Money Mules – Where Fraud, AML and Cybersecurity Converge

Introduction

In an age defined by rapid technological advancement, we are concurrently experiencing a notable surge in attacks targeting customers in the financial services sector. The complexity, diversity, and sophistication of these attacks are also on the rise. These attacks can result in mass identity theft and synthetic identity account openings, hard-to-identify social engineering schemes, such as business email compromise and authorized push payment (APP) scams, among many others.  The proliferation and the magnitude of the issue has been exacerbated by several recent developments:

• Criminals leverage AI advancements to orchestrate more sophisticated attacks with minimal resources, utilizing bots and social media to amplify their reach.
• Real-time payments have allowed these criminals to move illicit proceeds at an unprecedented pace without detection.
• Digital onboarding aims to provide a seamless entry process for identification and verification (ID&V); however, it has facilitated the proliferation of mule account creation.
• Embedded finance presents a valuable opportunity for diversifying products and enhancing user experience by integrating financial services within social media platforms. This convergence fosters a more seamless user experience but diminishes the inherent defense mechanisms that users rely on solely within the context of traditional banking interactions.
• Exploiting the risk-averse nature of the financial services industry, criminals capitalize on limited information sharing between banks and compartmentalized approaches by cyber, fraud, AML, and KYC teams, allowing them to perpetuate these schemes on a massive scale.

At the core of this vicious cycle of financial crime are money mules – individuals recruited to transfer illegally obtained funds on behalf of criminals. Money mules help criminals maintain their anonymity by adding layers of distance between crime victims and the criminals, making it difficult for law enforcement to “follow the money”. [1]

In this article, we will explore why the phenomenon of money mules intersects with every facet of threat and risk management, encompassing cyber, fraud, AML, and KYC disciplines. We’ll underscore the imperative of sharing intelligence to identify dormant money mules within financial institutions (FIs) worldwide, crucially, to proactively thwart their entry into the system in the first place, and to identify / stop mule accounts by blocking them in real time.

The intersection of cyber, fraud, AML and KYC…

In our view, the phenomenon of money mules is not solely a fraud issue or an AML issue. It transcends individual threat vectors, encompassing cyber, KYC,  fraud and  AML considerations:

Cyber:

• Weak cybersecurity controls create opportunities for cybercriminals to access sensitive personal information, leading to identity theft incidents.
• Crime as a Service (CaaS) lowers technical barriers of entry for would-be attackers and illicit nefarious services such as fake identity creation, bot generation, automated phishing and vishing, fake identity document creation, and so on.

KYC:

• Criminals and money mules exploit compromised credentials to open accounts across financial institutions, often using AI-altered documentation to get through traditional KYC identification & verification customer onboarding processes. These altered and compromised credentials are incredibly difficult to spot with the human eye, proven by the estimate that 95% of synthetic identities are not detected during the onboarding process. [2]

Fraud:

• Social engineering scams manipulate individuals into willingly divulging their personal data and convince victims to send money to criminal enterprises. With the advancements in AI, social engineering is becoming increasingly more common and effective. 98% of cybercrime was found to involve some sort of social engineering.[3]
• Once mules successfully onboard, they either act immediately to start transferring fraudulent funds OR lay dormant for days, months, or years before engaging in fraudulent activities.
• Typically, fraud tools look at outgoing transactions and digital interactions, so they do not necessarily detect dormant accounts. Legacy solutions also don’t use digital signals at onboarding and cannot necessarily see how criminals are propagating their attacks.
• Mass account takeover allows criminals to gain access to a network of money mule accounts, which can be challenging to detect until after an attack has occurred, as the account behavior appeared normal until a certain point.

AML:

• The mule receives and sends transactions of varying amounts from and to other mule accounts at different financial institutions to further obscure the money trail.
• Without machine learning algorithms, it is difficult to detect in real-time that these transactions are fraudulent proceeds derived from criminal acts.
• As shown in Figure 1 [4], the nature of these transactions can be low-dollar or low-frequency, meaning AML transaction monitoring (“TM”) rules may not trigger. Without additional parameters to signal potential concerns with these accounts, solely relying on transaction amount or frequency makes it difficult to discern whether these activities signify money mule involvement.
• If AML investigators knew this was mule activity, they could immediately block and report these transactions as suspicious and identify the surrounding mule network to stop the criminal network from hurting other victims.

… may bring these teams together

How do we solve this multifaceted problem? By bringing together intelligence from the different disciplines and threat vectors.

Cybersecurity and fraud teams have started to converge at some forward-thinking financial institutions (FIs) because these institutions have seen the benefits that can come from intelligence sharing across these threat vectors, resulting in the emergence of a united team known as cyberfusion.

The same convergence goes for AML and KYC. While money muling equates to money laundering, traditional AML strategies alone will not effectively deter these criminals. To effectively prevent money mules from infiltrating the FI, the focus should begin with the interception at the first interaction with the bank – at customer onboarding and protecting against account takeover. FIs should leverage advanced technologies for verifying customer-provided documentation and data and pinpointing counterfeit docs; confirming genuine human identity through biometric verification and liveness checks; and cross-referencing customer information with trusted data sources using automation. In addition to applying advanced technologies to confirm the prospective customer´s identity, banks, fintechs, and neobanks alike need to be asking the right questions when onboarding customers to spot unusual activity in the future – e.g. salary, source of funds, expected activity, physical address.

