May 11, 2010

The FBI’s top anti-cyber crime official today said the agency is planning a law enforcement action against so-called “money mules,” individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud.

Patrick Carney, acting chief of the FBI’s cyber criminal section, said mules are an integral component of an international crime wave that is costing U.S. banks and companies hundreds of millions of dollars. He said the agency hopes the enforcement action will help spread awareness that money mules are helping to perpetrate crimes.

“We want to make sure that public understands this is illegal activity and one of the best ways we can think of to give that message is to have some prosecutions,” Carney said at a Federal Deposit Insurance Corporation (FDIC) symposium in Arlington, Va. today on combating commercial payments fraud. “We realize it’s not going to make the problem go away, but it should help raise awareness and send a signal.”

Money mules typically are first contacted by e-mail, usually with a greeting that claims the prospective employer found the recipient’s resume on Careerbuilder.com, Monster.com, or some other job search site. The fraudsters usually represent themselves as international finance or tax companies that are looking to hire “financial agents” to help customers move their money abroad speedily. Candidates often are told the position is a work-at-home job, that no experience is necessary, and that they need only have access to a computer with an Internet connection.

The mule recruitment process can be very convincing: Some scammers go through the trouble of conducting phone interviews, following those up with a barrage of online questionnaires. At some point in the recruitment process, however, the fictitious company will require the recruit to hand over their bank account numbers, so that the erstwhile employer can deposit their clients’ funds. The employees eventually receive checks, wire transfers or automated clearing house (ACH) payments, and are asked to pull the money out of their bank in cash and wire the money overseas through establishments like Western Union and Moneygram. The typical “commission” for each transfer (most money mules get a single transfer before they’re fired) is about 8 percent, minus the fees for wiring the money.

I have interviewed more than 150 money mules in the course of my investigations over the last year into this type of fraud. I can safely say that most mules fit into one of two camps: Those that are simply not the sharpest crayons in the box and really did get bamboozled (at least up to a point); and those who are out of a job, laid off, or otherwise in need of money and simply aren’t asking themselves or anyone else too many questions about the whole process.

I find most mules fit into the latter group, and you can usually tell because these individuals often will admit to having set up a new account for the job – separate from where they keep their meager savings or checking. When pressed as to why they did this, if they’re honest most will say they weren’t sure about the whole arrangement and wanted to protect their investments just in case their employers turned out to be less-than-honest.


47 thoughts on “FBI Promises Action Against Money Mules

  1. Carl

    This should be an effective deterrent if the FBI really carries through with it. I wonder because each mule would be responsible for a small amount of each crime, right?

    Ignorance of the source of the criminal transactions should not be a defense. If the mules are that ignorant and unaware of the schemes and circumstances, they probably should not have a job or a bank account.

  2. TJ

    Well, this just proves to me how completely out of the game the FBI has been up to this point. Brian has written story after story over the past year about how small businesses have been collectively robbed of millions of dollars and the FBI is “just now” considering some form of action against the money mules? Give me a break. Something’s rotten is Denmark.

    That said, in addition to going after the money mules in hopes of making some form of example out of them, wouldn’t it also be logical to do an educational media blitz on TV, radio and print (and oh let’s see Carreerbuilder.com and Monster.com) that explains the process and how your participating could put you at risk of prosecution?

    I’m betting the reason this hasn’t happened and won’t happen is because the banks don’t want the the insecurity of online banking widely publicized. The bank bean counters would rather deal with losses on their own end than compromise the reputation of online banking as a whole.

    1. Bob

      Last paragraph: The bank bean counters don’t usually eat the loss. The business usually is stuck with the loss of money. The business accounts of a bank protect the bank from anything that happens with that account.

      Yes, on-line banking security needs to be increased (as if there is much now).

      A media blitz will never happen. The financial sector has too much influence over the media and the federal trade commission. It would be great to see some/any recognition that this problem exists.

    2. A. Thomas

      I disagree, it’s not the banks fault for not informing these people who don’t know that if “it is too good to be true it’s a SCAM!!!!” Why doesn’t careerbuilder.com or monster.com put some type of warning or education out there regarding these scams?? Because they don’t want the negative publicity……they know their business is aiding these fraudsters and don’t care enough to try and warn the “not so bright bulbs in the pack” to stay away from these offers.

