February 14, 2018 By Alan Kelly 3 min read

Bank fraud is a lucrative business. In the U.K. alone, over 100 million pounds were lost to transfer scams in the first six months of 2017. This stemmed from 19,370 cases, with an average loss of 3,027 pounds for consumers and 21,477 pounds for businesses, as reported by UK Finance. This type of authorized push payment (APP) scam means that a legitimate account owner approved the payment. In the U.K., there is no legal mechanism for banks to return money received following such a scam.

Fraudsters are innovating constantly to commit new types of cybercrime, but they also need to create mechanisms to move their ill-gotten gains into cash in hand. This is where mule accounts come in.

What Is a Money Mule Account?

According to Europol, 90 percent of money mule transactions are linked to cybercrime. Cybercriminals use mule accounts to deposit money and then transfer it to other accounts. Fraudsters may pose as genuine employers, offering payments to people to establish and use these accounts. This is essentially money laundering, which can carry a sentence of 14 years imprisonment in the U.K.

There is evidence that malicious actors are coercing young people in particular to act as mules. The Guardian, citing fraud prevention firm Cifas, reported that there were 8,652 cases in which bank accounts belonging to 18- to 24-year-olds were misused during the first nine months of 2017 — that’s double the number of such incidents reported in 2013.

A Mule in Sheep’s Clothing

Fraudsters need mule account owners to appear as normal users. This proposition can be attractive to some: A mule can work at home, open a few bank accounts, transfer funds and get paid for doing something that looks innocuous on the surface. Once a fraud is executed, the perpetrators need to move money fast, and mule accounts enable them to expedite this activity. Typically, several mule accounts are used to transfer funds from a single fraud incident.

Threat actors work remotely and need to recruit mules in-country to extract funds. This recruitment occurs over the web and has become quite sophisticated. In many cases, mules are unwitting accomplices and think they are acting for a legitimate business. IBM’s X-Force Exchange found evidence that fraudsters are also using malware to recruit money mules by targeting job recruitment and advertisement sites. These actors are becoming more sophisticated over time, even resorting to bitcoin ATM transfers to extract cash, according to KrebsOnSecurity.

Detecting Mule Accounts

Mule account detection is becoming more important and complex for banks as they open new account registration processes to other channels, such as mobile. With manual systems, banks could rely on staff to review application forms, ask appropriate questions, and determine data accuracy and authenticity with the benefit of time delays. Today’s systems need to be deployed with artificial intelligence (AI) capabilities that can recognize risk indicators and respond much faster without compromising the client experience.

Banks have traditionally focused on detecting fraud as a payment leaves an account. In this era of open banking and faster payments, financial institutions need to pay attention to payments going into accounts and determine whether any activity indicates a possible mule account. Detecting this type of activity requires a combination of several risk indicators, such as virtual machine detection, device spoofing evidence, device attributes, the use of automated techniques, known fraudster profiling, and user behavior in the registration and post-registration user journeys.

Action against mules requires interbank and international cooperation. On Nov. 28, 2017, Europol announced that law enforcement had arrested 159 people, interviewed 409 suspects, and identified 766 money mules and 59 mule organizers as a result of the European Money Mule Action (EMMA3) initiative, which promotes action against money muling, between Nov. 20 and 24.

Mule detection also benefits from a systemic approach along national and international lines. In 2017, Vocalink conducted a proof of concept on U.K. faster payments data across 12 financial institutions, demonstrating that sharing data across banks can be effective. However, industrializing such a system would require new regulations on sharing data between organizations. In the meantime, individual banks must ramp up their internal mule detection systems.

Hit Fraudsters Where It Hurts

Mule account detection is an intrinsic component of the IBM Trusteer New Account Fraud offering. This solution combines attributes such as those mentioned above with the latest machine learning techniques. It then integrates that data with global intelligence sources, generating insights on the devices used for registration and providing a risk assessment on newly created accounts.

Money mules play a crucial role in today’s cybercrime landscape and enable malicious actors to keep devising new ways to compromise personal and enterprise data for their own gain. By sniffing out this activity, law enforcement and security professionals can hit fraudsters where it hurts — their wallets — and build barriers to prevent future attacks from being successful.

Read the white paper: Transparently detecting new account fraud

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today