and you begin to get an idea of MoneyGram’s (and Western Union’s) role in this type of fraud.

Saying that MoneyGram has a problem combating money laundering is a bit like observing that the American people have truthiness and trust issues with Wall Street. Perhaps fittingly, MoneyGram was one of the first publicly traded U.S. companies to face serious financial trouble after the housing and credit markets began weakening in 2007, and in 2008 Goldman Sachs owned a 79 percent stake in the firm. MoneyGram ended up paying $80 million to settle a securities fraud lawsuit stemming from losses on subprime loan investments at the time.

Between now and then, the company has settled a bevy of other fraud-related lawsuits, including a case in 2008 with 43 U.S. states, and an $18 million fraud case brought in 2009 by the Federal Trade Commission.

According to the DOJ, MoneyGram has agreed to enhanced compliance obligations and structural changes to prevent a repeat of the charged conduct, including:

- Creation of an independent compliance and ethics committee of the board of directors with direct oversight of the chief compliance officer and the compliance program;

- Adoption of a worldwide anti-fraud and anti-money laundering standard to ensure all MoneyGram agents throughout the world will, at a minimum, be required to adhere to U.S. anti-fraud and anti-money laundering standards;

- Adoption of a bonus system which rates all executives on success in meeting compliance obligations, with failure making the executive ineligible for any bonus for that year; and

- Adoption of enhanced due diligence for agents deemed to be high risk or operating in a high-risk area.

The DOJ further said that to oversee implementation and maintenance of these terms, and to evaluate the overall effectiveness of its anti-fraud and anti-money laundering programs, MoneyGram has agreed to retain an independent corporate monitor who will report regularly to the Justice Department.

I don’t claim to have the answers about what MoneyGram could be doing better to fight fraudulent uses of its network, but here’s hoping the newly agreed-upon anti-fraud measures don’t overlook the rampant use of MoneyGram’s services in costly and disruptive cyberheists against America’s small businesses.


19 thoughts on “MoneyGram Fined $100 Million for Wire Fraud”

  1. Philippe

    Did anybody go to jail? It admitted criminally aiding and abetting wire fraud. If I were to do that is it not go to jail, do not pass GO, do not collect 200$? If nobody goes to jail, the fine is just a cost of doing business.

    1. SeymourB

      “To date, the U.S. Attorney’s Office for the Middle District of Pennsylvania has brought conspiracy, fraud and money laundering charges against 28 former MoneyGram agents.”

      That being said, agents are the bottom of the rung, and basically act like a franchisee of any large chain firm. If nothing changes at MoneyGram after this settlement, though, I would expect some heads further up will end up on the chopping block next time.

      But I will be extremely shocked if anyone higher than a middle management peon ever loses their bonus due to fraudulent activity. That’s just not how executive compensation works in the US these days.

      1. Greybeard

        Indeed. And “Adoption of a bonus system which rates all executives on success in meeting compliance obligations”?! Wow, a bonus for actually doing something legally required as part of your job! Must be nice…

    2. Uzzi

      $100 million is just a small fine for organized crime (Goldman Sachs controlling, consulting and/or lobbying, Trilateral Commission, Group of Thirty (G30), World Bank, U.S. Federal Reserve (Fed), European Central Bank (ECB), Council on Foreign Relations, Young Leaders Alumni… most governments in the world and MoneyGram), but nonetheless good news. Thanks Brian!

    3. Sharon

      You are so right on this. Fine just passed on to shareholders and is only a dent in profits. The U.S. is so far behind in Security and Cybertheft issues. Consequently, there are so many victims (myself included) that are left helpless. The U.S. needs to modernize its laws on these issues ASAP. The cost involved in prosecuting and putting these people away would be recouped very fast, if there was an agency simply dedicated to discovery, create laws on and prosecute these malicious evil people who do this, that would help. Fine? Slap on the wrist and is unacceptable. This type of crime and all cyber theft is bar none the worst thing this country will see and could lead to a downfall if it goes unchecked. These people continue to reinvent new and ingenious ways to steal hard earned money from especially poor people. I have had it! The internet cannot be trusted, ever. I have learned the hard way. Thanks.

  2. clashguy

    Did this happen to Xoom in the past? At one time they accepted all credit cards, now they only accept American credit/debit cards when sending money. Not sure about checking accounts though.

  3. dano

    “…termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity.”

    and

    “…don’t claim to have the answers about what MoneyGram could be doing better to fight fraudulent uses of its network.”

    What is the (federal) penalty for fraud? If DOJ were to send one or two of these executives to room with Bernie Madoff for 5-10 then the rest would get the message and stop allowing this behavior.

