A few weeks ago I came across several email messages in Spanish purporting to have been sent by Western Union:
As you can see, this is a typical message sent as spam that we have seen in many guises. It tries to pass itself off as some kind of official notification from well-known companies -anyone from UPS to Apple or even Panda- with the real aim of trying to trick users into running the attached file. However, this time when I saw the message I couldn’t help but smile.
Why? Because I thought there was a certain irony about the message claiming to have been sent by Western Union, a company used by virtually all cyber-criminals. Should we be pointing an accusatory finger at companies like Western Union? There are those who would argue that this is like criminalizing the Internet just because there are users that abuse its services. Fair enough.
But if Western Union is just like any other company, why is it used so insistently by criminals? In practically all the cases I’ve seen of money being stolen from bank accounts (and I can assure you there have been many), the system that criminals ask the money-mules to use to send them the stolen money is Western Union. This system allows the money to be sent anonymously, so that the police cannot follow the trail.
It is an embarrassment that there are companies that allow this. Western Union knows full well that criminals use its services for these types of transfers, but what is it doing about it? Posting warnings on its website:
Out of morbid curiosity, I’ve been looking at the pages of Western Union in other countries, perhaps they had forgotten to post warnings on the websites in Russia or the Ukraine 😉 but no, it’s there on all of them. When you click on the link, there is advice and examples of scams and phishing.
Apparently, it is concerned about the fraud that exists (even though it continues to make money from the criminals). So why don’t criminals use other companies? In fact, they do. When they don’t use Western Union they use Moneygram, which operates just as “effectively” as Western Union.
There are other more popular systems for sending money, such as PayPal. So why don’t they use companies like PayPal? This is a payment platform widely used around the world, in fact it can be used in 194 countries (its distribution reaches even further than Mariposa 😉 ) yet criminals do not use it for these types of transfers. Let’s have a look at the webpage:
Not a single warning. It would seem that they don’t have this problem, but why is that? The fact is that PayPal accounts have to be associated to a bank account, and so any crimes committed are easily traceable. So even if someone fakes their identity on PayPal, it’s not so easy to do the same with a bank account. Western Union, on the other hand, has agents all around the world, so you can go and physically collect your money in cash without having to provide your bank details. Obviously you have to identify yourself, although it would seem that the methods used leave much to be desired.
In order to find some answers to these questions I used one of the secret tools that we have in the laboratory: the Internet 😉
In an interesting interview with some Nigerian scammers, they all claimed to prefer using Western Union or Moneygram, explaining:
(We prefer) Western Union Money Transfer service centre, this is because the Western Union agents themselves are all in the game so you can claim your money with fake identity and they just collect 5% from you for themselves and that’s all.
In fact, the eBay online auction site has forbidden the use of Western Union. On its Web page you can see the following advice to users regarding making safe transactions:
So how do cash transfers work with Western Union? When you send money you have to give the details of the recipient, including name and address. They give you a MTCN (Money Transfer Control Number). Whoever collects the money only has to provide the MTCN and the name of the person who has sent it. That’s all. In addition there are different agencies in each country that act as franchises, making it easy for criminals to find someone bribable. Evidently, if it is true that there are bribes, this is not really to an employee of Western Union, but to an employee of the franchise. Bear in mind that many of these franchises are local operations also involved in other business, and they provide the Western Union service as a sideline.
In any event, Western Union is surely aware that this is one of the weak links in the chain and is easily abused by criminals, and they will surely take measures to verify the integrity of their agents. At least that’s what any normal-thinking person would assume. So let’s look at how this commitment to the fight against crime works in practice:
Having got this far, the only question left is: What can be done? Firstly, as a responsible user with a commitment to the fight against crime, I’ve no intention of allowing a company which in my point of view is irresponsible to profit at my expense. But this is just a drop in the ocean, I don’t believe my mafia “friends” will stop using Western Union because I don’t use it, they might follow me on Twitter, but that’s about all 😉
Secondly, we have to demand Western Union to change the way the do business, forcing any user that wants to receive money to give his bank account (as PayPal does). And this is not something only to be done by Western Union, but by any other similar company, such as Moneygram.
Even if we could achieve something like this, we wouldn’t bring an end to cybercrime (I wish it were so easy), but it would be another small step along the way. Criminals would have another obstacle in their way and would have to look for alternatives, while we continue to hunt them down