For a more recent article on money mules, read “How Cybercriminals Use Money Mule Accounts to Profit From Online Fraud.”

Money mules are significant in the process of cashing out compromised financial accounts. A money mule is a person who receives and transfers illegally acquired money on behalf of others. Unknowing mules are likely recruited through online job advertisements and spam email. Job titles may include, but are not limited to, “mystery shopper,” “payment processing agent” or “money transfer agent.” Mules may also be recruited through romance and lottery scams.

They also may be recruited through romance and lottery scams. Unknowing mules are vulnerable adults who are often older, lonely and potentially financially strapped. Fraudsters will start relationships with these individuals through online dating sites, social networking sites and/or job advertisement sites. The fraudster, acting as a predator, will attempt to cultivate a relationship with the victim based on lies.

Schemes that target unknowing participants are typically focused on employment and relationship scams. At some point, the victims of these schemes (particularly the employment scams) may become knowing, or at least half-suspecting, mules. They realize that they may be part of an illicit scheme but will continue to try to make money because of personal circumstances.

Read the white paper: Prevent phishing success with cognitive fraud detection

Work-From-Home Schemes

Work-from-home (WFH) schemes are fake job offers that are used by fraudsters and mule herders to entice witting or unwitting individuals into providing bank account details for the purpose of receiving an Automated Clearing House deposit or counterfeit check. They are then instructed to electronically transfer funds to a third party, often in another country. Mules are also often instructed to make transfers to the third parties via a money-service business, such as Western Union. Occasionally, mules will deliver cash in person to representatives of the crime group. This type of transfer usually involves a mule who is a willing participant in the illicit scheme.

WFH offers are usually cleverly created to look like legitimate companies. They will sometimes use recognizable trademarks, logos or names to create apparent legitimacy. Fraudsters use the following methods to get these job opportunities in front of potential victims:

  1. Spam Email: These emails are designed to look legitimate and bypass spam filters. The subject line is designed to entice people to open the email, claiming, for example, that participants can make thousands of dollars while working from home.
  2. Job Search Sites: Fraudsters troll career search sites such as Monster or CareerBuilder, looking to collect emails of those seeking employment. Those individuals will receive spam email as described above.
  3. Online Classifieds and Social Networking Sites: Fraudsters will post job opportunities in the employment sections of sites such as Craigslist. In one such job application, there is a description of the little work that is required to earn $500 a week. Those who click on the website link will be brought to a page that likely looks legitimate, provides more information and has an application process.

The job application process for some opportunities even require applicants to be interviewed by a company representative and possibly sign an employment contract. One or both steps may be taken by the fraudsters to enhance the offer’s legitimacy.

Individuals who succumb to these types of fraudulent job offers are often financially distressed due to extended unemployment or other financial hardship. The recent economic recession and high unemployment rate have provided a large population of long-term unemployed people who are vulnerable to this type of scam. Even though the job offers will seem suspicious to many, those who feel they don’t have anything to lose will give it a try. Unfortunately for them, most mules are only used once and will never see a commission. There is also a significant chance of being arrested and being a victim of identity theft later on because the fraudsters have all the personally identifiable information they need, such as the mule’s Social Security number.

The WFH Money Mule Process

Assuming that an individual has received and responded to an email or job posting, the remainder of the scam looks like this:

  • The new employee (mule) will be instructed to provide his or her bank account information or to set up a new account at his or her local bank and provide that information to the fraudsters.
  • The mule will receive an electronic fund transfer (EFT) into his or her account. The deposit will typically be less than $10,000, but may sometimes be more.
  • The mule will receive instructions about where he or she should transfer the funds, minus the commission. The mule will then perform an EFT from that account or through a service such as Western Union or MoneyGram. The typical “commission” for the mule is 10 percent or less.
  • The destination for the transfer may be to another mule or directly to a foreign bank account, likely in Eastern Europe.

A variation of this scheme is called a reshipper scam. The recruitment process is the same, but the difference is that the mule will receive illegally obtained merchandise and will be instructed to send that merchandise to a third party. Again, this could be another mule or directly overseas to a foreign recipient. As compensation, the mule is promised a commission, which obviously never arrives.

There are, however, WFH opportunities that are actually legitimate. These types of scams are successful because it may be difficult for some to distinguish between legitimate and fraudulent opportunities. The U.S. Computer Emergency Readiness Team provides the following warning signs of mule recruitment:

  • The position involves transferring money or goods.
  • The specific job duties are not described.
  • The company is located in another country.
  • The position does not list education or experience requirements. All interactions and transactions will be done online.
  • The offer promises significant earning potential for little effort.
  • The writing is awkward and includes poor sentence structure.
  • The email address associated with the offer uses a Web-based service (Gmail, Yahoo, Windows Live, Hotmail, etc.) instead of an organization-based domain.

