Lately all the banks around here (Latvia) have been sending out warnings about scammers that try to get access to your online banking. Fair enough. But what confuses me is - so, what can they do after that? I mean, obviously they can transfer my money wherever, but... those transactions will be traceable. They'll just be leaving a trail of breadcrumbs leading straight to them. Sure, if they hoodwink just one or two people the bank might not notice (and not believe the victims, since all the operations will be properly authorized), however it's obviously gotten to the point where the banks are quite annoyed and would probably be very interested in tracking them down. So why don't they? What can the scammers do that can get them money yet leave them untraceable?
9 Answers
This is the "problem" that all of the myriad money laundering schemes attempt to solve. One of the fastest and most common ways to steal money and get away with it is by purchasing online giftcards to merchants like Amazon, Best Buy, Google Play, iTunes, etc. There are several online platforms where owners of giftcards can sell them to others. Typically they're sold at a discount to their face value. This is essentially the "fee" the criminals pay to launder their stolen money. In many cases, they will exchange the giftcards for cryptocurrencies such as bitcoin. The crypto can then be sent to a coin mixing service, which essentially disconnects the proceeds from the previous sequence of transactions beginning with the stolen money. They now can move this laundered crypto to their own accounts or sell it to get fiat currency back. The stolen money cannot be traced back to them.
So to summarize, the steps are as follows:
- Using the compromised banking information, purchase online giftcards.
- Find a buyer and sell the giftcards online in exchange for cryptocurrency.
- Send the crypto to a mixing service to disconnect from the previous chain of transactions.
- Transfer the crypto to your own custody or sell it on an exchange for fiat.
If you're familiar with the three steps of money laundering, the first bullet point above is the "placement" step. The second and third bullet points are "layering." And the final bullet is "integration."
Compromised accounts are the backbone of a common "overpayment" scam. It works like this:
Scammer takes control of Person A's bank account and uses it to overpay for something they buy from Person B on eBay, Nextdoor, etc.
"Oops I accidentally sent you too much money. Please send the difference back to me with Western Union or Bitcoin or Apple gift cards or another non-reversible form." Person B complies.
Person A discovers the fraudulent payment and reports it. Banks reverse it, money drains out of person B's account. But Person B's payment is gone forever.
Person A has a major hassle to get their money back. Person B has no hope. They may additionally have overdrafts if they've moved money out of their account in the meantime. And technically they may fall afoul of money laundering rules.
So the scammer gets paid without actually directing any money from Person A's account to themself.
Some transfer methods are NOT reversible.
They transfer your money to another victim, and trick them into sending Western Union or Bitcoin.
Scammers work as teams and are running several scams at once. The other victim is in a scam like:
- Overpayment scam: "I want to buy your €300 boogie board. Oops, I accidentally sent you €3000. Can you send the €2700 back Western Union?"
- Employment scam: "We do QA testing of Bitcoin ATMs. Your job is to physically go to Bitcoin ATMs and make test deposits. We have sent you €3000. Deduct your €300 salary, then make this list of deposits summing to €2700".
The other victim cannot reverse the money forwarding they did, because Western Union, Bitcoin, Venmo and several other transfer methods are non-reversible.
Now you are in a "victim vs. victim" situation. One of you is left holding the bag.
There are wagonloads of schemes for making unsuspecting victims convert money from stolen accounts to real money, making others hold the bag. You can combine this with a dating scam: an online acquaintance in Russia becomes totally infatuated with you and wants to come over for a visit or marriage or whatever. But she insists on doing it on her own dime and transfers visa fees/ticket price/bribes/whatever to your bank account and needs you to pass this on to embassy/travel agency/officials/whatever with the account number and credentials she sends you. So it's "her" money; can't be a scam, can it?
The police going after money transferred from an account via stolen credentials begs to differ.
There are also online ads offering well-paying "jobs" for doing "payment processing" for a "foreign company". You receive money to your account and pass it on for a "fee". Again, until the police come calling and you have to return the money (which you no longer have) that you sent elsewhere with a service that cannot be traced.
Then there is "overpayment" for wares or services where you are to pass on the majority for "convenience" or whatever.
There is no serious shortage of gullible fools for converting traceable money to untraceable money.
I can tell you about a specific case in Europe and how it was done (from the victim's point of view).
In this case, an email account was hijacked (likely through a stolen wallet) and with the data in it a bank clerk was convinced that 8000 Euros should be transferred to another EU country. The claim was that the account owner was stranded in that country and needed the money badly. This was done on a Friday afternoon.
When the owner noticed the withdrawal (Monday), the police were notified, but the money was already in the new account. From there it was immediately transferred to another account in Moldova. From there the trace is lost. I guess it is possible that the account holder in the intermediate country (inside the EU) was questioned, but as the amount was big, I guess that it was worth the risk.
Anyways, the account holder was reimbursed, as the bank took responsibility for not following procedure. But it is clear that a big hit can be scored without any degree of sophistication.
Your doubts should be shared by everyone who comes to this afresh: the money trail should be traceable.
May I assume everyone here understands the concept of a "burner" phone; one used for a very few calls - sometimes, only one - then thrown away?
It's much harder to get a bank account than a phone subscription but when we compare "much harder" to "impossible", which one wins?
At the end of a trail, the bad guys convert electric currency into either cash, or cashable vouchers, then close - or simply for evermore ignore - that account.
Separately, this whole Question is one of the reasons no-one should be allowed an on-line banking account without first passing an industry-standard exam…
Does anyone doubt that?
In the United States, at least from my personal experience around 2017, they take the banking information, get an ATM card, and then start pulling cash from ATMs at convenience stores. Cash is harder to trace and easy to convert, and circumventing the security cameras on the ATMs basically comes down to wearing a hat and sunglasses such that you look like everyone else.
In addition to the many other cases described in the other answers:
If they managed to get an ATM card or other means of making withdrawals on an account (which is not theirs, obviously, or one they managed to create in the name of someone else), then they just transfer money from your account to that account, withdraw the money, and the trail ends.
They (directly or indirectly) transfer money to accounts in not-very-cooperative jurisdictions. Possibly add a few hops, and the trail becomes very difficult to trace.
They fund prepaid cards, and withdraw the money. Note how prepaid cards have become a lot less prevalent over the last few years; this is due to the headache for them to remain compliant with KYC/AML/CTF (Know Your Customer, Anti-Money Laundering, Counter Terrorism Financing) rules.
Basically, the goal is to end up with the money in a form that is out of reach of the good guys. Cash, bitcoin, anonymous prepaid cards...
The answer is sometimes not much.
Once in any of my (French) bank accounts, the hacker can obviously see what I have. In order to make a wire transfer:
- either the target account is "verified" and no extra steps are needed → but in order to "verify" an account there is an extra factor that is needed (an SMS to the registered number)
- or the extra step above must be done ad-hoc.
This means that, in theory at least, there is a "multifactor authentication" done on the wire transfer.
Why "in theory"? Because there is the social engineering case @me mentions in another question, though access to the bank account may help but is not the core of the fraud (some banks will ask you how much money you have with them as a "security question").
If you consolidated your accounts information in the hacked account, this can be used to prepare an attack on the other ones (also via social engineering, or hoping that the password is the same).