A new security report from Cisco Systems estimates that the amount of stolen online bank account data far exceeds the number of people, known as "money mules," whom fraudsters can get to transfer stolen funds.
A mule is someone who either knowingly helps or is tricked into moving money from a victim's bank account through their own account and then on to a third party, usually located in another country.
Despite increasing awareness of the schemes, which are often advertised as "work-at-home" jobs with generous salaries, many people still get caught up in the frauds.
Cisco said in its 2010 Annual Security Report that the ratio of stolen account credentials -- which can be acquired through phishing or hacking -- to available mule capacity could be as high as 10,000 to one.
Being a mule is a high-risk job, and many are caught. Last year, dozens of people were arrested in the U.S. and U.K. on charges they were part of a large gang that stole money from bank accounts using a sophisticated piece of malware known as the Zeus program.
Many of those arrested in both countries were from Eastern Europe. In the U.S., many had gained entry to the country on J-1 nonimmigrant visas, often granted to visiting students.
Those running the scam will often use a mule only once, since authorities are likely to shut down the mule's account quickly. The money is transferred from the victim's account to the mule's account, and the mule is then instructed to quickly withdraw the money and send it on by either a wire transfer or an ACH (Automated Clearing House) transfer.
The ACH system is used by financial institutions for exchanging details of direct deposits, checks and cash transfers made by businesses and individuals. It can be used to send very large sums of money, which are difficult to recover once the money makes it to an account, for example, in the Ukraine.
If banks detect the fraud, the institutions can try to reverse the transfer, but it is "not a quick and easy process" to initiate, Cisco wrote in its report. The reason is that if a fraudster has started to withdraw some of the money, the reversal won't work.
"The appropriate thing for the bank to do is to keep trying with progressively smaller amounts until it succeeds in recouping at least a portion of the stolen money," according to Cisco's report. "However, many banks are not sophisticated enough to do this, and the money is lost."