A paper from Microsoft Research argues that theft of online banking passwords poses a much lower risk to consumers than is generally assumed, because of consumer protection rules. The analysis suggests that when consumers are guaranteed reimbursement for fraudulent withdrawals from their accounts, the loss ultimately falls not on the bank but on the “mules” recruited by phishing fraudsters. A phisher cannot simply move stolen money to an account they control, because an ordinary bank transfer can be reversed once the fraud is reported; instead the money is sent to a mule, who forwards it by an untraceable, irreversible channel such as Western Union and keeps a “commission” that is presented as easy money. The service the mule provides is to convert a reversible bank transfer into an irreversible one. When the bank charges back the phished transfer, it is the mule's account that is debited, by which time the cash is long gone; it is the mule, not the phisher, who loses out.
Mules are recruited online with the promise of easy money “working from home”, typically under the guise of a job with an import/export company. Those who sign up are often poorly educated and of limited financial means.
The paper's conclusion is that, once consumers are protected against loss (guaranteed by law in the USA, but not in the UK) and banks can charge back fraudulent debits (which is already the case), the most effective way to reduce phishing fraud is to reduce the supply of mules. That could be done by raising awareness that the people the phishing fraudsters are really scamming are the mules, not the account holders whose passwords were stolen. This, the authors suggest, would do far more good than further hardening banking passwords, which in practice are only a minor part of the overall security of online banking.
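The money flow described above, and the effect of the two protections the paper takes as given (reimbursement of the consumer and the bank's ability to charge back), can be checked with a small ledger model. The following Python is an added example, not code from the Microsoft Research paper or from this summary; the party names, the 1000-unit theft and the 10% commission are constructed assumptions, and the model assumes the bank can always debit the mule's account for the chargeback even when that leaves it overdrawn.

```python
"""Toy ledger model of a phishing cash-out through a money mule.

Added illustration, not code from the paper or the summary above. Party
names, amounts and the commission rate are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Transfer:
    src: str
    dst: str
    amount: int
    reversible: bool          # bank transfer: True; cash remittance: False
    reversed: bool = False


@dataclass
class Ledger:
    balances: Dict[str, int] = field(default_factory=dict)
    history: List[Transfer] = field(default_factory=list)

    def move(self, src: str, dst: str, amount: int, reversible: bool) -> Transfer:
        """Debit src and credit dst. Balances may go negative (a debt)."""
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        t = Transfer(src, dst, amount, reversible)
        self.history.append(t)
        return t

    def charge_back(self, t: Transfer, credit_to: Optional[str] = None) -> None:
        """Undo a bank transfer by debiting its receiver again.

        A remittance already collected as cash cannot be undone, which is
        precisely why the phisher routes the money through a mule. The
        receiver is debited even if that overdraws the account (assumption:
        the bank always manages to debit the mule).
        """
        if not t.reversible:
            raise ValueError("remittance is irreversible")
        if t.reversed:
            return
        target = credit_to or t.src
        self.balances[t.dst] -= t.amount
        self.balances[target] = self.balances.get(target, 0) + t.amount
        t.reversed = True


def cash_out(stolen: int = 1000, commission_rate: float = 0.10,
             consumer_protected: bool = True,
             bank_charges_back: bool = True) -> Dict[str, int]:
    """Run one phishing cash-out and return each party's net position.

    Everyone starts at zero, so the result reads directly as profit or loss.
    """
    led = Ledger()
    # 1. The phisher uses the stolen password to push the victim's money to the mule.
    phished = led.move("victim", "mule", stolen, reversible=True)
    # 2. The mule keeps a commission and forwards the rest by an irreversible service.
    commission = int(stolen * commission_rate)
    led.move("mule", "phisher", stolen - commission, reversible=False)
    # 3. Consumer protection: the bank makes the victim whole from its own funds.
    if consumer_protected:
        led.move("bank", "victim", stolen, reversible=False)
    # 4. Charge-back: the phished transfer is clawed back from the mule. The
    #    recovered funds go to whoever is currently out of pocket.
    if bank_charges_back:
        led.charge_back(phished, credit_to="bank" if consumer_protected else "victim")
    return {p: led.balances.get(p, 0) for p in ("victim", "bank", "mule", "phisher")}


if __name__ == "__main__":
    for protected in (False, True):
        for chargeback in (False, True):
            print(f"protected={protected!s:5} chargeback={chargeback!s:5}",
                  cash_out(consumer_protected=protected, bank_charges_back=chargeback))
```

Toggling the two flags shows where the loss lands: with neither reimbursement nor chargeback the victim bears it; with reimbursement alone the bank does; as soon as the bank can charge back, the mule ends the run 900 units in debt while the phisher keeps the 900 that left by the irreversible channel regardless. The model's one optimistic assumption is that the bank actually collects the mule's negative balance; whether it can do so in practice is outside both this model and the summary above.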