Who is a money mule?

Online frauds are really easy to do. A scammer needs to put an item on sale, get the money and disappear. But wait – if he got the money, his identity is known to the bank, right? Right. But that’s why scammers often look for people who become money mules.

Then, police will track down the Mule, while the bandit’s identity stays hidden.

Awesome job offer

One of the most common ways of getting a victim’s identity and sensitive data is by proposing a really nice job offer. A nice job offer means a good salary and next to no requisites.

These offers vary a lot – from straightforward offers to becoming a middleman on the e-commerce platforms to regular jobs. Regular job offers are usually aimed at younger users, with no experience. Those include cleaning services or manual work abroad. Work is offered in other countries to explain higher than regular wages. Usually, those offers have some drawbacks which aren’t really bad for students or juveniles but still may justify good payroll.

Be a man in the middle

Man in the middle is a term for an attack type when someone captures and modifies communication between two subjects, i.e. victim and her or his bank. In this case, however, it refers to really becoming a middleman for the scammer. Job is offered to publish online auctions and sell offers from the “employee” account. Scammers usually say that it is a temporary situation and it’s required during the trial period. Victims publish good, bargain offers, usually on electronics – phones, and consoles.

Those are little below market prices and are selling quickly. The employee then gets money in her or his bank account and transfers most of it to the scammer’s “employer”. He leaves a small part as his “payment”. After some time the employee gets mocked by other victims, who – of course – didn’t get any ordered products. Employers disappear and are usually hard to track.

Despite the crude approach, it is still a common technique used by scammers.

A variation of this attack is “financial service tester” where you are asked to test payments. This works the same, you get money from the victim and send it to the scammer.

Give me your bank account, please

Kevin Mitnick said – how do get someone’s password? Ask for it. This unfortunately aged very well. In this case, a job offer is usually physical work. It’s paid well, not very hard and you can start right now. Actually, right after you confirm that you are you, maybe by making a small 1$ or even 0,01$ transfer, so we’re sure who we’re hiring. Sounds good, doesn’t it? Well, it’s not.

When you make that payment it is very prone, that you have just confirmed the creation of another account on your Identity that only the scammer “employer” has access to. Now, scammers have an account that might be almost safely used in further scams.

There is also a variation of this attack, where the goal is to make a new bank account by the victim. It isn’t that harmful, as the victim doesn’t lose any money directly (unless there are fees for a said account). Why would a scammer do so then? He gets provision for a new client registered by his referral link. Those tricks are of course forbidden by the banks and if the attacker gets caught the bank will react very fast.

I have nothing important on Social Media

Social media is a great medium. In recent years privacy settings have improved greatly, so a lot of risks are reduced. It is still good not to show your new TV with your address and some days later announce that you’re leaving for a few weeks. But still – there is a great improvement and most probably no one unwanted notices that information. 

People used to think there is no value in their social media – there are just photos, shared links, and other stuff like that. But there is a huge value – it’s family and friends. 

Scammers may get to our social media accounts in a variety of ways. It might be a phishing link on the mail, it may be a virus, a keylogger, or a brute force attack. Often accounts are attacked by using leaks from other pages. That’s why it is important to use different passwords for each service.

However the scammer gets to your account, he usually will ask your friends and family for some amount of money, saying that you have no phone and need to pay for medicine or a ticket. How many of your friends would try to help you? Would all of them contact you by other means, to confirm the situation? 

The second option is to put some things for sale from your account and quickly collect as much money from buyers as possible.

As you see, taking even temporary access to your account might end with significant money and even friendship loss.

Accounts taken permanently are also used to validate selling scams and scammer pages.

How to protect yourself against scammers?

There are some measures you can take to protect yourself from such an attack. Excluding yourself from the online presence is one way, but in fact, it won’t prevent the thief from creating a profile on your behalf and targeting your friends. Most banking is also online so it is not a feasible solution. What to do then?

A rule of thumb is that offers too good to be true usually aren’t true.

When applying for a job it is good to do basic company screening.

• Companies House in UK  https://www.gov.uk/,
• Company register in Germany  https://www.unternehmensregister.de/ureg/index.htm
• Edgar, Company Filings in the US https://www.sec.gov/edgar/searchedgar/companysearch.
• In Poland you may use the rejestr.io site, it is good to check the judicial registrations of the companies. 

It is also good to contact someone using the official company site to validate a job offer. It is common for scammers to use real companies’ names in their advertisements which of course companies are unaware of. 

Using a password manager is always a good practice. It provides three main benefits:

1. Generated passwords are complex and safe
2. Passwords are different for each site
3. You don’t need to remember or even see them.

That prevents a domino effect when i.e. your email gets compromised. Also, it renders your account impervious to dictionary attacks.

Even after accepting the job, never put any item you don’t control and don’t know its origin on an online sale. You must be sure the item exists and isn’t stolen by any means. If you made that mistake but didn’t transfer the money – you still may contact the police and return the payments. This probably will free you of charges. 

Never under any circumstances retrieve cash on your behalf and give it to a scammer. That will make you the last person which may be connected to the payment by the bank and it will be impossible – or really, really hard to provide evidence that you are also a victim, not a thief.

Keep in mind that this doesn’t always require your personal presence at the ATM! Such a thing might be also done i.e. by a one-time code. Some services are treated like personal action, i.e. Blik in Poland. Those codes shouldn’t be shared with anyone!

If you need to send a scan of your document for any reason over the Internet it is good practice to put a watermark across it stating who is a receiver and what was the reason. That will make unauthorized use of your document a bit harder.

Conclusion

There are a variety of identity theft attacks. Some may end up with a minor loan from your friends, others will clean your bank account, some will make you unaware of the money mule and others will take bank loans on your behalf. 

Always make a basic screening for applying for a job, use different passwords for different accounts, and never sell anything to someone else. Watch out for any job that makes you a middleman without good paperwork and skip any that requires you to use your own account. 

The world economy is going towards a crisis and a lot of entry-level jobs are being replaced with robots (like self-service in fast food or markets), so young people looking for a job are now especially vulnerable. Keep safe!

If you want to protect your eCommerce against fraud check on the Subuno Fraud Prevention Module for Magento a tool we recommend for Magento eCommerce. The truth is you protect this way not only your business but also your clients.