  4. Bob

    Is it too simplistic for companies to specifically password protect their payroll accounts? I realize they are part of an accounting package, but certainly those programs could be modified such that before any names can be added to the payroll a specific password would be needed.

    Accordingly, even if a hacker got through a firewall and/or other security features, adding fake employees would not be possible without the password (a strong one of course, that is changed frequently).

    1. BrianKrebs Post author

      Is that right? I thought most ransomware scams these days used quasi-prepaid options, like Moneypak and uKash.

  5. Rabid Howler Monkey

    [Scene: Interior. A New York apartment. There is a knock at the door.]
    Woman: [speaking through closed door] Yes?
    Voice: (mumbling) Mrs. Arlsburgerhhh?
    Woman: Who?
    Voice: (mumbling) Mrs. Johannesburrrr?
    Woman: Who is it?
    Voice: [pause] Flowers.
    Woman: Flowers for whom?
    Voice: [long pause] Plumber, ma’am.
    Woman: I don’t need a plumber. You’re that clever shark, aren’t you?
    Voice: [pause] MoneyGram.
    Woman: MoneyGram, my foot! You get out of here before I call the police! You’re the shark, and you know it!
    Voice: Wait. I-I’m only a dolphin, ma’am.
    Woman: A dolphin? Well… Okay. [opens door]
    [Huge latex and foam-rubber shark head lunges through open door, chomps down on woman’s head, and drags her out of the apartment, as Jaws attack music plays.]

    Adapted from:
    http://en.wikipedia.org/wiki/Landshark_%28Saturday_Night_Live%29

    Be careful out there …

  6. Following the Numbers

    $100 Million looks like a large fine to MoneyGram. From their financials they took in 1.16 Billion in revenue in 2010, but their profit margin is under 4%.

    It takes them about 2-3 years to make back the money they gave up via the fine. That, plus an additional $80M in compliance activities to prove they’re fixing the problem.

    That looks a lot bigger than “a cost of doing business” which is what a fine should be.

    1. Graham Sutherland

      That’s the figure they’re reporting, but I’d bet they’re making a hell of a lot more in reality. That’s probably the profit figure after the bosses dip their fingers into the coffers to extract their bonuses. Also, with the kind of activity that this article mentions, do you really think their entire revenue stream is on the books?

  7. George G.

    “MoneyGram has agreed to retain an independent corporate monitor”

    Just how independent is that monitor going to be if retained by MoneyGram? Why not retained by the DOJ?

  8. Jim Woodhill

    Brian,

    RE:

    > Each week, I reach out to or am contacted by organizations
    > that are losing hundreds of thousands of dollars via cyber
    > heists.

    I hope you are advising all the victims you encounter to call Julie Rogers & Co. at Silicon Valley Law Group first, even before they call their bank. As you yourself noted in:

    http://krebsonsecurity.com/2012/06/bank-settles-with-calif-cyberheist-victim/

    BANK SETTLES WITH CALIF. CYBERHEIST VICTIM

    In this article you noted:

    > Last week, Village View announced that it had reached
    > a settlement with its bank to recover more than just
    > the full amount of the funds taken from the account
    > plus interest for Village View Escrow.

    But you failed to mention (though the corresponding article in BANK INFO SECURITY Magazine did) that SVLG got a LOT more than anyone would ever think possible who was familiar with the limitations of recovery in UCC-4A. This was because SVLG got creative on causes of action, and employed novel pleadings that just happened to be endorsed by the decision of the Court of Appeals for the First Circuit in its *scathing* reversal of PATCO vs. People’s United Bank. (Had Patco’s attorneys pled that “executed in good faith” part of UCC-4A rather than just the “commercially reasonable security” part, my read of the opinion is that the First Circuit would have allowed “negligence” as a cause of action along with “breach of fiduciary duty” and others that the appeals court found “consistent” with the intent of UCC-4A.)

    Silicon Valley Law Group 25 Metro Drive, Suite 600 San Jose, CA 95110
    Tel. (408) 573-5700
    Fax (408) 573-5701
    http://www.svlg.com/

    Victims need to start putting the Fear of God into the banks that let them be robbed. The fear of Julie Rogers and Kim Dincel is the next best thing.

    — Jim Woodhill, Advocate for the Victims

  9. Mikolaj

    The financial penalty is definitely not everything in such cases. It is not too painful for a financial institution and – sadly – it looks like the reputation risk importance hasn’t got enough public attention these days…
    I believe the government has got to come up with some more sophisticated forms of enforcement – e.g. requirement of enhanced reporting on remedy actions, mandatory budget increase on AML programs, compulsory training for all employees, intensified internal fraud screening etc.
    Otherwise, financial institutions will just pay fines from the profits they gain on such illegal actions – the final result will be always “above the line”.