  3. qka

    FBI = Fools. Buffoons. Idiots.

    Instead of going against the originators of the crimes, they go against the lowest level underlings, many who as Mr. Krebs said may either not be the brightest bulbs, or who are unemployed and somewhat desperate.

    It’s like going after the street corner dealers instead of the drug kingpins.

    1. JBV

      The Federal Bureau of Investigation (not your peculiar designation of FBI) lists “Protect[ing] the United States against cyber-based attacks and high-technology crimes” as its third highest investigative priority, coming only after protection from terrorist attacks and foreign espionage. They have been very active in investigating high-tech crimes; apparently this is an attempt to go about it from a different direction.

      Just as an aside, the federal DEA (Drug Enforcement Administration) will not investigate drug complaints that involve small quantities, e.g., street corner dealers. This is left to local jurisdictions. But, being a money mule is not local criminal activity, and is appropriately handled at the federal level.

      1. qka

        Retiring a billionaire is my third highest priority; I’m not sure it’s going to happen either.

        In all fairness, I’m sure the FBI is doing good things in the area of InfoSec. I also realize there are legitimate reasons why they cannot publicize much of that work.

        On the other hand, in the past decade or more, they have had an image problem. Coming down hard on individuals who will have a tale of woe for the press will not help that image.

        Remember too, that a lot of their image problem, at least in my opinion, stems from that the FBI had a lot of information in house on the 9/11 hijackers on 9/10, and was not prevent those disasters.

        1. Joe Schmoe

          Obviously, their priorities are way off. They should pursue college kids copying music files instead because, according to the RIAA, there dollarss being stolen are tremendously high in comparison to these theoretical dollars from ACH. Plus, poor musicians such as Michael Jackson are losing their homes because of the heinous crimes committed by kids while studying!

      2. Anonymous

        The FBI is rarely willing to investigate cyber crimes. They’ll actually tell you to contact your local police dept sometimes, who tells you to contact the FBI. I’ve had some personal experience in this area. Read the book Fatal System Error by Joe Menn for a good description of how the FBI handles computer crimes.

    2. Paul

      Are you really comparing a neighborhood dealer selling to underground market to someone stealing money from your neighbor’s bank account? Come on!

  4. emv x man

    The FBI would be better off investing the time and money into helping the banks make improvements to their security rather than attacking the mule.
    Does anybody know how much money the average mule transfers.
    When it comes to unwitting mules, we get into the realm of ID fraud and the the potential issue of the FBI prosecuting people for ‘allowing’ themselves to have their ID taken and used in muling transfers.
    And qka makes two very good points.

  5. furble

    Shouldn’t banks, Western Union etc. question these transfers? I think for banks when someone who has never gotten ACH deposits into their account suddenly does red flags should go up. And when someone wants to send $9k to Russia, perhaps they should have to read an advisement of money mule/cybercrime? Maybe sign a form saying what the transfer is for? This is somewhat akin to prosecuting Grandma for falling for a Nigerian 411 scam. There has to be some safety checks built into the system somewhere.

    1. Michael

      I actually went and looked at a WU moneygram at a grocery store and to WU’s credit, the top left quadrant of the 1st page is a list of warnings on sending money to someone you haven’t met, etc. However the tone of the warnings is subdued and not screaming-out-at-you, and not effective IMO. While I agree with other comments on the futility of prosecuting street-corner drug retailers, prosecuting mules may work because mule-ing doesn’t have the addiction component that drugs do (which keeps demand up). On the other hand, economics say criminals may simply have to offer a higher rate like 20 or 30% to convince mules to continue mule-ing with the real threat of prosecution in play. I think the criminals are beyond the reach of US law and the FBI’s going after mules because they’re the only ones readily accessible to them as a domestic law enforcement agency.

    2. single-use-name

      This kind of thinking is what makes using services like Moneygram or Western Union such a beurocratic hassle.

