Desperate for work, Sallie, a single mother, was overjoyed to receive the email that she had been selected for the position doing remote support for an executive.
The hiring manager indicated that the first step was to get her office set up. To do so, they would be sending $5,000 to Sallie’s bank account. Once the money has arrived in her account, Sallie would go to a specific office supply website and order materials to support her new job. She would pay by ACH. This might delay delivery a bit, but this way she did not need to use her own credit card. She felt it was very generous — and was quite happy to avoid using her already stretched credit.
She placed the order with the supply company — computer, phone, printer, desk, ancillary office supplies. The total for the order added up to just over $4,000. She entered her routing and account number to allow the supply company to pull the funds from her bank account and was told the order would ship in two weeks. Concerned that her new employer would think she was trying to take advantage, she sent an email asking where to send the additional money. She was told to keep the money, as other expenses were sure to come up.
After a few weeks passed, no packages arrived from the office supply company. Concerned, Sallie contacted the hiring manager to let them know she hadn’t received anything. The hiring manager indicated they were having problems with that particular supplier. Sallie was directed to the web site for a different office supply company and told to place a new order there. They would be sending additional funds to her bank account to pay for the items. Sallie was not to worry about the first order, the hiring manager would take care of that.
Sadly, there was no real job for Sallie…
If you’re reading this post, you are likely a fraud professional and you recognize this as an “employment scam.” In this case, Sallie is not being scammed – in fact she was making money – she is the means for the scammers to exfiltrate money earned from other scams. While perhaps unsuspecting (at least at first), Sallie is a mule.
Mule accounts are used by fraudsters to launder ill-gotten gains. In the paper money world, this used to be done through cash businesses – bars, restaurants, casinos, laundromats, and convenience stores. In the digital world, fraudsters need to move money electronically through a series of accounts.
It oversimplifies the situation to use the phrase “mule account” and believe there is a single definition. BioCatch has created a valuable categorization of types of mule accounts that helps clarify the discussion. There are several types of mules – some who are more complicit in the scheme and others who are completely unaware, victims of an account takeover. Each type of mule account will exhibit different activities and behaviors. Understanding each will help fraud fighters identify them.
For all mule accounts, the actions of the account holder when doing “run of the mill” transactions over time sets a baseline of perceptible behavior. Having a baseline of normal behavior is a necessary tool in identifying mule activity. When acting as a mule, customers will behave differently regardless of the type of mule account. Subtle changes in behavior, when taken in aggregate, can be strong indicators of mule activity and give fraud fighters targets to evaluate.
Let’s discuss a few of the mule personas – The Chump, The Accomplice and The Deceiver.
In our story above, Sallie fit the profile of a Chump. Sallie had no intention of acting as a mule. A fraudster created a premise to get Sallie to act on their behalf. A baseline of Sallie’s account activity over time is likely to show a very regular pattern of transaction activity. And when interacting with the banking app, Sallie developed a pattern and a cadence – the things she did and the pace and way in which she did them. The office supply transactions would have clearly been new to her. She would have been more measured in the actions she took – taking care of money she thought was not hers.
There have been published court cases which highlight this type of activity at a transaction level. But do we want to wait for the activity to hit the courts to find it? Tracking the behavior of Chumps and comparing with their baseline behavior can give the financial institution an opportunity to intervene before the problem escalates.
In the case of the Accomplice, the customer is knowingly taking money in and sending it out because they get to keep a portion of the value. This is a customer who knows, or at least suspects, that there is something awry with what they are doing. But they rationalize their activity by telling themselves, “There’s no harm. I’m just helping someone move money.” This specific type of activity has drawn the attention of the U.S. Department of Justice.
Accomplices will also behave differently when acting on behalf of their “customers” than they would when interacting with the bank in the course of managing their normal financial life. Rationalization aside, they know what they are doing is wrong and will behave slightly differently. These transactions are different and unique – slowing down the cadence of interactions.
The Deceiver is a customer whose only intent is to act as a mule account. In some cases, the person doesn’t actually exist! Synthetic identity is a rampant problem in financial services – even identified by the Department of Justice as one of the fastest growing forms of identity theft. Since these accounts are created solely for the purpose of committing crimes, one might jump to the conclusion that it would be difficult to see behavior changes in activities of the account holder. While activity within the account may not show much behavioral variation, the behavior of these account holders will vary greatly from that of valid accounts. Deceiver accounts see a high incidence of automated activity. They are silent for long periods of time, then there are bursts of activity.
Mule accounts are a critically important part of the fraudster supply chain. Recent announcements of proposed reimbursement models for Faster Payments in the UK and for Zelle in the US recognize this by putting some or all of the responsibility for customer reimbursement on the financial institution that receives the funds. Those funds received are going into mule accounts.
Identifying mule accounts before a transaction happens and slowing down their activity has become a critical imperative – one that may soon lead to significant financial losses due to APP scam reimbursement policies. However, whether financial institutions are prepared for the shift is another question. In a recent study by Forrester, 60% of financial institutions surveyed say they struggle to identify financial crime early.
As an industry, we have to be better at getting ahead of the mule account problem, and part of the solution is breaking down the silos between fraud management and AML disciplines. It makes sense as these functions share many of the same objectives – including dismantling the money mule supply chain – yet they are often managed by different teams using an entirely different set of technologies.
The same Forrester study showed that 75% of financial institutions agree that integrating fraud management and AML capabilities is critical to their ability to respond to financial crime quickly, yet less than ten percent have made the move to full integration. Until that happens, there will continue to be mules among us.
Here are some additional resources related to the topic: