In his Krebs on Security blog, Brian Krebs outlined a rather creative scam by cyber criminals. This story highlights how criminals tricked consumers to help them commit fraud by preying on consumers job search insecurities.
First the criminals hacked into the Delray Beach Public Library's computer systems to steal the library's financial account credentials. Then, the criminals created a bogus company to recruit fake empoyees to help them commit wire transfer fraud. The scam began to surface when the staff at a Florida library couldn't determine:
"... how or why nearly $160,000 had disappeared from their bank ledgers virtually overnight. The money was sent in sub-$10,000 chunks to some 16 new employees that had been added to the usual outgoing direct deposit payroll."
The criminals had hacked into the library's computyer systems to insert the bogus employees into the library's payroll, and to steal the library's money using the library's financial account credentials. Krebs described the plight of one fake employee:
"... 19-year-old Brittany Carmine... Carmine had just lost her job at a local marketing firm when she received a work-at-home job offer from a company calling itself the Prestige Group. She said after researching the company online, she decided it was legitimate, and filled out the paperwork to begin her employment. Just days later, she received a bank deposit of $9,649, with instructions to wire all but roughly $770 of that to individuals in Ukraine."
Not knowing she was working for criminals, Carmine followed the instructions she received and wired the money to separate accounts in the Ukraine and kept each wire transfer amount below $3,000 -- a limit that would trigger alarms at Western Union and Moneygram. Of course, the bank deposit Carmine received into her bank account was money stolen from the library, and:
"The next day, Carmine found she had a negative $9,649 balance at her bank, which froze her account and sent an investigator to hound her for the money. Brittany says she doesn’t have the money to pay back... The library would later learn that the attackers had swiped its online banking credentials with the help of a password-stealing computer virus, and then initiated a batch of sub-$10,000 transfers to Carmine and 15 other so-called money mules. Because staffers at the library noticed the fraud immediately, their bank was able to reverse most of the other bogus transfers and was willing to refund the library the remaining amount..."
Carmine was stuck because her bank had reversed the deposit to her bank account, and she had already wired money overseas to the cyber criminals. What should a consumer do to avoid getting scammed like this? The Privacy Rights Clearinghouse advises consumers:
- "Do not give personal bank account, PayPal account, or credit card numbers to an employer.
- Do not agree to have funds or paychecks direct deposited to any of your accounts by a new employer.
- Do not forward, transfer, or "wire" money to an employer.
- Do not transfer money and retain a portion for payment."
"Legitimate employers do not usually need your bank account numbers. While direct deposit of a paycheck is a convenience, if that is the only option an employer offers, then you should not accept the job. A legitimate employer will give you the option of direct deposit, but not demand that it is used. You should wait until you have met the employer in person before agreeing to a direct deposit option."
Follow this advice so you don't become a "money mule" in your next job. If you are already a scam victim, then you should:
- "Close all bank accounts at the bank where the scam took place.
- Order a credit report from all three credit bureaus every 2 to 3 months. Watch the reports for unusual activity. If you have given your SSN to the fraudster, we advise that you place fraud alerts on your three credit reports - Experian, Equifax, and TransUnion.
- Victims of payment-forwarding scams should contact their local Secret Service field agent. The Secret Service handles complaints of international fraud. Fraud victims should also file a police report with local law enforcement officials as well.
- Victims should report the company name, the job posting, and all contact names to the job sites where the scam was posted.
- Victims should permanently close all email addresses that were associated with the job fraud."