      Why should I suffer because some merchant accepts payments via inherently insecure credit cards and fails to secure their cc info databases from script kiddie carders when I want to move a spot of cash to a distant friend?

      And what bank doesnt at least use two factor authentication for their remote banking nowdays?

      (And dont get me started on the KYC dossier compilation requirements just to open an bank account.)

    3. The Banker

      If you bank @ a large bank you can forget it! But if you want good service and bank with a community bank then the odds are these types of transacactions are monitored very closely and denied. That is why the fraudsters are now using the Western Unions and MoneyGrams because they don’t care why you are sending money any where. They should have alerts posted at all locations warning of these scams but again, that would give negative publicity and these days businesses are only focused on sell, sell, sell not protect your customers!

  6. seattlemkh

    You know, I attended a talk by an FBI higher-up more than a year ago, where he was talking about increased international cooperation in prosecuting information-based (there is no such word as cyber) crimes, and I asked what they were doing about the mules as part of a comprehensive strategy. He looked at me as if I was speaking Martian and had no response.

    But ask yourself this – in Mexico, there are killings every day over drug money. While I don’t personally believe it, it’s been said that there’s more money in logical crime than the drug trade. Doesn’t it stand to reason that this will soon get violent, and the crusaders that take down botnets, impede the recruitment of the mules etc. are going to be targeted?

    Just sayin’.

  7. seattlemkh

    … and let me just say too, that the banks’ inability to detect this fraud is reprehensible. They are complicit. I’ve spoken with the acquiring bank of my employer about this, and their solution is a year away.

    Lame.

    1. The Banker

      sounds like your employer has chosen the wrong bank to keep their money safe!

  8. Louis

    Lack of controls is the number one issue here, in my mind. (And apparently, furble is the only other one)

    Banks, banks, banks… Whenever they can make more money than lose, there will usually be a lack of control to begin with. The credit card industry’s history is paved with examples.

    In my mind, going after the money mules will be another haven for defense lawyers; you can almost see the ads from here…

  9. PhantomTramp

    If I’ve got a vine taking over my house, do I just trim the ends of it and hope it will all die?

    Nope.

    Find where the stalks meet the root and cut out seven inches…

    The Tramp

  10. LT

    Brian, I think I got an email once from someone saying they found my resume on Monster and I just deleted it, but I did try to find first if there was somewhere I could forward the email so the authorities could try to trace it back to its source, but I didn’t find anyplace to send it. Is there a place (FTC, maybe) where these types of emails should be forwarded?

  11. Blue Steel

    Now that’s how you fight crime!

    Go after the innocent people who contribute nothing to the investigation. Never go after the criminals that are responsible – then you would get your massive FBI budget cut – and we most certainly can’t have that.

    Another way to “raise awareness” would be to raise awareness by buying advertising. But why do that when you could spend millions of dollars on salaries for special agents and jam the courts with even more people?

  12. Bob

    Are mules used more than once? I would like to think that after the first returned ACH deposit that is debited from your account, you would think that something is not quite right and not do it again. Especially if the bank is threatening to come after you for the money that you sent somewhere. But then again, some of these people (like Brian said) are not necessarily the sharpest tool in the shed.

    1. BrianKrebs Post author

      Hi Bob. Good question. In most cases, the mules are one-time use, and that’s it. They’re burned. I have encountered the odd exception. One thing that is actually starting to happen more frequently now is where a mule will get one fraudulent transfer, and then they’ll get a fraudulent check from another victim organization a few days later.

      Generally speaking, though, once they’ve wired that money overseas, they’re as good as forgotten by the bad guys.

      Although, that actually may not be the case. I’m doing some longitudinal studies to see if these mules end up becoming victims of ID theft. I doubt that’s the case, but then again why not wring one more ounce of value out of the system while you can, right?

      1. ThinkAboutIt

        >I doubt that’s the case, but then again why not wring one more ounce of value out of the system while you can, right?

        Thats bad business, those that do fall into the latter category usually know they are getting into something illicit already, be it from news articles they’ve read or friend of a friend, thats advertising in itself, if you suddenly burn everyone you recruit, well whos going to want to work for you, whether they know your a criminal or not?

