Money Mules, If it looks too good to be true…

It is a sad state of affairs, but email is still a viable attack vector for the bad guys, and today I wanted to touch on the “fabulous job opportunities” that sometimes arrive in your email inbox.


We know one of the things that malicious actors try to get, when they infect computers with their malware, is credentials, more specifically banking credentials.

This begs the question: what do they do once they have these credentials?

In the past, cyber criminals tried to transfer money directly out of the victim’s bank account and into one that they controlled.

There are distinct disadvantages to this method, as it leaves a clearly visible paper trail, and financial institutions soon started to implement fraud detection flags. If the bank saw Grandma transferring her life savings to a bank in Romania, they started treating that as a red flag for fraud.

Enter the “money mule”.

A money mule is a person who is local to the compromised account, who can receive money transfers with a lesser chance of alerting the banking authorities.

These money mules retrieve the funds and transfer them to the cyber criminal.

When the victim’s financial institution investigates the fraud, they can retrace the funds only up to the money mule, who is left holding the bag and faces criminal charges, while the cyber criminal, residing in a different country, under a different jurisdiction, gets away scot-free.

This would still seem like a fair outcome if the money mule had entered into this proposition knowing what was at stake. Most often they are victims themselves, having been duped into believing that the money transfers were performed as part of a legitimate work-at-home business.

After the muling is up, they are often victims of identity theft as well.

The money mule recruiters are a crafty bunch, and here are some of the tricks they will use:

  • They send job pitch emails, purporting to be from online job search websites such as,, and Although not foolproof, checking the “from” field in emails is always advised.
  • A potential employer will never send emails from a webmail client. Recruiters will never use an address such as Yahoo, Hotmail, or Gmail.
  • Also ask yourself: are you presently looking for employment, and have you recently used the sites that the recruiter is using in this correspondence?
  • Both the examples I provided have pages describing such fraud.

The job pitches sometimes have typos.

  • Legitimate job offers will almost never have typographical errors.

The common wisdom has been that the job application questionnaires, supporting websites, and employment contracts used by fraudsters contain typos because they are fakes and shoddily constructed, but some have postulated that these errors are intentional.

The reasoning is that a potential victim who cannot recognize that something is amiss, despite the presence of typographical errors, will make an even easier mark.

If you coincidentally happen to be seeking employment when you receive these job offers, here are some positions that should raise suspicions:

  • Financial Manager
  • Private Financial Receiver
  • Financial Agent
  • Private Financial Broker

All of the “positions” have one thing in common. They require you to use your personal banking account to conduct business. This should be a huge red flag.

A legitimate employer will never ask you to use your personal bank account as part of your employment.

The job involves money transfer business. (Western Union, Cash Sender, MoneyGram, etc)

  • Any employment that involves money transferring services should also be a huge red flag. While money transferring services such as Western Union are not illegal in and of themselves, a business that relies on such a service for the employee to retransmit funds is almost certainly fraudulent.
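
The red flags listed above can be checked mechanically as a first-pass mail filter. The following is an added example, not code from the original article; the function name `red_flags`, the sample messages and the personal-account pattern are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from the article's red-flag lists.
WEBMAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com"}
MULE_TITLES = ("financial manager", "private financial receiver",
               "financial agent", "private financial broker")
TRANSFER_SERVICES = ("western union", "cash sender", "moneygram")
# Assumed wording for "use your personal bank account" (constructed pattern).
PERSONAL_ACCOUNT = re.compile(r"\b(?:personal|your(?: own)?) bank(?:ing)? account\b")

# Constructed sample messages, not real mail.
SAMPLE_PITCH = """From: "HR Dept" <careers.desk@hotmail.com>
Subject: Financial Agent position, work from home

We are hiring a Financial Agent. You will receive payments into your
personal bank account and forward them via Western Union.
"""
SAMPLE_BENIGN = """From: Talent Team <talent@example.com>
Subject: Interview for Systems Administrator

Thanks for applying through our careers page. Are you free Tuesday?
"""


def red_flags(raw_message: str) -> list[str]:
    """Return the article's red flags that a raw email message trips."""
    msg = message_from_string(raw_message)
    flags = []
    # The From header is trivially spoofed, so this is a hint, not proof.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in WEBMAIL_DOMAINS:
        flags.append("webmail sender")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart is skipped
    text = re.sub(r"\s+", " ", f"{msg.get('Subject', '')} {body}".lower())
    if any(title in text for title in MULE_TITLES):
        flags.append("mule job title")
    if any(service in text for service in TRANSFER_SERVICES):
        flags.append("money transfer service")
    if PERSONAL_ACCOUNT.search(text):
        flags.append("personal bank account")
    return flags


if __name__ == "__main__":
    for name, raw in (("pitch", SAMPLE_PITCH), ("benign", SAMPLE_BENIGN)):
        print(name, red_flags(raw))
```

A message that trips none of these checks is not thereby legitimate; the flags only prioritize mail for a closer look.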

Spotting that your potential employer is fraudulent is getting more difficult, as we are seeing turnkey money mule recruitment website templates offered on criminal forums.

We have heard of lengthy phone interviews, and legitimate looking questionnaires, all designed to reinforce the illusion that the employment offer is genuine.

Here are the key points to take away:

Unsolicited job offers coming via email will not end well.

Offers that require you to use money transferring services will also not end well.

If it looks too good to be true, it probably is.


Jean Taggart

Senior Security Researcher

Incorrigible technophile who loves to break stuff and habitually voids warranties.