Hunting for Money Mules: Stop the Mules, Stop the Digital Banking Fraud

Posted December 11, 2018

Hunting for Money Mules: Stop the Mules, Stop the Digital Banking Fraud

Law enforcement agencies scored a major win December 4 when Europol announced it had identified 1,504 alleged money mules and arrested 168 in countries across Europe. In Italy alone, it was reported that state police identified 101 mules and 320 fraudulent transactions worth €34 million, of which €20 million were blocked.

It’s all part of an international effort to hunt down operatives that have become key enablers for cybercrime around the world.

And it’s not just the law enforcement agencies who are making mules a priority. Financial institutions are increasingly collaborating with one another, and with technology vendors such as ThreatMetrix, to set up proactive initiatives that map out the complex networks of money mule accounts that facilitate global cybercrime.

School for Scandal

For those just tuning in, a “money mule” is someone whose bank account is used to receive illegally-acquired funds in order to withdraw or transfer that money to other accounts. It is a key element in digital banking fraud, without money mules this type of fraud would not exist.

While some are legitimate crooks themselves, a growing number of mules are actually unwitting victims. Stolen identity credentials can be used to set up bogus accounts under someone’s name; individuals can be tricked into this through job ads targeting the unemployed, without realizing they are signing up for something illegal; or, increasingly, they’re cash-strapped students who are lured by making a quick buck.

In London, for instance, there has been a 26% increase in the number of kids as young as 13 recruited as mules in just the last year.

Sometimes the proceeds they help launder are acquired through banking account takeover, online auction fraud, or social engineering scams. And sometimes the mule doesn’t even get personally involved, instead handing over login credentials to bank accounts in their name so the cyberthieves can handle the transactions themselves, in this scenario these cyberthieves are called mule herders. Whatever the case, the mule is paid a small percentage of the proceeds for the trouble.

According to the United Nations Office of Drugs and Crime, as much as US$ 2 trillion is laundered each year worldwide, or up to 5% of global GDP. As a result, the urgency to shut down mule activities grows by the day.

Hunting High & Low

Despite law enforcement’s best efforts to identify/catch mules and educate people not to be mules, this is a small drop in the ocean compared to the vast scale of this industry for fraudsters.

It is the financial institutions themselves who are best placed to find better ways to spot mule networks. However, this often goes beyond standard cybersecurity and compliance requirements and requires an appetite to go above and beyond to protect society at whole from the perpetrators of financial crime that is often used to fuel drug and human trafficking and even terrorism.

The problem: Traditional approaches often fail to see the bigger picture, when assessing each transaction in isolation, or failing to create linkages between separate accounts and identities that can be part of a complex network created to hide nefarious mule herding activity among a sea of transactions.

And more basic rules can easily be circumvented by cybercriminals who know what they are doing. One example is banks relying on transaction values as the primary marker of fraud – only reviewing or blocking transfers when they hit say, £10,000. Fraudsters or mules may transfer funds in a series of small transactions that would largely go unnoticed.

Sure, the velocity of transactions can and often is added as an additional threshold, as well as other factors. However, banks need to tread carefully so they don’t start interfering with legitimate transactions and impacting the customer experience of trusted customers.

It also won’t ferret out that mule logged in with their own valid credentials from transferring smaller amounts of money to multiple accounts on a more sporadic basis—or any of dozens of other scenarios that routinely elude anti-fraud systems.

In order to effectively detect mule accounts and mule networks, banks need a technology refresh; as well as expanded data insights that enable them to create linkages between separate transactions and accounts that indicate mule activity.

But fair warning: Going it alone is a long shot. Detecting and disrupting these kinds of activities requires aggregated data from a large enough dataset to enable the bank to connect the dots between users, devices, accounts and more.

Not Transactions, Identities

By assessing activity in the context of a user’s true digital identity, banks can spot anomalous behavior – for instance, a fraudster logging into a mule’s account may be using a different device, or is in another city or continent, to the individual it is connected to. Especially since that same device has logged onto three other accounts at different banks in far flung cities within the last half hour.

The actual owner of a mule account, a 21-year-old college student who has never had more than €600 in her account, recently received an inflow of funds from a number of cities. No money is leaving the bank, but something’s off, and may be worth investigating.

The ThreatMetrix Digital Identity Network, for instance, sources shared intelligence gleaned from 130 million digital events each day across 40,000 sites and apps around the world. Using the ThreatMetrix solution, it is possible to look across banks and organizations in multiple industries and geographies, complete with visualizations of the relationships between users, devices, accounts and more in order to identify cybercriminal networks, individual fraudsters, mule accounts and activities in real time.

Let’s take the example of one global financial institution we’ve worked with recently in the UK, who has used global shared intelligence from ThreatMetrix, alongside advanced rulesets and machine learning algorithums designed specifically to detect emerging mule accounts. This bank was able improve their ability to identify money mules by 50%. These mules are identified in a manner of weeks. Best of all, £1 million received into mule accounts was stopped and returned to victims.


When many young people don’t realize what they’re doing or allowing to be done with their accounts, banks can stop a bad situation from getting much worse. Penalties for even unwitting mules can include up to 14 years in prison.

With that in mind, the second phase of Europol’s fight against money mules is an awareness campaign called #DontBeAMule. Running in 25 languages, the effort is designed to educate people about what money muling is, how to avoid being recruited, and the consequences of complicity in these crimes.

Sounds like a worthy effort. But considering the immense losses stemming from online banking fraud perpetrated by money mules of all stripes, financial institutions are no doubt exploring other safeguards.

An approach based on advanced behavioral analytics and shared intelligence may be a very smart place to start.

To learn more about the challenges associated with detecting mule activity and how to overcome them, watch a special, on-demand webinar, Supporting Mule Hunters with Digital Identity Intelligence

Mike Nathan

Mike Nathan

Senior Director - Solutions Consulting EMEA , ThreatMetrix

close btn