Most of the time, spam is just an annoyance... But in addition to being a vector for malware infection, spam can also be the gateway to getting otherwise honest individuals unwittingly involved in criminal enterprises. I've regularly covered online job scams and the spam that's used to lure unsuspecting job seekers into various types of fraudulent employment and have often wondered about the details of how some of these scams work...

Now Brian Krebs over at Washington Post's "Security Fix" blog continues his excellent investigative security journalism with an examination of how so-called "money mules" are recruited and how they work with their "employers."

See: Washington Post Security Fix Blog - "Money Mule" Recruitment Network Exposed

This is amazing stuff - you'll want to read Brian's entire post (complete with screenshots of actual messages between a mule and the scammers that hired her). Some excerpts from the article:

Security Fix interviewed one of the mules hired to receive money from Sanford School District, a small school system in Colorado that was robbed of $117,000 last month when hackers used the district's online banking credentials to send sub-$10,000 payments to this mule and 16 others.

...

The Sanford mule -- who spoke on the condition of anonymity out of fear of reprisals by the hacked company and perhaps by the hackers themselves -- said the Scope Group approached her via e-mail, saying it had found her resume on Careerbuilder.com, and would she be interested in a work-at-home job acting as a "financial manager"? Having worked as a payroll manager in a previous job, the mule said she thought it was a perfect fit. Besides, she said, she'd been out of work since March.

The mule said that after responding to the initial recruitment e-mail, she was directed to create a profile at the [scammers'] Web site [redacted here]. She was then asked to provide a large amount of personal and financial data, including her name, address, Social Security number, bank account and routing numbers, as well as a scanned copy of her drivers license. During the enrollment, she was prompted several times to make sure that her bank would allow her to withdraw up to at least $10,000 a day.

Read more at Security Fix. And don't fall prey to these sorts of scams... Proofpoint offers the following advice to consumers in order to avoid being victimized by online job, "secret shopper," wire fraud and similar scams:

• Remember, first of all that any offer presented to you that sounds too good to be true usually is—whether it's presented via email, phone or direct mail.
  
• Simply do not respond to these sorts of solicitations. Especially do not click links presented in such emails (which may lead to fraudulent websites that attempt to install malicious software on your personal computer). Note that the latest job scam emails do not include links, asking job seekers to respond to a generic webmail account (like a gmail or Yahoo mail account).
  
• Keep in mind that anyone can place an online ad, send you an email, or post a "lure" in otherwise legitimate online forums.
  
• Never pay a company to hire you. If the employment process involves sending the employer money, it's almost definitely a scam.
  
• Do not wire money (which is the same as sending cash) to individuals unknown to you or to firms that have supposedly hired you.

See my previous posts "More Employment Scams in the News", Email Job Offers Can Steal Your Identity" and "FBI Warns on Email and Job Scams" for more on this topic.