Cybersecurity highlights: The “money mule” and cybercriminals

Often truth is stranger than fiction.

There is certain conduct that one simply cannot make up. Dubbed the “money mule” in the February 16th U.S. Department of Justice (DOJ) Press Release, a woman from Orange County, California was “charged in a six-count federal grand jury indictment alleging she laundered money directly from fraud victims who were tricked into sending the funds to financial accounts she controlled rather than to the victims’ intended recipients.” Essentially, acting as an intermediary to “carry” funds from the victims to the cybercriminals, just like a “mule” who illicitly acts as a middleman between a drug supplier and a dealer.

The perpetrator was arrested, pled not guilty, paid a $50,000 bond, and has a trial date set for April 11, 2023. Here are some of the key highlights from the court documents:

• Approximately 4 years ago, law enforcement learned that the perpetrator-controlled bank account received a wire transfer of $103,350 from a business email compromise (BEC), which is a scam (also a form of social engineering) that targets entities and persons who perform legitimate transfer-of-funds requests;
• The victim, who is located in the Dallas, Texas metroplex, was duped by cybercriminals using social engineering or malware to impersonate a legitimate person and the funds are diverted to a bank account controlled by cybercriminals;
• May 2019 FBI interview with the perpetrator – 11 bank accounts at seven separate financial institutions were opened within a two year period and was transferring the fraudulent proceeds between the various accounts;
• May 2019 – the perpetrator was issued and signed a “money mule” warning letter;
• July 2019 – April 2021 – despite the warning, the perpetrator allegedly proceeded to traffick the fraudulent proceeds from the fraud victims and received more than $1.8 million into various bank accounts; and
• Once the money was received, it was often promptly withdrawn or transferred into different accounts or converted to cryptocurrency.

In criminal law, a defendant is presumed innocent unless proven guilty beyond a reasonable doubt. If the perpetrator is convicted on all counts, she would face a statutory maximum of 20 years in federal prison for each money laundering count and up to 10 years in prison for each illegal monetary transactions count.

Although the primary focus is money laundering, since electronic and stored communications were utilized, it may have been possible for liability to be premised on violations of other laws such as the Stored Communications Act or the Travel Act. In sum, social engineering is a common technique employed by cybercriminals and it is imperative for covered entities, business associates, and any person creating, receiving, maintaining, or transmitting protected health information to include the various types of social engineering in training, as well as raise awareness about the downstream fraud that can occur if sensitive information is “poached” and utilized for personal gain or to impugn/extort a patient.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.