For example, a woman was on Craigslist looking for a job when she found a WFH administrative assistant opportunity. She applied for the job, and that’s when things took a strange turn. She had not yet accepted the position when a package containing a check for $3,450 arrived at her door. Along with the check, the envelope contained detailed instructions to deposit the check into her personal ATM account, keep $400 for herself and send the rest via two separate MoneyGrams to different individuals in West Africa. This potential victim realized this was fraud and reported it.

Secret-Shopper Schemes

The secret-shopper mule usually falls prey to a secret-shopper scam, which is similar to the WFH scheme. This employment-based scheme is designed to lure victims with offers to earn extra money for shopping at certain stores or having the opportunity to keep the goods that are purchased in exchange for “evaluating” the customer service, among other things, while visiting the store.

Like the WFH scheme, these scam advertisements and websites are designed to look legitimate and blend in with other genuine secret-shopper programs. Likewise, recruitment is performed in a similar fashion using spam email and employment-site advertisements.

These scams will often include evaluating a money-service business such as Western Union or MoneyGram. Shoppers will receive a counterfeit check that may be worth several thousand dollars. Shoppers will be instructed to cash the check and use their local Western Union or MoneyGram to send proceeds to a designated third-party account. The shoppers are told to keep a certain amount for themselves and email the fraudster their rating of the service.

The Better Business Bureau issued a warning of one such scam business called Pinecone Research. This is an example of how fraudsters use legitimate-looking businesses to trick victims, since Pinecone Research Panel is an actual company. Hoax-Slayer did a further analysis of this scam, detailing the actual email and “company” correspondence sent out.

According to an article from First Coast News, a U.S. Navy veteran found securing full-time employment difficult after he completed his military career. While job hunting on the Internet, he saw an advertisement for a mystery-shopper evaluation job and applied. His assignments were easy; he would receive checks via FedEx and deposit them into his personal account. He was instructed to purchase prepaid cards with the funds from Green Dot, a provider for prepaid Visa or debit MasterCard cards. Once he had the Green Dot cards, he would call his manager and provide the card numbers and the amount. After the second “assignment,” his bank withdrew $3,000 to cover the cost of the counterfeit deposits. The victim reported the incident to his local sheriff’s office, but there was little that could be done.

Romance Mules

Romance mules usually fall prey to romance scams, which take place online and are deceitful romantic interactions with unsuspecting victims. These fraudsters work to gain the trust and affection of mules and use that relationship to commit fraud. The majority of the time, the victims do not know they are involved in a fraud scheme or criminal act until it is too late.

Fraudsters create fake profiles with stolen photographs and false names on dating websites, social media sites, blog forums, support groups, etc. Upon finding their next victim, they will begin contacting them and almost immediately want to chat privately via email or chat sessions.

The next phase generally lasts between four and six months as the fraudster forms a relationship with the victim. They act as if they are in love with the victim, forming bonds and sharing life stories. These fraudsters never live close to their victims; typically, they live or work abroad and promise they will visit as soon as they can. Once they gain the victim’s trust, they begin asking them to receive and transfer money on their behalf.

The following are some examples of reasons given by fraudsters:

  • They are experiencing banking-wire issues due to a foreign account.
  • They need money in the romance mule’s home country to pay for a family member’s illness or funeral, employees, taxes, etc.
  • They claim to be military personnel stationed overseas who need assistance accessing their funds due to being in a war zone.
  • They claim they are inheriting millions of dollars and must receive the funds in the romance mule’s home country.
  • They claim to need a package or documents received by the victim resent to someone in the victim’s home country.

Once the victims agree to accept the funds or packages and assist in resending them to others, they have unknowingly become mules. The packages could contain illegal drugs, weapons or large sums of cash. The deposits will most likely be from stolen or counterfeit checks and transferred funds will be from illicit activities or compromised accounts.

According to WKYT, a U.S. woman met a man on an online dating website whom she believed to be a U.S. soldier deployed to Nigeria. He said he was in the middle of a divorce and needed some assistance pawning jewelry and having the funds sent to him through Western Union. The jewelry the woman received was stolen from fraudulent online auctions, and she unknowingly became a mule in his scheme.

