How Cybercriminals Use Money Mule Accounts to Profit From Online Fraud
Bank fraud is a lucrative business. In the U.K. alone, over 100 million pounds were lost to transfer scams in the first six months of 2017. This stemmed from 19,370 cases, with an average loss of 3,027 pounds for consumers and 21,477 pounds for businesses, as reported by UK Finance. This type of authorized push payment (APP) scam means that a legitimate account owner approved the payment. In the U.K., there is no legal mechanism for banks to return money received following such a scam.
Fraudsters are innovating constantly to commit new types of cybercrime, but they also need to create mechanisms to move their ill-gotten gains into cash in hand. This is where mule accounts come in.
What Is a Money Mule Account?
According to Europol, 90 percent of money mule transactions are linked to cybercrime. Cybercriminals use mule accounts to deposit money and then transfer it to other accounts. Fraudsters may pose as genuine employers, offering payments to people to establish and use these accounts. This is essentially money laundering, which can carry a sentence of 14 years imprisonment in the U.K.
There is evidence that malicious actors are coercing young people in particular to act as mules. The Guardian, citing fraud prevention firm Cifas, reported that there were 8,652 cases in which bank accounts belonging to 18- to 24-year-olds were misused during the first nine months of 2017 — that’s double the number of such incidents reported in 2013.
A Mule in Sheep’s Clothing
Fraudsters need mule account owners to appear as normal users. This proposition can be attractive to some: A mule can work at home, open a few bank accounts, transfer funds and get paid for doing something that looks innocuous on the surface. Once a fraud is executed, the perpetrators need to move money fast, and mule accounts enable them to expedite this activity. Typically, several mule accounts are used to transfer funds from a single fraud incident.
Threat actors work remotely and need to recruit mules in-country to extract funds. This recruitment occurs over the web and has become quite sophisticated. In many cases, mules are unwitting accomplices and think they are acting for a legitimate business. IBM’s X-Force Exchange found evidence that fraudsters are also using malware to recruit money mules by targeting job recruitment and advertisement sites. These actors are becoming more sophisticated over time, even resorting to bitcoin ATM transfers to extract cash, according to KrebsOnSecurity.
Detecting Mule Accounts
Mule account detection is becoming more important and complex for banks as they open new account registration processes to other channels, such as mobile. With manual systems, banks could rely on staff to review application forms, ask appropriate questions, and determine data accuracy and authenticity with the benefit of time delays. Today’s systems need to be deployed with artificial intelligence (AI) capabilities that can recognize risk indicators and respond much faster without compromising the client experience.
Banks have traditionally focused on detecting fraud as a payment leaves an account. In this era of open banking and faster payments, financial institutions need to pay attention to payments going into accounts and determine whether any activity indicates a possible mule account. Detecting this type of activity requires a combination of several risk indicators, such as virtual machine detection, device spoofing evidence, device attributes, the use of automated techniques, known fraudster profiling, and user behavior in the registration and post-registration user journeys.
Action against mules requires interbank and international cooperation. On Nov. 28, 2017, Europol announced that law enforcement had arrested 159 people, interviewed 409 suspects, and identified 766 money mules and 59 mule organizers as a result of the European Money Mule Action (EMMA3) initiative, which promotes action against money muling, between Nov. 20 and 24.
Mule detection also benefits from a systemic approach along national and international lines. In 2017, Vocalink conducted a proof of concept on U.K. faster payments data across 12 financial institutions, demonstrating that sharing data across banks can be effective. However, industrializing such a system would require new regulations on sharing data between organizations. In the meantime, individual banks must ramp up their internal mule detection systems.
Hit Fraudsters Where It Hurts
Mule account detection is an intrinsic component of the IBM Trusteer New Account Fraud offering. This solution combines attributes such as those mentioned above with the latest machine learning techniques. It then integrates that data with global intelligence sources, generating insights on the devices used for registration and providing a risk assessment on newly created accounts.
Money mules play a crucial role in today’s cybercrime landscape and enable malicious actors to keep devising new ways to compromise personal and enterprise data for their own gain. By sniffing out this activity, law enforcement and security professionals can hit fraudsters where it hurts — their wallets — and build barriers to prevent future attacks from being successful.