In an in-depth analysis of how money mules operate, Paul Ducklin, Sophos' head of technology for AsiaPacific, says that electronic transfers into the mule's bank account are cancelled when the originator realises a fraud has taken place and contacts their bank.
But, he adds, the manual online transfers that the money mule sends to the cybercriminals cannot be cancelled, so leaving the mule significantly out of pocket on the transactions.
"It will take about a month for the bank or the victims whose accounts have been siphoned off into yours to report you to the cops. Of course, the cops will come knocking to ask you to explain and to justify the legality of all the deposits into your account from the various purchase orders – which you will be unable to do", he said in his latest security blog.
"And the bank and the cops will notice that you are not exactly an unwilling participant, since you'll have collected your commission every time", he added.
But says Ducklin, it gets worse than being simply out of pocket, as the mule will be under suspicion of laundering money, or at best of being unable to account for their earnings.
"Because the EFTs can be reversed, you will be in the red by 90% of the value of the original deposits – that's the original amount less the 10% commission you kept", he explained.
"Because of the suspicion about your involvement, you are unlikely to keep your ill-gotten gains. That is, to put not too fine a point upon it, exactly what they are", he said.
The end result, says the Sophos researcher, is that crooks keep their 90%, because they can't be traced, since you chose to remit them money as cash.
The authorities, meanwhile, confiscate your 10%, and the rightful owners have their 90% restored.
"The bad news, if you're unlucky, is what comes next: investigation, arrest, criminal charges, arraignment, trial, conviction, sentencing and incarceration", he said.
"You've got to ask yourself one question. Do you feel lucky?"