September 9, 2014 By Steven D'Alfonso 5 min read

Money mules are an important element in the process of cashing out compromised financial accounts. The term “mule” comes from the narcotics trade, where an individual is paid a fee for transporting illicit drugs across the U.S. border. Money mules are different, as there is typically no physical transportation of cash involved. However, in some circumstances, the mule will withdraw cash and provide it to a representative of the criminal group or leave it at a designated drop area.

What Is a Money Mule?

A money mule is an individual who knowingly or unknowingly engages in the movement of illicit proceeds/goods for a commission. Criminal organizations or mule herders recruit money mules in various ways. Most often, they are recruited through online advertisements and spam email for work-at-home and secret-shopper employment schemes. The employment ads usually promote great pay for little work with minimal skills required. Criminal groups also actively seek out candidates that have posted their resumes on career sites such as or These job applicants are often put through an interview and evaluation process that adds legitimacy to the fictitious business offering the position.

Money mules may be knowing (witting accomplices) or unknowing (unwitting accomplices). Knowing mules are fully aware of the scheme in which they are participating. They may normally be upstanding citizens who fell under financial hardship and suspect the activity they are about to engage in is illegal, but they are desperate to get out of their current situation.

Unknowing mules are often older, lonely or otherwise vulnerable adults. These individuals often strike up relationships through online dating sites and other social networking sites and develop strong emotional ties to the fraudster. As a predator, the fraudster cultivates a personal relationship with the victim based on lies. Eventually, the fraudster will ask a favor of the victim that will involve the victim receiving and transferring money or goods.

Whom Do Mule Herders Target?

Fraudsters seek out a few different types of individuals, such as those who are in on the scheme, the extremely gullible and the financially distressed. The following are classifications for those targeted by mule herders:

  • Tier 1: People in this tier will identify an unsolicited spam email or advertisement touting the potential to work from home, a sizable income, a minimal time commitment and no required skills as suspicious. These people will typically delete the email without reading it or ignore the advertisement.
  • Tier 2: People in this category may have their interest piqued and inquire further about the “opportunity” being presented. Upon further review, they will determine that the offer is suspicious and go no further.
  • Tier 3: People in this tier are the target market for fraudsters. These individuals are extremely gullible and trusting. They may be lonely, older individuals who need companionship and may be easily drawn into a scheme through romance. They tend to be more easily persuaded and misled than younger people. Individuals in this tier will also view a fraudulent work-from-home scheme without suspicion and believe they have found a great opportunity.
    • The Extremely Gullible: These individuals are often the target of romance and lottery scam frauds. Mule herders/fraudsters often find these individuals on dating websites and online social forums. Their desire for companionship leaves them vulnerable. The relationship will be cultivated over several months to gain the victim’s trust. Additionally, these individuals implicitly trust scam emails and websites that contain offers of substantial earnings for little work.
    • The Financially Distressed: High, long-term unemployment in the United States and other countries has left some people desperate for income. Individuals who are financially distressed may be grasping at straws to make ends meet. The prospect of making several thousand dollars each month on a part-time, work-from-home basis is too tempting for some to pass up. Many likely suspect they are involved in a scam but believe they have nothing to lose. Investigative journalist and blogger Brian Krebs interviewed more than 150 money mules and found that many opened new accounts, separate from their regularly used accounts, because they knew there was a possibility they were entering into a scam.

  • Tier 4: People in this tier are full-knowing mules, otherwise known as professional mules or mules for hire. They are either working in unison with criminal organizations or being forced to commit the fraud against their will in a trafficking or debt situation.
    • Insider Threat: The “insider” applies to a knowing mule situation. In the past, the term “insider” referred to a regular employee, but the way businesses are run today means a larger group of people now represents the insider. Full-time employees, temporary employees, contractors and vendors are now included. Many people are now privy to proprietary company information and understand their systems. This opens organizations up to a larger amount of risk.

Most people fall into Tier 1 or Tier 2, while mules fall into Tier 3 and Tier 4.

The selection process is a low-cost numbers game. Sending out thousands of spam emails and hoping a few people will respond is not a substantial investment, and it is free to advertise on sites such as Craigslist. The recruitment process is continual because mules are often used just once and must be constantly replaced. The economic recession has certainly aided fraudsters by increasing the number of financially troubled people.

Great Britain and the eastern United States are key target areas. The time zones are compatible with Eastern Europe, which is where many cybercriminals operate. There have been money mules in the western United States, but they are relatively rare compared to the east. Open source reports indicate that Singapore and areas within India have become popular with Nigerian rings over the past few years. In November 2013, the Singapore National Crime Prevention Council announced that through nine months of 2013, the police investigated 133 money mule cases compared to just 93 for the full year of 2012.

Effects for Financial Institutions

The following are several potential negative effects that money mule schemes have on financial institutions (FIs) related to financial losses, regulatory fines and reputational harm:

  • Fraud: Money mules are just one part of a wider cybercrime scheme to defraud FIs and their customers. Because many banks have zero-liability policies related to customer online banking, the FIs typically absorb the losses.
  • Money Laundering: The specific actions taken by money mules to transfer or transport money to fraudsters are money-laundering transactions. FIs in the United States, United Kingdom and other countries have faced increased regulatory scrutiny related to money laundering activity over the past decade. FIs are expected to have a robust money-laundering program and know-your-customer policies and procedures in place. Anti-money-laundering noncompliance regulatory fines can be substantial.
  • Reputation Risk: FIs face damage to their reputations if they are caught up in a widespread money mule syndicate or are frequent targets of money mules due to weak account-opening controls. FIs may suffer a lack of confidence on the part of consumers from activity publicized in the popular press. Conversely, FIs with strong fraud and money-laundering-monitoring systems and advanced analytical tools may be able to enhance their reputation by identifying money mule rings and fraud activity and assisting law enforcement and prosecutors with investigations and successful convictions.


The concept of the money mule is not new. They have played an important role in fraud and money laundering for decades. Individuals who receive and transfer money or merchandise to third parties are mules that are needed to help clean or launder stolen money or goods. Some mules know, some don’t, some suspect they are part of an illicit scheme and some are professional mules who offer their services for hire.

Money mule transactions represent a serious financial crime threat, particularly money laundering, for which FIs may be subject to punitive fines. The Federal Deposit Insurance Corporation offers the following red flags that may indicate money mule activity:

  • A deposit account opened with a minimal deposit soon followed by large, electronically transferred deposits
  • Deposit customers who suddenly begin receiving and sending electronic funds transfers (EFTs) related to new employment, investments, business opportunities or acquaintances (especially opportunities found on the Internet)
  • A newly opened deposit account with an unusual amount of activity, such as account inquiries, or a large dollar amount or high number of incoming EFTs
  • An account that receives incoming EFTs, then shortly afterward originates outgoing wire transfers or cash withdrawals approximately 8 percent to 10 percent less than the incoming EFTs
  • A foreign exchange student with a J-1 Visa and fraudulent passport opening a student account with an active volume of incoming and outgoing EFT activity.

These red flags can be incorporated, along with other indicators, into a comprehensive financial crime strategy to help detect suspicious activity indicative of money mules.
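As an added illustration (not code from this article or from the FDIC), two of the red flags above can be expressed as rules over an account's transaction history. The record layout, transaction type names and every threshold except the 8 to 10 percent difference are assumptions chosen for the sketch, and the sample accounts are constructed.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumed thresholds: the red-flag list gives no numbers except 8-10 percent.
MIN_OPENING = 100.00          # "minimal deposit"
LARGE_EFT = 2_000.00          # "large" incoming EFT
SOON = timedelta(days=14)     # "soon" after account opening
SHORTLY = timedelta(days=2)   # "shortly afterward"
SKIM = (0.08, 0.10)           # share of the incoming EFT not sent onward

class Txn(NamedTuple):
    when: datetime
    kind: str       # assumed labels: "EFT_IN", "WIRE_OUT", "CASH_OUT"
    amount: float   # positive amount in account currency

def red_flags(opened, opening_deposit, txns):
    """Return the set of red-flag names raised for one account."""
    flags = set()
    incoming = [t for t in txns if t.kind == "EFT_IN"]
    outgoing = [t for t in txns if t.kind in ("WIRE_OUT", "CASH_OUT")]
    # Red flag: minimal opening deposit soon followed by large EFT deposits.
    if opening_deposit <= MIN_OPENING and any(
            t.amount >= LARGE_EFT and t.when - opened <= SOON
            for t in incoming):
        flags.add("small_open_then_large_eft")
    # Red flag: incoming EFT, then a wire or cash withdrawal shortly
    # afterward that is 8 to 10 percent smaller than the incoming amount.
    for inc in incoming:
        for out in outgoing:
            if not timedelta(0) <= out.when - inc.when <= SHORTLY:
                continue
            kept = round(1 - out.amount / inc.amount, 4)  # absorb float noise
            if SKIM[0] <= kept <= SKIM[1]:
                flags.add("pass_through_minus_commission")
    return flags

# Constructed sample accounts (not real data), both opened on day D.
D = datetime(2014, 9, 1)
MULE = [Txn(D + timedelta(days=3), "EFT_IN", 9_800.00),
        Txn(D + timedelta(days=4), "WIRE_OUT", 8_918.00)]  # 9 percent kept
PAYROLL = [Txn(D + timedelta(days=10), "EFT_IN", 2_500.00),
           Txn(D + timedelta(days=11), "CASH_OUT", 200.00)]

if __name__ == "__main__":
    print(sorted(red_flags(D, 25.00, MULE)))      # both flags
    print(sorted(red_flags(D, 500.00, PAYROLL)))  # no flags
```

A single rule such as the opening-deposit check also fires on ordinary new accounts, which is why such indicators are combined rather than alerted on individually.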
