A week ago Friday, the U.S. Justice Department announced that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized businesses, but incredibly this settlement appears to be unrelated to these cyber heists.
According to the DOJ, “the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’ In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system.”
The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing (oh, and willful neglect of employee fraud).
“Despite thousands of complaints by customers who were victims of fraud, MoneyGram failed to terminate agents that it knew were involved in scams. As early as 2003, MoneyGram’s fraud department would identify specific MoneyGram agents believed to be involved in fraud schemes and recommended termination of those agents to senior management. These termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity grew from 1,575 reported instances of fraud by customers in the United States and Canada in 2004 to 19,614 reported instances in 2008. Cumulatively, from 2004 through 2009, MoneyGram customers reported instances of fraud totaling at least $100 million…To date, the U.S. Attorney’s Office for the Middle District of Pennsylvania has brought conspiracy, fraud and money laundering charges against 28 former MoneyGram agents.”
$100 million may seem like a painful fine, unless you take a look at MoneyGram’s company facts page, which states some fairly staggering figures: “MoneyGram has 293,000 agent locations in 197 countries and territories,” or, to put it another way, “more than twice the locations of McDonald’s, Starbucks, Subway and Wal-Mart combined.”
The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems.
Each week, I reach out to or am contacted by organizations that are losing hundreds of thousands of dollars via cyber heists. In nearly every case, the sequence of events is virtually the same: The organization’s controller opens a malware-laced email attachment, and infects his or her PC with a Trojan that lets the attackers control the system from afar. The attackers then log in to the victim’s bank accounts, check the account balances and – assuming there are funds to be plundered – add dozens of money mules to the victim organization’s payroll. The money mules are then instructed to visit their banks and withdraw the fraudulent transfers in cash, and wire the money in smaller chunks via a combination of nearby MoneyGram and Western Union locations.
The latest example: On Nov. 16, 2012, attackers logged into accounts at Performance Autoplex II Ltd., a Honda dealer based in Midland, Texas, and began adding money mules to the company’s payroll. The thieves added at least nine mules, sending each a little more than $9,000. One of the mules used in this attack — a Louisa Lies (no kidding, that’s her real last name) — got two transfers totaling $9,220.58. She was instructed to visit two different Western Union locations, sending a total of $3,844 to two different recipients (one in Russia, the other Ukraine); Lies sent another pair of transfers (again, to two different people in Russia and Ukraine) totaling just over $5,000, via two separate MoneyGram locations. Lies said she paid $155 in fees to Western Union, and $136 in MoneyGram charges.
It appears that there were at least eight other money mules who were sent and forwarded on similar-sized transactions drawn on the hacked Honda dealer’s accounts. If we assume that the average transfer fee that MoneyGram charged for those transactions was about $150, that means MoneyGram received about $1,350 of the money stolen from the Honda dealership. Now imagine that there are dozens of U.S. small businesses each week that find themselves in a similar situation, and you begin to get an idea of MoneyGram’s (and Western Union’s) role in this type of fraud.
Saying that MoneyGram has a problem combating money laundering is a bit like observing that the American people have truthiness and trust issues with Wall Street. Perhaps fittingly, MoneyGram was one of the first publicly traded U.S. companies to face serious financial trouble after the housing and credit markets began weakening in 2007, and in 2008 Goldman Sachs owned a 79 percent stake in the firm. MoneyGram ended up paying $80 million to settle a securities fraud lawsuit stemming from losses on subprime loan investments at the time.
Between then and now, the company has settled a bevy of other fraud-related lawsuits, including a case in 2008 with 43 U.S. states, and an $18 million fraud case brought in 2009 by the Federal Trade Commission.
According to the DOJ, MoneyGram has agreed to enhanced compliance obligations and structural changes to prevent a repeat of the charged conduct, including:
- Creation of an independent compliance and ethics committee of the board of directors with direct oversight of the chief compliance officer and the compliance program;
- Adoption of a worldwide anti-fraud and anti-money laundering standard to ensure all MoneyGram agents throughout the world will, at a minimum, be required to adhere to U.S. anti-fraud and anti-money laundering standards;
- Adoption of a bonus system which rates all executives on success in meeting compliance obligations, with failure making the executive ineligible for any bonus for that year; and
- Adoption of enhanced due diligence for agents deemed to be high risk or operating in a high-risk area.
The DOJ further said that to oversee implementation and maintenance of these terms, and to evaluate the overall effectiveness of its anti-fraud and anti-money laundering programs, MoneyGram has agreed to retain an independent corporate monitor who will report regularly to the Justice Department.
I don’t claim to have the answers about what MoneyGram could be doing better to fight fraudulent uses of its network, but here’s hoping the newly agreed-upon anti-fraud measures don’t overlook the rampant use of MoneyGram’s services in costly and disruptive cyberheists against America’s small businesses.