It All Comes Out in the Wash: The Most Popular Money Laundering Methods in Cybercrime
There are many ways in which a criminal can illegally acquire money electronically. Whether it’s through malicious malware, phishing, vishing and smishing scams, account takeovers or other vectors, a commonality across all these attack methods is that fraudsters will need to move the illicit funds fast to avoid being caught and have the sum confiscated.
This is where the three stages of money laundering come into play, according to the United Nations Office on Drugs and Crime (UNODC): placement, layering and integration. In traditional money laundering schemes, the placement of funds begins when dirty money is put into a financial institution. When funds are stolen online through digital transactions at financial institutions, the process immediately jumps to layering.
This is done in three main ways:
- Moving funds within the financial system;
- Moving funds into unregulated financial e-cash systems; and
- Removing funds from the financial system altogether.
Moving Funds Within the Financial System
Moving funds within the financial system generally only occurs with very large sums of money. Some of the most common methods for this include the use of:
- Offshore accounts;
- Anonymous shell accounts;
- Money mules; and
- Unregulated financial services.
Individuals can transfer stolen funds into an offshore account in a locale where bank secrecy laws are very strict. These countries and territories are often referred to as tax havens.
Financial institutions, trusts, shell corporations and other financial groups in these regions may welcome money from almost anywhere and often do not require disclosure of information regarding where the money originated from. In turn, these institutions do not file any reporting back to the country in which the funds were generated.
Anonymous Shell Accounts
A shell company, bank, account or corporation is an entity that conducts no real business. It is essentially a cover used to hide and move funds. The purpose of these accounts is to deceive others into thinking the business is legitimate while laundering money and evading taxes.
According to the Federation of Tax Advisers, shell accounts “conceal the identity of the beneficial owner of the funds, and the company records are often more difficult for law enforcement to access because they are offshore, held by professionals who claim secrecy, or the professionals who run the company may act on remote and anonymous instructions.”
A money mule is a person who receives and transfers funds acquired illegally for others. Most mules receive a commission for their efforts.
When bank accounts are compromised by cybercriminals and international organized crime groups (OCGs), money mules are an essential part of moving victims’ money through the financial system and assisting criminals in cashing out the compromised accounts.
Unregulated Financial Services
Unregulated entities may offer a variety of services that can be applied for criminal purposes. Many things fit into this category, such as:
- Electronic Money: Stored-value cards allow electronic money to be put onto the card directly and then used to purchase goods and services.
- Casinos: In recent years, the Financial Crimes Enforcement Network (FinCEN) placed regulatory requirements on casinos due to the large sums of money and high frequency of transactions at these establishments. Not every country and territory follows these guidelines, however, allowing savvy criminals another pathway to move their illicit funds. A recent example of this is a Bangladesh bank heist where cybercriminals targeted the SWIFT system to move money before extracting it through a casino in the Philippines.
- Underground Networks of Money Dealers: This refers to conduits through which money is transferred via informal methods. These underground systems can be used for legitimate remittances but are also used for money laundering, criminal activity and terrorist financing.
Preventing Money Laundering
Financial institutions have attempted to stop this type of criminal behavior through Customer Due Diligence (CDD) and Beneficial Ownership regulatory requirements. These requirements call for the identification of the true owner of an account to stop the abuse of anonymous shell corporations.
Mary Beth Goodman, a former member of the National Security and International Policy team at the Center for American Progress, wrote in American Banker that “beneficial ownership rules are actually good for business because they would lead to reduced corruption and increased competitiveness. Beneficial ownership rules reduce risk by allowing banks and other companies to know who they are doing business with and minimize their financial exposure to others’ misdeeds.”
These rules may be difficult to enact and follow; it can be a herculean effort to identify the true owner of a shell corporation or trust. Criminals know this and will purposely shuffle money from one anonymous offshore account to another, moving money through the financial system before it ends up in an account from which it can be withdrawn.
Financial institutions are continuously monitoring their security systems and watching account activity. Through the use of device identification, biometrics, transaction velocity monitors, geographical dispersion and customer behaviors, they are able to flag more attempted fraudulent activity than ever before. Having a systematic approach to financial security and financial crime prevention is essential to address vulnerabilities that fraudsters are eager to exploit.