The FTC has disrupted a long-running scam that stole millions from US consumers, a few pennies at a time. The scam worked by submitting small charges - usually less than $10 - to credit cards whose numbers were known, and then processing the charges through bogus companies. 94% of the fake charges were never challenged by the cardholders.

Just like viruses that subvert computer security by tricking human users into opening attachments or clicking questionable links, the scam targets the weakest link in the credit card system: the human card holder. For the scam to be detected, card holders must review their credit card statements and challenge any unrecognized charges. Most people don't do that, particularly for small sums.

The scam had a spam component as well. To get the money out of the US, the scammers were forced to take on 'money mules' who would receive money transferred from bank accounts opened by the fake companies, and send it abroad via Western Union or a similar money transfer service. The mules were, of course, recruited through spam in the form of unsolicited emails offering 'job vacancies' as a 'financial manager' or 'payment processor'.

One mule, now cooperating with law enforcement, worked for the scammers for more than four years. This suggests that money transfer scams of this kind may not, as previously believed, be set up to defraud the unwitting mule and empty his or her bank account as quickly as possible (although that can still happen). Rather, the goal of the scammer is to establish a stable conduit through which they can export their money, so a diligent mule may be kept on for many years. Of course, as soon as the scam unravels, the mule is still the one who's on the hook for the missing money, and risks facing federal money-laundering charges.