        I think you will find that most mules are not victims of ID theft on the behalf of their employer

        1. BrianKrebs Post author

          You seem to be thinking that mules recruit one another by word of mouth. That’s not generally the case.

          Strictly speaking, why wouldn’t the mule recruiters steal these peoples’ identities — that is, *after* the mules have already wired the money? By definition, everyone who is a mule and wires the money is burned, because the second the thieves have the MCTN that allows them to pick up that wire anywhere in the world, they cease all communications with that mule. But that doesn’t mean that mule’s personal and financial information can’t still be abused.

          Why is that? Most of these mules give up their Social Security Number as well.

          1. Carl

            To your point, Brian, those who are engaged in the business account ACH theft might not have anything to do with the mule after one incident, and while they will not necessarily be engaged in a scheme that requires stolen identities, they could certainly sell the stolen identities.

          2. ThinkAboutIt

            Of course mules dont recruit each other, the ladder has to go up, what im saying is that those creating these fake checks dont want to have word of mouth out that they burn everyone they use, that would be bad advertising for their side, all the press they have recieved already im sure has piqued the interest of many that have fallen on hard times in this economy, thus the sweep on the middlemen, to create a buzz as another user put it.

            It works both ways you know.

  13. Michael

    Hmm. What would happen if the mule just kept the money and mnoved it out of the compromised account?

    1. KFritz

      Just to hazard a guess. He/she would be guilty of easily provable grand theft. I’d venture to guess that’s Big Trouble in River City.

  14. Dave Mich

    My assumption here is that the FBI wants to generate more grassroots word-of-mouth buzz about the dangers of being taken in by check-cashing schemes (which is what this is, not significantly different from the craigslist “here’s 10K for your bike, please send the difference to my brother in slovakia” scam.) By leaning on the money mules they will generate a whole raft of “ain’t it awful” stories in the press which might actually get the attention of potential recruits.

  15. Ben K

    All one big dog and pony show to ‘please’ the public and make it seem like they are making a credible effort. Which politician put them up to this? Go after the mules? Seriously? can you be that stupid?

    I wish they would stop pussyfooting around..it seems like they or someone higher up is afraid to _require_ stronger e-banking standards in banks because they don’t want the system to appear ‘unstable’ to the public. We know the big gov protects banks and is afraid of lowering banking system confidence. So they do their best to divert attention or throw smoke up.. Kind of how they have really danced around the NASDAQ dip last week. That last sentence was a bit of a stretch, but, it goes to show how they walk on broken glass all the time…

    Who do they think they are fooling with these headlines?

  16. Ben K

    Meanwhile every Admin behind each of those C&C’s on the Zeus tracker is laughing at the ‘effort’ being made to come after them.

    These guys don’t need to walk into a bank and risk life and limb anymore.. They don’t need to get cute with web app penetration…they just need to continue the spam campaigns, iFrame injections, targeted emails, etc. All that while sitting in their homes in their underwear.

  17. potential MM

    I find all this very interesting….I have been contacted by a person who is suppose to help me receive lottery winnings(PIGGSONLINE 2006). Does anyone know of John Terry & Associates (New York) (johnterry347@yahoo.com) 646-833-5845? He is supposidly the head-financier referred to me by Mike Harris (UK) (harrism2111@yahoo.co.uk).

    This is how he is to help me. He wants me to open an account for both of us, inwhich he has access to. He was going to deposit a large sum of money in order for me to transfer to a CBN bank in Nigeria (big clue) which is required so I could receive lottery winnings of $3.2M. He would receive 15% of $3.2M for his advance money to me. I have already lost over $400K trying to receive these funds. Ok, it appears I’m not the brightest crayon in the box, but since I have invested and lost so much, I just want to re-coop my losses.

    Is there a way I can trap him? Or do something that would protect myself and still receive some money? I would be happy to receive $5K and walk away.

    I invite all feed-backs……

    1. Kathy

      I receive those type of emails all the time and have actually received two large checks which I chose not to cash even though I had a daughter who thought I should so I could help her out of a tough stop do to the economy. I’m glad I never got pulled into those money scams.

