Cybercriminals’ money-laundering backbone: Cash-strapped consumers

Ever see an online ad, or receive a text message or email that offers you an extra $1,000 a week, or perhaps an 8 percent commission, to conduct financial transactions from the comfort of your home? If money is tight, offers like these can seem like a lifeline, but the ads are nothing more than scams designed to lure you into becoming a money mule—with or without your knowledge.

If the offers sound too good to be true, it’s because they are, says Joram Borenstein, vice president of marketing at financial-crime prevention company NICE Actimize.

“If you’re a consumer, ask yourselves why an organization would ask a complete and total stranger [to] handle sensitive financial transactions,” Borenstein says, without even requiring a résumé.

Money mules perform a critical task for online thieves by helping them launder stolen funds with their legitimate financial accounts. A thief pays a mule a flat fee or a percentage of the total funds to accept a money transfer into a legitimate account the mule owns, then transfer it to another account controlled by the thief, thus making it appear clean to investigators. And the thief quickly drops the mule, often after only one transaction.

The appeal of low-effort, high-reward money for doing what millions of people do every day—send money from one account to another—is a tempting siren. Many mules aren’t aware that what they’re doing is illegal until caught and confronted by authorities. By that point, the thieves have disappeared, leaving the mules to face money-laundering charges alone.

Despite years of efforts by law enforcement agencies and financial institutions to stop online money muling, cybercriminals’ practice of recruiting and using mules persists. It remains a reliable way to move money across institutions and national boundaries, Borenstein says.

“It’s very old-school and old-tech. It could have some twists with mobile technology and bitcoin, but they use fairly rudimentary techniques because it works,” he says.

From January 2015 to June of this year, the FBI’s Internet Crime Complaint Center said it received 22,143 complaints related to online money muling, totaling more than $3 billion in losses, says Jim Barnacle, who leads the FBI’s Money Laundering Unit.

Online thieves have been refining their schemes over the years to appear slick and professional, to make up for the red flags that keep others away, says George Tubin, director of product strategy at ThreatMetrix, who has been tracking financial cybercrime for more than a dozen years.

They create listings on job sites like Monster, or build fake corporate websites, or send out phishing emails that look authentic—no misspellings or Nigerian princes here, Tubin says.

“What they’re looking for are folks with established bank accounts [who] don’t have to open up something new,” he says.

One scheme involves the mule receiving a fraudulent check that looks legitimate. The mule deposits the check and transfers the money, minus their fee, to the criminals’ account, often before the bank is able to flag the check as fake. At that point, the mule is out the entire sum of the check, having used his own money to enrich the criminals.

In another tactic, cybercriminals target college students with the promise of earning “$100 here and there,” Barnacle says. They also target people searching online for work-from-home opportunities and love.

“People who should be cautious are people who are being targeted for work-from-home schemes and romance schemes,” Barnacle says. In online-dating chats, one common line of persuasion is that the online lover is a soldier stationed overseas, and he needs to get money to his mother who doesn’t have an account at a big bank.

“Don’t send them money, no matter how much they say they love you or how gorgeous the pictures are,” Tubin advises.

The easiest way to to tell if you’re unwittingly muling money for a criminal enterprise, Borenstein says, is if you’re performing money transfers through your own account for somebody else. That act alone is rare enough to raise law enforcement concerns. But if you started performing money transfers in response to an ad for an employment gig “as short as 30 or 60 days” with an organization that isn’t listed with the Better Business Bureau, it’s a pretty safe bet that you’ve been muling.

What to do if you suspect you’ve been money muling

Completely stopping money muling is hard, but Barnacle says international efforts to increase awareness are helping.

“We’re constantly working with our partners, particularly in the Five Eyes law enforcement group, to target the bad guys,” he says, adding that he wants wants consumers who suspect that they’ve been unwittingly muling money for cybercriminals to contact the FBI through the IC3.gov site and detail their experiences.

The FBI uses this information to “triage and determine what new schemes are going on. That data is critical to figure out what’s going on,” he says.

Barnacle says that while the law enforcement agency has prosecuted mules in the past, pre-emptively coming forward as a possible victim of a larger organization is the safest route.

“For low-level, unwitting victims, we typically provide them a letter telling them that what they’re doing is illegal, and they should cease and desist,” he says. “We’ll go out and talk to them. We’ll explain the scheme and how they’re an unwitting victim. Often, it ends at that point, and if it doesn’t, we’ll meet them again, or send a letter again.”

If the mule still refuses to stop, Barnacle says the FBI will file criminal charges against them. “Ultimately, they can be charged with fraud.”