Electronic 'mules' absorb the risks in online money-laundering scams, often without knowing they're doing anything wrong

Tim Wilson, Editor in Chief, Dark Reading, Contributor

August 10, 2007



If you've seen messages like this in your email box, you might recognize them as spam. But you might not recognize that many of them are recruiting posters for one of the fastest-growing segments of the cyber crime economy -- the online mule.

A "mule" is an intermediary who carries goods or money on behalf of a paying criminal. In the drug trade, a mule might help with deliveries or smuggling. In credit card schemes, a mule buys goods with stolen credit cards and shares the proceeds with the card thief. In both cases, mules usually know they are participating in a crime.

But Gunter Ollmann, director of security strategy at IBM Internet Security Systems, says there is a new category of mule that is increasingly -- and sometimes unwittingly -- playing a critical role in the business of phishers and online identity thieves.

"When a phisher steals money from a victim's bank account, he obviously doesn't just route that money to his own account and spend it," Ollmann explains. "If he did that, he'd be caught right away, because the bank can monitor the money's trail. So most phishers need help from mules to help launder the money -- and that's who they're trying to recruit when they send out those 'work from home' spam messages."

The process works like this, according to Ollmann. When a phisher starts a major spam campaign, he also initiates a separate campaign to recruit the mules he'll need to launder the money he's getting from the phishing victims. While he's emptying the bank account of the victim, he's asking other banking customers to accept small fractions of the money into their accounts.

Once the mules have those electronic funds, they may transfer the bulk of them to another country where they can't be traced, or simply write a paper check to buy goods that can be resold for cash. Sometimes the mule simply gets cash and transfers it to another location via Western Union. However the transfer is done, the mules get to keep a portion of the money for themselves.

But while some mules know that what they're doing is illegal, many others do not, Ollmann observes. "Some of these money laundering schemes look very legitimate," he says. "The phisher might say they are a company that is looking to gain a tax advantage by having the user handle the money, or they might say they want the mule to do some purchasing on behalf of their company. Their communications are very professional, and their Websites look very established."

Phishers often take advantage of mules who don't know they can be detected or prosecuted for participating in money-laundering schemes, Ollmann says. "They get a lot of high school or college students who think they won't get prosecuted, even if they are caught."

Banks are constantly on the lookout for suspicious funds transfers, even before a theft occurs. But they can't monitor every transaction, so they usually put a minimum -- say, $1,000 -- on the transfers they monitor. "The goal of the phisher is to make transfers that are smaller than that minimum, so that the bank won't detect them," Ollmann explains.

But as identity theft becomes more common and banks raise their antennas to detect these schemes, that "minimum" transfer is shrinking, Ollmann says. "To continue to operate under the radar, [phishers] need to work in smaller and smaller transaction sizes. Some of the banks have lowered their thresholds to a few hundred dollars."
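The monitoring gap Ollmann describes can be narrowed by summing transfers per source account rather than checking each one against the minimum. The sketch below is an added example, not code from the article or from IBM ISS; the ledger is constructed, and the function name, the 24-hour window and the three-recipient floor are assumptions. Only the $1,000 minimum comes from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (time, source account, destination account, USD).
SAMPLE_TRANSFERS = [
    ("2007-08-01T09:00", "victim-01", "mule-a", 450.00),
    ("2007-08-01T09:20", "victim-01", "mule-b", 480.00),
    ("2007-08-01T10:05", "victim-01", "mule-c", 475.00),
    ("2007-08-01T11:30", "victim-01", "mule-d", 490.00),
    ("2007-08-01T09:10", "payroll-7", "landlord", 950.00),  # single ordinary payment
    ("2007-08-01T12:00", "saver-22", "broker", 2500.00),    # already over the minimum
    ("2007-08-01T08:00", "family-3", "child-1", 300.00),
    ("2007-08-04T08:00", "family-3", "child-2", 300.00),    # spread over several days
    ("2007-08-07T08:00", "family-3", "child-3", 300.00),
]

def flag_fan_out(transfers, minimum=1000.0, window=timedelta(hours=24),
                 min_recipients=3):
    """Flag sources whose sub-minimum transfers, summed inside one sliding
    window, reach the minimum and go to several distinct recipients.
    window and min_recipients are assumed values, not from the article."""
    by_source = defaultdict(list)
    for ts, src, dst, amount in transfers:
        if amount < minimum:  # keep only transfers a per-item rule would ignore
            by_source[src].append((datetime.fromisoformat(ts), dst, amount))

    flagged = {}
    for src, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            burst = items[start:end + 1]
            total = sum(amount for _, _, amount in burst)
            recipients = {dst for _, dst, _ in burst}
            if total >= minimum and len(recipients) >= min_recipients:
                best = flagged.get(src)
                if best is None or total > best["total"]:
                    flagged[src] = {"total": round(total, 2),
                                    "recipients": sorted(recipients)}
    return flagged

if __name__ == "__main__":
    print(flag_fan_out(SAMPLE_TRANSFERS))
```
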

As a result, phishers now need more mules than ever, and their recruiting campaigns have intensified. "We're seeing more recruiting spam, and it's becoming more sophisticated, so more people are being taken in," Ollmann says.

But users shouldn't have any illusions about making a few extra bucks by playing mule, Ollmann warns. "Mules do get prosecuted -- in fact, they're more likely to get prosecuted than the phishers, because the bank can trace the money to their accounts. The life of a mule is pretty short. They might only operate for two to four weeks before they're caught."

IT and security pros should take care to advise their users about these phishing/spam campaigns and keep them from getting sucked in, Ollmann says. "These offers look pretty attractive, even to people who are already employed and doing well. It can be easy to get fooled."

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