      I used to delete them as spam, but now that I read one one of Brian Krebs e-mails saying to forward quesstionable e-mails to Bobbear: bbctactus at gmail dot com

      Thanks Brian the info will be of great use.

  18. AlphaCentauri

    Shall we prosecute the bank tellers that allow the mules to withdraw the money? Should we prosecute the WU clerks that wire the money overseas? Shall we prosecute the bank managers and Western Union executives that fail to train their staff to spot mules?

    After all, those people deal with financial transactions for a living, day after day. There’s more reason to expect them to recognize a scam than to expect someone who has never been involved in something of the sort and who is uninformed enough to get involved. If the mule knew what was going on, he wouldn’t bother. It’s not easy money if you have zero chance of keeping it.

    The underlying assumption of this plan is that mules should be better than anyone else at spotting the scams. If the role of mules is so critical to the process, then the FBI would accomplish a lot more by becoming undercover mules and baiting the scammers themselves. There’s no shortage of mule recruitment spam to answer. And if the FBI created designated bank accounts to go with their operation, then the minute any money were transferred in to one of them, there would be an alert sent to the company being victimized. With immediate warning, the transfers could be reversed before the mules’ banks opened in the morning. A single undercover mule could stop an entire operation.

  19. meh

    That’s worked wonderfully for the DEA with drug mules… The U6 unemployment number (the REAL rate) is over 17%. Hungry people about to lose their homes will do this. This crime is a perfect example of a crime whose cause is socioeconomic. Putting more people in prison isn’t the answer. Your going to send someone to prison for 10 years at a cost of 50k a year because they send five hundred bucks to a Russian via Western Union? Good luck with that.

  20. Allan Lengel

    hey brian. like the site.. i don’t know if you’ve seen mine, ticklethewire.com… allan lengel

    1. Brian Krebs

      Hey Allan! Thanks for visiting. I’m enjoying your site. I’ll send you a note separately.

      Cheers!

  21. AlphaCentauri

    I found a story about a mule who did go to jail, several years ago. Someone made a lot of money; he lost all his assets and went to jail. He was so ticked off at being taken advantage of that he signed up with another scam. Instead of cashing the fake cashier’s checks they send him, he’s been collecting them as evidence:
    http://www.kxxv.com/Global/story.asp?S=12523787
    Too bad you need a bank account to bait the ones who use bank transfers.

  22. TheRock

    What will it take to make banks and online brokerages start using security tokens and key fobs? Most people would pay for it and I am surprised providers of business interruption policies don’t mandate their insureds use banks that have security tokens. The problem is, no banks seem to provide them as an authentication mechanisms.

    The banks need to lose a really big lawsuit. They just do not care right now that all these small businesses are being fleeced. They are complicit. They are negligent and they need to be litigated into oblivion over what is happening.

    1. Kathy

      I can’t speak for all other banks or online brokerage firms, but the Credit Union I am a member of and have been for more than 15 years. Once they went online, the use of security tokens and authentication mechanisms were in place to keep its members protected when doing their online banking and I’m glad they do.

  23. Ann Talbot

    Hey Brian, I’d love for you to give me Mr. Carrey’s contact info so he can put his action where his mouth is. As a firm that recently got hit and would love to prosecute some of those mules that benefited (as well as those receiving banks that knew in advance that they were mules) we’d love to be holding the hammer instead of being the victim. For the comments made regarding banks don’t care because it isn’t their money, that’s EXACTLY what we found. MOST of the receiver banks would not even cooperate and those that did required a hold harmless agreement to be signed. As one security expert told me, Banks are not your friends. A true statement if there ever was one.

  24. Carl

    Actually, the banks cannot possibly fund all of the losses from stupidity. It is unsecured computers and hackers who go after them who are not your friends.

  25. fsvnsjh5

    Панель управления Интернет Радио, техническая поддержка и администрирование Интернет Радио, разработка радио проектов,

  26. antique furniture restoration

    I just couldn’t go away your web site prior to suggesting that I really enjoyed the usual information a person provide to your visitors? Is gonna be again incessantly to check up on new posts.

Comments are closed.