From Unwitting Participants to Enablers| How a bank account ends up in the hands of mule herders

In the shadowy world of financial crime, money mule refers to someone who, either knowingly or unknowingly, allows their bank account to be used to move illegal funds. Here’s how an account might find its way to a mule herder:

•  Knowingly Participating: Some individuals are aware they’re part of a criminal network, performing high-risk, low-reward tasks. This can involve opening multiple bank accounts, now more easily done online using real or fake information.
• Unwittingly Compromised: Others might be unknowingly roped in, such as students offered quick cash to lend their account for a weekend. By Monday, their account is back in their hands, no questions asked.
• Digital Dangers: The advent of digital banking has made it easier for criminals to use stolen data or synthetic identities to conduct their illicit activities leveraging ATO.
  This evolving landscape of money muling underscores a stark reality – the fight against financial crime is not solely about technology but understanding the human vulnerabilities that technology seeks to exploit. Understanding the risks and staying informed can help protect against becoming an unwitting participant in these schemes.

This evolving landscape of money muling underscores a stark reality – the fight against financial crime is not solely about technology but understanding the human vulnerabilities that technology seeks to exploit. Understanding the risks and staying informed can help protect against becoming an unwitting participant in these schemes.

Furthermore, understanding the customer’s digital identity through device profiling, geo-location and behavioral biometrics both at onboarding and throughout the customer’s relationship with the bank is critical. As noted by the UK Financial Conduct Authority, “We found some firms are onboarding customers where multiple customers are using the same device with no clear reason. This is a typical mule characteristic where the customer may have sold their account details to a ‘mule herder’, someone who recruits individuals to become money mules, often through social engineering, who now has control of their account.”[5] Additionally, confirming whether customer details are associated with compromised Personally Identifiable Information (PII) by leveraging known compromised data sets, using resources such as Have I Been Pwned and other signals from the Dark Web, can identify criminals using compromised data.

Once the mule starts transacting, AI is essential to pinpoint that the activity is indicative of mule behavior due to the hundreds of thousands of parameters that need to be assessed. The accuracy of the model is of high importance due to legacy approaches flooding fraud and AML teams with false positives. Additionally, money mules may appear normal until the moment of activity, where they may use different tactics than traditional fraudsters.

The Lynx Money Mule Models combine both incoming and outgoing transactions, meaning the model can flag if the account receiving and/or sending funds is a mule account. For example, the models can identify if there are irregular sources of funds received by the account, which could be derived from Authorized Push Payment Fraud (APPF), or other types of fraud, as well as flag the account as a mule account. The models are updated daily using our Daily Adaptive Model (DAM) procedure to ensure the highest accuracy and lowest false positive rates. This can ensure that the mule account is shut down in real-time and stop the flow of money out of the FI. If it is known that the activity is from money muling, this should be an immediate alert to the AML team. Recognizing money muling is a form of money laundering and reporting this in real-time not only ensures regulatory compliance for the financial institution, but also helps law enforcement identify and stop these criminals from perpetrating their crimes.

This is where the link between the fraud and AML teams becomes crucial. Time is of the essence in involving law enforcement early to catch the mule and wider network before the lead goes cold and to return the funds to the victim(s).

In our minds, the money mule model is not only a fraud prevention tool that should be used to block transactions conducted by mules in real-time, but also a real-time transaction monitoring capability for AML purposes. This does not require a wholesale integration of fraud and AML teams. Rather, by leveraging one technology to apply threat intelligence more effectively across teams, we can identify mules, block fraud and report suspicious activity in real-time.

Conclusion

In conclusion, to proactively combat the expansion of criminal networks facilitated by money mules, firms in financial services must first and foremost effectively use threat intelligence across cybersecurity, KYC, fraud prevention, and AML. Criminals do not operate in siloes and neither can FI’s.

That is easier said than done. As former practitioners, we understand that. That is why we build technologies that bring together intelligence across disciplines, without requiring that these teams be fully integrated. With that said,

Cyber, fraud, KYC, and AML are all inextricably linked, and it is crucial that these teams work hand in hand to share intelligence that can benefit each other and ultimately their customers. Not only teams within these institutions, but information sharing across FI’s as well.

We believe that the right technology can bridge teams, products, processes, and intelligence to enable a 360-degree view and defense against sophisticated attacks.  Collaboration and sharing of crucial intelligence are key to staying ahead of sophisticated threats and safeguarding customers in the rapidly evolving financial and technological landscape.

[1]  https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/money-mules

[2]  https://legal.thomsonreuters.com/blog/how-to-detect-synthetic-identity-fraud-before-it-becomes-a-problem/

[3]  https://digitalcommons.sacredheart.edu/cgi/viewcontent.cgi?article=1576&context=acadfest

[4]  https://www.mastercard.us/content/dam/public/mastercardcom/na/us/en/governments/others/vocalink-anti-money-laundering-case-study.pdf

[5]  https://www.fca.org.uk/publications/multi-firm-reviews/proceeds-fraud-detecting-preventing-money-mules