Money Mules, Not Customers, The Real Victims of Bank Fraud

Money mules – the accomplices who help move stolen funds – may be the real victims of online banking scams, not the bank customers who are the ostensible targets of fraudsters, according to new research from Microsoft.

Money mules – the accomplices who help move stolen funds – may be the real victims of online banking scams, not the bank customers who are the ostensible targets of fraudsters, according to new research from Microsoft.

In a paper that turns conventional thinking about online banking crime on its head, researchers at Microsoft argue that it is the mules – the witting or unwitting accomplices of the fraudsters – who are the real victims of account takeover scams, not the owner of the account that is raided.

“Money mules are not merely unwitting accomplices, they are the true victims in credential theft fraud,” wrote the researchers, Cormac Herley and Dinei Florencio of Microsoft Research.

Their paper, “Is Everything We Know About Password-Stealing Wrong” appears in the latest issue of IEEE Security and Privacy Magazine.

In it, Herley and Florencio argue that U.S. laws that indemnify victims of banking and credit card fraud change the calculus and economics of online fraud. Victims whose accounts are raided, they note, are made whole again by the bank or credit card company.

Mules, on the other hand, are not victims of fraud. Instead, they participate in it: receiving stolen funds into a legitimate account they own, then quickly forwarding those funds to the criminals responsible for the crime in exchange for a small commission.

Unlike the victims, mules are not protected by anti fraud laws. Unlike the criminals, they are not off shore and beyond the reach of the banks or law enforcement. Further, as banks and other financial institutions have gotten better at tracing account takeover scams and reversing charges, it is the mules who pay the price: having funds extracted from their account to make the victim whole, assuming such funds are available.

“The thief is really stealing from the mule, not the compromised account, though that fact does not become clear until the dust settles,” the researchers write.

Herley has made a name for himself turning conventional wisdom about online crime on its head. He has challenged estimates about the size of the underground online economy as ridiculously inflated. Such estimates are based on merely the presence of sellers, not records of actual transactions. He has written critically about the utility of cyber crime surveys which he said “are so compromised and biased that no faith whatever can be placed in their findings.”  Passwords have also been a regular focus of his work. In a paper on the use of statistical guessing attacks to defeat passwords, Herley and two co-authors: Stuart Schechter of Microsoft Research and Michael Mizenmacher of Harvard University argued that many features to force the creation of strong passwords actually result in users picking passwords that are easy to guess or crack.

In his latest research, Herley and his coauthors tap much of that early work and suggest that concentrating security investments on passwords to secure online banking sessions probably doesn’t do much to reduce online banking scams, given the realities of the cut throat cyber crime marketplace.

Knowing the customer’s password, they argue, is just the first step in emptying their account and is of relatively small utility. That, Herley and his colleagues say, explains why fraudsters get just pennies on the dollar for credentials in online bazaars. “Why would anyone sell the credentials that unlock an account with a $5,000 balance for $5,” they ask. “It makes a lot more sense if emptying accounts is hard and stealing passwords is merely the first step in a difficult and error-prone process which only occasionally succeeds,” the authors wrote.

It follows, then, that merely making passwords harder to steal won’t do much to stem online banking fraud.

“If a large lake of credentials is drained by a narrow pipe of mules, then reducing the inflow to the lake might have no effect on the net harm done,” they wrote. 

Rather than focus on authentication, banks and financial services, as well as law enforcement, might do a better job staunching online banking theft by focusing, instead, on better back end fraud detection to make it harder to empty accounts, or on the mule recruitment process, to cut off access to the key middle men and women who are needed to move actual money into accounts under the attackers control.

Online criminal groups have gone to great lengths to recruit mules in recent years. Social networks like Facebook, MySpace and Twitter have all been used to recruit individuals willing to let their bank account be used to receive a transfer from an illegal account, then forward it along. In turn, the FBI has said that it was going to be stepping up efforts to crack down on money mules.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.