In the United Kingdom, a 61-year-old man was tricked by fraudsters when he allowed his personal bank account to receive and send money as part of a scheme to finance terrorists, according to The Telegraph. The victim believed he was corresponding with an affluent businesswoman in her early 60s whom he met on an online dating site. The “woman” claimed she needed to pay some of her employees in the United Kingdom who she said would only trust payments coming from a U.K. bank account. Once the man agreed, she began to wire large sums of money into his account and he would prepare and send checks on her behalf. The victim was charged with a criminal offense because he did not report the illicit incident to police.

According to the New Zealand Herald, a 50-year-old New Zealand woman met a man on an online dating website and corresponded with him for a year before he asked her to come visit him. The man transferred money into her bank account to pay for the cost of tickets. She was planning to visit him in London, but at the last minute, he asked her to make a “pit stop” in Buenos Aires, Argentina, to pick up some documents for him. The documents were actually 5 kilograms of cocaine that were hidden in the bottom of her suitcase.

A variation of the romance-mule scam is when the mule is being blackmailed to carry out the illegal activities on behalf of the fraudsters. The majority of these cases arise because the fraudsters, under the guise of an online love interest, convince the victims to share provocative or sexual photos or Skype sessions. The fraudsters will reveal their true nature and threaten to go public with these images or videos if the victim does not assist them in their illegal activities.

The following are some warning signs that you are talking to a fraudster:

  • After introductions, they want to move the conversation out of the forum or dating website to email, instant messaging or text messaging.
  • They profess love quickly and utilize endearing terms and pet names.
  • They live or work abroad but will be back in your area soon.
  • Their grammar or language skills are imperfect.
  • They want to know all about you and your life but do not share much about themselves.
  • They ask you to receive money or items and transfer them on their behalf.

Romance scammers prey on people who are vulnerable. Victims who become mules, whether knowingly or unknowingly, are highly traumatized and embarrassed. More often than not, these scams will go unreported.

Lottery and Inheritance Scam Mules

Lottery and inheritance mules usually fall prey to a lottery or inheritance scam. These types of scams inform the victims that they have won a lottery or sweepstakes or are set to receive an inheritance from an unknown deceased relative. Fraudsters or mule herders initiate these scams through a number of ways, such as email, telephone, letters, faxes and social media. Once victims respond to their communications, the fraudsters will then require proof of identity to facilitate the payment transfer. In reality, the fraudsters are gathering information to potentially steal the victim’s identity. Next, the fraudsters will mention legal issues, taxes, insurance, probate fees or delivery costs. These scams are a form of the advanced fee scams, though the difference is that these fraudsters are using the victims as unsuspecting money mules.

Fraudsters do this by offering to assist potential money mules with paying the fees mentioned above. They inform the victims that the payments are coming from legitimate clients, but they are normally from other victims’ accounts. The fraudsters will then wire funds into the victim’s account; on rare occasions, they will use stolen or counterfeit checks. Once the victim has received the funds, he or she will be instructed to keep a portion and send the rest to another account, effectively turning the victim into a money mule.

According to the Long Island Press, an elderly U.S. couple in Raleigh, North Carolina, were informed that they had won an international sweepstakes. The fraudsters requested fees in advance, and the couple agreed. Soon after, more and more sweepstakes mailers came in, and the couple kept engaging the fraudster, believing they were winning. Once the couple was deep in debt, the fraudsters offered to hire them as representatives for the Canadian sweepstakes company. Large sums of cash began to arrive at their home, where they would repackage them and mail them out. They would receive commissions for their work as their payment. The couple’s children eventually became suspicious and enlisted the help of federal authorities.

In other cases, the victims themselves became knowing money mules in order to recoup some of the funds they lost. In these cases, the victims fall prey to advance fee funds of the inheritance and lottery scams. The fraudsters or mule herders then work out a deal with the victim to get them some of their money back.

For example, a 74-year-old U.S. woman living in Georgia is facing felony money-laundering and theft charges after she allegedly fell prey to a Jamaican lottery scam, according to WSBT. After she lost so much money, the fraudsters offered her a deal. She could work as a mule for them, and they would help her get her money back. The victim was so desperate that she agreed, thus moving from victim to perpetrator.

Money mules are an old concept. For decades, they have played an important role in fraud and money laundering. Unknowing mules are typically vulnerable individuals who are preyed on through romance, lottery and inheritance schemes, often through dating or other social networking sites.

Read the white paper: Prevent phishing success with cognitive fraud detection

More from Fraud Protection

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today