For every victim of a scam, for every fraudster who breaks into an online banking account, for every time a criminal organization must move illicit funds through the legitimate banking system, there is a mule account — often a whole network of them.

Within banks, mules have historically played the role of proverbial football, passed between AML and fraud teams that struggle to identify, mitigate, and shut down these threats. Financial institutions have long lacked strong enough signals to reliably predict whether a user’s account is going to be used for this type of illicit money movement. While many once recognized this type of laundering as a problem for only the world’s biggest banks, here in the U.S., we’ve seen reported money mule activity in the mid-market increase by 130% in the last year.

Tapping in: How mules proliferate

It isn’t that mule accounts aren’t also a problem for the largest financial institutions in this country. They too have reported substantial increases in mule activity. It’s that we must overcome any preconceived notions about the kinds of institutions criminals select for their laundering efforts, whom they contract to open and run those accounts, and the crucial role mules play in the broader fraud ecosystem, if we hope to meaningfully reduce the exponential increase (in both scale and sophistication) we’re seeing in fraud, scams, and financial crime in the United States and around the world.

Fraudsters choose the path of least resistance. This applies to victims, tools, and institutions. In the case of the latter, bad actors go to the places where they believe they’ll encounter the fewest and least sophisticated controls. If they succeed, they share their successful tactics across social media, the dark web, and encrypted messaging services.

Apps like Telegram serve as a hub for this kind of fraud intelligence. Often, these groups highlight their ability to connect or tap in with other fraudsters who have access to mule accounts at a specific financial institution. For access to this laundering infrastructure, fraudsters share a cut of their illicit proceeds. The funds that move through these accounts represent the full spectrum of financial crime: scams, account takeover, human trafficking, drug trafficking, arms trafficking, terrorism financing, etc.

Social media also provides providers a ready pool of recruits to trick, coerce, scam, and willingly enlist into their criminal schemes.

The youth dynamic

We increasingly see fraudsters using social media platforms as mule-recruiting sites. The intent and personas of these recruits vary. Sometimes, the mule is naïve, believing they’re signing up for a legitimate job, and the fraudster preys on their ignorance. Other times, the recruit knows they’re breaking the law and enlists anyway. The FBI has outlined many of the methods through which criminals recruit their mules.

In a closer analysis of data from the more than 200 mid-market financial institutions with which we work, we see more than 40% of mule accounts in the mid-market are owned by those younger than 30. And that number may be conservative: Mules often use stolen or synthetic identities to open their accounts, suggesting even those accounts where the listed age is older than 30 may be owned by someone younger than 30.

For comparison, those younger than 30 comprise just 10% of account takeover victims.

Younger, more digitally fluent mules also give fraudsters more options in terms of how they launder their criminal proceeds. We see those younger than 30 make up more than 50% of all mules moving funds through remote check deposits at mid-market institutions and two-thirds of mules sending funds onto virtual wallets.

Operationalizing mule account detection

We know fraud isn’t happening in isolation. We know criminals establish mule networks with a variety of personas with a variety of different intentions. And we understand younger people seem especially vulnerable to mule recruitment.

We also know how to stop it.

The answer is behavior. It’s always behavior.

Mule accounts have a fingerprint too. That fingerprint may not be an obviously criminal device. We may not see the same behavioral indicators we see in cases of account takeover. But mule activity emits very strong signals, nonetheless. While diverse, these signals are consistent whether the mule is a new account opened for the sole purpose of laundering money, or a long-standing account that recently turned bad.

A large bank in Australia identified 2,000 mule accounts with a 1:1 genuine-to-fraud ratio in its first year of deploying BioCatch’s Mule Account Detection solution, which evaluates threats in real time, notifying financial institutions of mule risk before criminals can move any illicit funds. Models are calibrated to provide clarity to front-line team investigations by sending strong score-based signals the financial institution can utilize to quarantine problematic accounts.

Mid-market financial institutions (FIs) don’t have an endless supply of human (or economic) capital to investigate every account. Mule Account Detection allows these FIs to more effectively combat mule activity while working within the constraints of smaller fraud teams. Through existing integrations, BioCatch and partner financial institutions have identified and shut down thousands of high-risk accounts, protecting financial institution assets and the members they serve.