On Mystery Shoppers, Money Mules and the Average Time Between Births of a Sucker

February 9, 2011 - 2 Comments

I’d just started looking at all the bills from the Australian summer holiday trips, when this amusing email landed in my inbox…

Ladies and gentlemen!

Do you want to combine business and pleasure? Let us pay your purchases you make for us and become a professional “mystery shopper.”

“Mystery shoppers” check clients’ branches in the region and evaluate the service they are offered in the stores. You will check the condition of purchased goods at home and then send your feedback via Internet. The information you provide will help companies to estimate the quality of their service and improve it.

The reason I found the email so funny was the timing. Just a few weeks ago, Cisco released its Annual Security Report for 2010, and one of the more interesting items is around “Money Mules” and their recruitment.

Cybercriminals need to “launder” the money obtained through their criminal activities. This leads to other fraud such as the “Mystery Shopper.” In one scenario, stolen money is transferred to the mule’s bank account who then purchases goods, ostensibly to “estimate the quality of their service.” They are the told to ship the goods on to foreign locations.

In a scam such as this one, the “shipping mule” is often completely unaware of their criminal involvement—until they are contacted by law enforcement. At that point the mule is abandoned. While there are other Money Mule scenarios, the outcome is invariably the same, driving a continuous need for a steady supply of mules.

The risk to employers is similar to older 491 Nigerian emails where employees embezzle money to fund their involvement in the scam.  Email spam and security solutions can help flag recruitment emails such as the “Mystery Shopper” one which landed in my inbox—but education is key.  As with any con, they are about exploiting our own greed, even when we should know better.

If it sounds too good to be true, it usually is.

The recruitment of Money Mules is just one of the trends discussed in the report. For more details on what we saw in 2010 and what we can expect for 2011, get the Cisco 2010 Annual Security Report.

Stay mobile. Stay secure.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Hey, even we supposedly ‘smart’ people can fall for these if they are done correctly (or incorrectly as the case may be).

    I received such an e-mail, but was not promised any exorbitant amount of money, or any amount for that matter. I wasn’t expecting a lot, just a little bit of money to help me through the southern California crunch.

    The next thing I know, I receive a $900 check in the mail. Without really examining it, I took it to my bank. At the last minute my ‘spidey sense’ went off because $900 is about 100 times more than the real mystery shoppers give you – if anything, they usually make you pay them a ‘fee’. I was worried about it bouncing, not about money laundering. So I told the teller, let’s cash this first and then I’ll deposit part of it.

    Several problems appeared magically before me. The magnetic numbers on the bottom of the check weren’t magnetic. The teller looked at me funny. She tried to scan it again, no deal. She called her manager and my eyebrows raised as automatic reflex. I told her, “Well, I’m glad I decided not to deposit this one.” He called me over to the side and I started to feel smoke coming out of my ears. My temper had ignited. I requested a photocopy of the fake check so that I could show the police for my report. Then he showed me some very obvious discrepancies on the check: different addresses, no watermark, back ink was the wrong color, etc. All things I know about. I was very embarrassed. The most startling fact? The address for the check said California, but the postage was for Florida and the letterhead on the accompanying letter was an address in New York. Why had I not noticed it?

    But worse than my sleepwalking to the bank was the local police department’s response: they couldn’t be bothered with it. Unbelievable.

    • There’s an important lesson in your story: No one is immune. The right bait (“just a little bit of money to help”), the right hook (“a $900 check in the mail”), at the right time (“the southern California crunch”) and anyone can be caught.
      Your story illustrates why defence in depth and breadth is so important. While your own “security mechanisms” failed, the ones at the bank did not.
      Thanks for sharing.