A number of people have asked me to explain how the mule scam works.

Mule scams are named after the drug mules used in drug smuggling.  The basis of the scam is that criminals need to transfer money they have fraudulently gained from Phishing scams etc. to their own bank accounts.  The criminals need this to happen in such a way to leave no trace back to them.  

The criminals send out emails looking to recruit people to act as agents for a legitimate looking company.  These emails look like legitimate job ads and often link to a website that also looks legitimate.  Indeed in some cases the emails can link back to the web sites of real companies.

The “job advert” is looking for people to act as agents for the company and to process transactions on the company’s behalf.  The potential employee could be given a scenario where they are told they will be collecting money from customers and forwarding that money by wire transfer to the “hiring company’s” account.  All potential employees need to have is an email address and a bank account.  Money from “customers” is transferred into the “employee’s” bank account and the “employee” then transfers that money, minus a commission, to the criminals bank account or most likely via Western Union.  The first thing the employee knows about the scam is when the police call at their door.

Not only should you be aware of this scam on a personal level, but if you are responsible for the information security of your organisation you need to determine what level of reputational risk your organisation faces with regards to this scam.  Questions to consider include;

1. Does your company profile increase the risk?
2. Do your company’s services or products make it easy and attractive for someone to use them to promote this scam?
3. Are new websites being set up with similar domain names to your organisation’s and does the look and feel of these sites mimic your own? 

Once you have determined the risk you should also ensure you incident response plan is updated with how to deal with this type of issue should your organisation be used as part of a mule scam.

This has already happened to an Irish client of BH Consulting and whom we helped deal with the issue, so be aware of the problem and be prepared to deal with it if needs be.