
Comments (11)

  1. Brian Krebs

    With all due respect, arguing that money mules are the victims, and that those robbed with the help of money mules are made whole by their banks, is a laugh. I haven’t yet read the article that forms the basis of this blog post (I will next), but the Microsoft researcher betrays his utter lack of understanding of who these mules and criminals are targeting. It’s not consumers for the most part: It’s small to mid-sized businesses. There are millions of these mom and pop shops in the United States and elsewhere, and many of them are learning the hard way every week that one virus infection can ruin their business. Why? Because in the U.S. at least, banks are not liable for losses on corporate accounts due to cyber fraud. That liability rests with the business. Anyone who wants to learn more about the real situation on the ground with these money mule attacks should spend a few moments reading the stories of more than 75 companies I have profiled over the past two years that have lost tens of millions of dollars at the hands of money mules. They’re available at my site, and click the Target: Small Business category on the right hand side.

  2. Anonymous

    Haven’t read it just yet. Any information in the study or from the FBI on threats made to mules’ selves and families if they quit? Anything about the reasons for busted immigrant mules returning to “muling” a couple weeks later in the US? These incidents are documented, but don’t seem well investigated. That would shed some light on the situation too.

  3. Anonymous

    Regardless of culpability and mitigation, it appears that the mules are key to the whole process.  Stop/inhibit them, and you greatly minimize the harm that can be done to bank accounts of either individuals or small businesses.  In addition, the banks could do a better job on their end via more “intelligent” back-office procedures/software.


  4. David

    I believe there is a substantial difference between being reimbursed the money you may have lost through fraud and being “made whole”.

    Ask anyone who has been through the process of closing accounts, opening new ones, changing automatic transactions and then dealing with the things they never thought of that come up.  Then never quite feeling secure with the daily dealings in life.  Nope, the money is only part of being “made whole”.


  5. Cormac Herley

    The paper is the first link above, free and in the clear.

    Well, you say that I betray an utter lack of understanding for what’s going on and yet you acknowledge not having read what I wrote. That’s pretty half-cocked. My paper explicitly limits its scope to password stealing attacks on the bank accounts of US consumers. Perhaps you don’t find that interesting, but that’s what the article is about. I’m well aware that Reg E protections do not extend to businesses, and stress it several times. However US consumers are covered, and a mule who receives a fraudulent transfer and initiates a good one is left holding the bag if reversal is successful. Not sure I would term that a laugh.

    I don’t quite understand the suggestion that mules are being replaced by prepaid debit cards. At least in the consumer space I don’t think getting a prepaid debit armed only with the account password is easy.  At least I don’t see that as an option when I log in to online banking.

    Anyhow, if you still feel I betray an utter lack of understanding after reading the paper, happy to continue the discussion.

  6. Anonymous

    While the small to mid-size businesses pay the toll for the fraudster and their mules on business account fraud, it is the banks that pay the considerable toll for the fraudster taking advantage of personal accounts. Regulation E protects the personal/household accounts, so when a fraudster runs amok with the targeted debit cards (and credit cards), the bank makes our customers whole and we sustain the loss.  If we are able to find out who the fraudster is (not that often) we rarely see the funds returned to the bank – the fraudster is long gone and the money mule does not have 2 nickels to rub together, but they may have a huge big screen TV and plenty of bling that they received as part of their bounty, so we all lose.  Due to these sizeable losses the banks sustain, we just get yelled at about the fees that people have to pay.  While we should protect our customers from liability, the money mules working for the fraudsters do not have my sympathy.  What they are doing is illegal.

  7. Anonymous

    Sorry, I don’t agree.  Those mules who know what they are doing and why they are doing it are engaging in deliberate criminal acts.  They should be prosecuted.  Especially the ones who flout it on Facebook.

  8. Riddle

    It happens all over and over, from the dawn of civilization. Little beasts get eaten by the bigger ones; we can call that the “crime-chain”. Although the fraudsters didn’t directly harm the mules, they used them, for a reason, a good one…

    They aren’t really victims, however, they are just paying for the harm they caused.

    The ultimate victims are the people who lost the money they hardly worked to earn.


  9. Victor Probo

    I think this very blog posting does exactly what the authors wanted. Generalization and splash headlines. The opening paragraphs announce a ‘startling conclusion’ (good headline) without mentioning the strictly limited conditions where that conclusion applies. In the opening paragraph of the original paper (accessed through the link for free) it specifically qualifies this conclusion to “consumers”. At the end of page 5, Mr. Krebs’ work is discussed, and the applicability of the conclusion is weakened (if not severed) in the case of commercial customers.

    But the authors got what they wanted… a big splashy headline, lots of press, based upon non-critical thinking by this blog.
