The Mule Trade
Posted by Gunter Ollmann on July 31, 2007 at 12:39 PM EDT.

99.9 percent of the online world knows what spam is, and I’d guess that around half of them know what phishing is. But how many know what a mule is?

Whatever this lowly figure is (which I’d guess to be less than one percent), I’d postulate that there are probably more people who are mules than there are those who know what a mule actually is.

What’s a Mule?

In the world of phishing, a mule – or money mule, to be more precise – is the person who does the leg work (or should that be donkey work?) of transferring the money from a phished bank account to a foreign bank account.

Most retail banking Web sites now prevent (or place restrictions upon) international electronic transfers – which means that criminal can’t simply log in to a bank account using the credentials of their phishing victim and transfer all the money to a bank account in Egypt or the Cocos Islands.

What’s a phisher to do? Simple, recruit some mules who have their accounts with the same phished bank and get them to transfer the money through international money grams back to you.

Mule Recruitment

Have you ever received an email or visited a Web site that promoted two or more of the following enticements?

• Earn $2000-$3000 per week working from home…

• Only requires 1-3 hours of availability per day…

• Work as a ‘Financial Agent’…

• Combine it with your full-time work…

• Must have a bank account in the USA, UK, Germany, Canada, …

If you have, then you’ve probably stumbled on a mule recruitment scam. Potential mules are solicited through enticing spam messages offering most of these things.

To actually become a mule, all you need to do is have an account with one of the banks the phishers have stolen multiple identities from – whereupon they’ll transfer funds in to your account, which you’ll then forward to an account (or person) of their choice. As part of this process, you’ll keep a fraction (typically 10 to 15 percent) as your "commission."

Welcome to the world of mules – or "money laundering" as it’s more classically known. And, before you ask, yes – being a mule is illegal.

A New Crime?

So, is this some kind of "new" crime? No – it’s been around for several years now, but so few people know about it.

Many people assume that once the phishers have stolen a bunch of identities they just log in and take out all the money. The process of stealing these identities is in reality only the opening scene for an international money laundering process.

Unfortunately, with increasingly regularity, it’s some unsuspecting college student or recent retiree who gets nabbed as part of a phishing syndicate – having thought they were working for a legitimate business.

The International Part

What does an international mule recruitment drive look like? Well, a couple of months ago, I prepared a presentation on this subject for a technical crowd of IBM ISS partners and resellers. In it, I dissected a handful of phishing and mule recruitment solicitations and their corresponding Web sites. Even to this audience of security experts, there were a lot of surprises in just how international these crimes have now become and how certain countries are repeatedly exploited by these criminal gangs.

In fact, I surprised myself with the research, too. I had merely grabbed a handful of random phishing and recruitment e-mails out of my own spam folder, and many certain registration tactics and contacts kept reappearing – it was spooky.

As luck would have it, I’ve updated it and recorded it as a webinar and it is now available online. (Regretfully it’s not my best performance – this was my first time recording in to a microphone without any interaction from an audience – and that’s tough!)

The IBM Web Site

Actually, it was less "luck" and more "last minute scheduling" than anything else. Someone on the ISS marketing team managed a coup and got the subject of phishing plastered all over the front page of the IBM Web site this week. Which consequently meant that I got called in to help supply the technical stuff. But that now means you can view the presentation on international phishing and mule recruitment directly via the IBM site, along with my updated whitepaper, "The Phishing Guide."

Actually – if you want to be really helpful and make sure we get more security themes on to the IBM Web site in the future, tell everyone you know to visit the page this week. In fact, hit F5 a few dozen times while you’re there to drive up the stats :-)


If you’re after some additional information on mule recruitment and want to see more samples of what the solicitations look like, I’d recommend you visit

If you’re also wondering whether ISS provides protection against mule recruitment, the answer is yes. The content filtering technologies we use automatically classify these sites as "Recruitment" – so block/filter that category. The e-mail solicitations themselves are typically stopped by the standard arsenal of anti-spam protection.

And finally, a little word of anti-mule advice. If it sounds too good to be true – it probably is.

    Copyright 2001-2007 © Gunter Ollmann