  • Brian Krebs on

    With all due respect, arguing that money mules are the victims, and that those robbed with the help of money mules are made whole by their banks, is a laugh. I haven't yet read the article that forms the basis of this blog post (I will next), but the Microsoft researcher betrays his utter lack of understanding of who these mules and criminals are targeting. It's not consumers for the most part: It's small to mid-sized businesses. There are millions of these mom and pop shops in the United States and elsewhere, and many of them are learning the hard way every week that one virus infection can ruin their business. Why? Because in the U.S. at least, banks are not liable for losses on corporate accounts due to cyber fraud. That liability rests with the business. Anyone who wants to learn more about the real situation on the ground with these money mule attacks should spend a few moments reading the stories of more than 75 companies I have profiled over the past two years that have lost tens of millions of dollars at the hands of money mules. They're available at my site, and click the Target: Small Business category on the right hand side.

  • Anonymous on

    haven't read it just yet. any information in the study or from the fbi on threats made to mules' selves and families if they quit? anything about reasons that busted immigrant mules returning to "muling" a couple weeks later in the US? these incidents are documented, but don't seem well investigated. that would shed some light on the situation too.

  • Anonymous on

    Regardless of culpability and mitigation, it appears that the mules are key to the whole process.  Stop/inhibit them, and you greatly minimize the harm that can be done to bank accounts of either individuals or small businesses.  In addition, the banks could do a better job on their end via more "intelligent" back-office procedures/software.


  • David on

    I believe there is a substantial difference between being reimbursed the money you may have lost through fraud and being "made whole".

    Ask anyone who has been through the process of closing accounts, opening new ones, changing automatic transactions and then dealing with the things they never thought of that come up.  Then never quite feeling secure with the daily dealings in life.  Nope, the money is only part of being "made whole".


  • Cormac Herley on

    The paper is the first link above, free and in the clear.

    Well, you say that I betray a utter lack of understanding for what’s going on and yet you acknowledge not having read what I wrote. That’s pretty half-cocked. My paper explicitly limits its scope to password stealing attacks on the bank accounts of US consumers. Perhaps you don’t find that interesting, but that’s what the article is about. I’m well aware that Reg E protections do not extend to businesses, and stress it several times. However US consumers are covered, and a mule who receives a fraudulent transfer and initiates a good one is left holding the bag if reversal is successful. Not sure I would term that a laugh.

    I don’t quite understand the suggestion that mules are being replaced by prepaid debit cards. At least in the consumer space I don’t think getting a prepaid debit armed only with the account password is easy.  At least I don’t see that as an option when I login to online banking. 

    Anyhow, if you still feel I betray and utter lack of understanding after reading the paper happy to continue the discussion.








  • Anonymous on

    While the small to mid-size businesses pay the toll for the fraudster and their mules on business account fraud, it is the banks that pay the considerable toll for the fraudster taking advantage of personal accounts. Regulation E protects the personal/household accounts, so when a fraudster runs amock with the targeted debit cards (and credit cards), the bank makes our customers whole and we sustain the loss.  If we are able to find out who the fraudster is (not that often) we rarely see the funds returned to the bank - the fraudster is long gone and the money mule does not have 2 nickels to rub together, but they may have a huge big screen TV and plenty of bling that they received as part of their bounty, so we all lose.  Due to these sizeable losses the banks sustain, we just get yelled at about the fees that people have to pay.  while we should protect our customers from liability, the money mules working for the fraudsters do not have my sympathy.  What they are doing is illegal.

  • Anonymous on

    Sorry, I don't agree.  Those mules who know what they are doing and why they are doing it, are engaging in deliberate criminal acts.  They should be prosecuted.  Especially the ones who flout it on FaceBook.

  • Riddle on

    It happens all over and over ,from the dawn of civilization . little beasts get eaten by the bigger ones , we can call that the "crime-chain" . Although the fraudsters didn't directly harm the mules ,but they used them, for a reason , a good one...

    they aren't really victims,however, they are just paying for the harm they caused .

    The ulitmate victims are the people who lost the money they hardly worked to earn.


  • Victor Probo on

    I think this very blog posting does exactly what the authors wanted. Generalization and splash headlines. The opening paragraphs announce a 'startling conclusion' (good headline) without mentioning the the strictly limited conditions where that conclusion applies. In the opening paragraph of the original paper (accessed through the link for free) it specificly qualifies this conclusion to "consumers". At the end of page 5, Mr. Krebs' work is discussed, and the applicability of the conclusion is weakend (if not severed) in the case of commercial customers.

    But the authors got what they wanted... a big splashy headline, lots of press, based upon non-critical thinking by this blog.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.