The Fifth episode of Digital Tells: A BioCatch Podcast dives into the phenomenon of online money mules. What is a mule? How does one become a mule? Why do or why should financial institutions care about mule activity? And what can be done to detect mules?
We open with commentary from Julie Conroy, Head of Risk Insights and Advisory at Aite-Novarica Group. Julie discusses the role of money mules inside criminal organizations and introduces some different mule back-stories. Digital Tells’ host Peter Beardmore digs deeper into 5 mule personas. BioCatch’s Raj Dasgupta explains the regulatory and reputational risks that mules represent to financial institutions. And John Paul Blaho, Senior Director of Product Marketing, shares a look at how behavioral biometrics can enhance mule account detection.
Are you a mule?
So, the title of this episode is admittedly a bit preposterous. If you’re listening to this podcast, it’s doubtful you're a money mule (or a drug mule, or an actual mule for that matter). But the point I’m attempting to make with this title is that there are different kinds of mules out there ~ ranging from the completely complicit (let’s just call them criminals) to the vulnerable / gullible victims of scam activities that we’ve discussed in previous episodes.
The FBI defines a money mule as <<someone who transfers or moves illegally acquired money on behalf of someone else. Criminals recruit money mules to help launder proceeds derived from online scams and frauds or crimes like human trafficking and drug trafficking.>>
Ok, that makes sense, right… I mean if you’re going to make money scamming people, stealing, selling drugs, human trafficking ~ that money’s got to get someplace where you can eventually retrieve it, right? ~ ideally below the radar of authorities ~ or even better ~ laundered sufficiently so the proceeds can be spent or invested without drawing the attention of law enforcement.
In episode 2 Tom O’Malley walked us through all the specialized functions in a cyber criminal syndicate that the U.S. government prosecuted a few years back. Remember there were malware developers, crypters, spammers, bulletproof hosters, account take over specialists - and then there were these cash-out specialists. These were the people who ran the money mules - they had these networks of accounts where money could be moved quite quickly - beyond the reach of the direct victims, their financial institutions, investigators, and authorities.
On this episode of Digital Tells - A BioCatch Podcast - we’re taking a look at the mules themselves. What is a mule? How does one become a mule? Why do or why should financial institutions care about mule activity? And what can be done to detect mules?
Julie Conroy is the head of risk insights and advisory for Aite-Novarica Group. She advises financial institutions, vendors, and merchants about risks relating to fraud and financial crime ~ strategies and tactics to mitigate those risks ~ and what that all means for customer experiences.
I spoke with Julie recently about how financial institutions are struggling with mule accounts, and I asked her specifically about the spectrum of mule personas that I mentioned earlier.
You have this organization of functions in financial crime, just as we do on the side of the good. And so you do have some people that are specifically leveraging stolen identities, synthetic identities to open up your accounts with the express purpose of exiting these funds. You also have folks that have been brought over on visas, and they're using their identities for a period of time to open up accounts. And then after those accounts have been used to serve their muling purpose for a while, they go back to their country and there's no consequences, really. Somewhere in the middle, you have people that respond to the make money in your sleep signs. They know ultimately that this isn't quite right, but they are still using their own identities in order to help facilitate the mewling. And then at the other end of things, you have people that truly have been duped by romance scams or other things into opening up these accounts, facilitating the sending of funds and truly don't know that what they're doing is facilitating financial crime.
At BioCatch, we’ve actually developed personas to help us bring some clarity to the spectrum of mules – from the more complicit to less complicit – we’ll share a link in the shownotes.
OK, so let’s briefly discuss these personas:
There’s The Deceiver – who opens an account specifically to perpetrate fraud – The deceiver is obviously the most complicit on the spectrum.
Then there’s The Peddler – who sells their genuine bank account to a criminal
There’s The Accomplice – a willing participant who’s chasing an “easy money” opportunity.
There’s The Chump – who executed a transaction believing the money is clean – this is your prototypical scam victim.
And then finally there’s The Victim – a victim of credential theft, unaware that there’s even been a break-in – The Victim obviously the less complicit persona.
As I started to research these personas, a couple things struck me.
First – with the exception of The Deceiver – the most complicit, and The Victim – the least complicit – the others – The Peddler, The Accomplice, The Chump, – they’re all kind of Sad, right? I mean, these aren’t societies winners… people basking in their own success? ‘living the dream’ so to speak? More likely – they’re desperate – They’ve fallen for easy money or get rich quick schemes – or romance schemes – and they’re either desperate enough to knowingly sell their own identity and accounts – or desperate enough to live with the ambiguity that they may have involved themselves in a criminal enterprise – or their just gullible – I mean, if you’re gullible enough to execute a transaction for a stranger on the internet - believing nothing is wrong – could that possibly be the only time someone has taken advantage or exploited you?
I’m reminded of that Clint Eastwood character in his movie The Mule that came out a few years ago. This very old man, clearly he’d made a slew of bad decisions in his life, and realizing in his final years that he was destitute – his home was foreclosed - and he’s alone / his family had lost faith in him and his x-wife (with plenty of justification) was rubbing his nose in his failures – but with just a glimmer of hope for redemption with his family and friends - he made a naïve decision to earn some money – and then around the time he realizes what he’s doing and who he’s involved with – the draw of all that money takes over – and the bad decisions just spiral.
[insert from movie trailer]
And then the second thing that struck me, when I thought about the actual online behavior of money mules. Well, there are elements of the account take over problem we discussed in episode 2 – there’s some of the Account Origination and identity theft issues we discussed in episode 3 – and the scams we explored in episode 4 are pretty thick here too. So as complex as the mules themselves are, so too will be connecting the dots through a continuum of online activity.
What are the digital Tells of mules?
Well, before we get to that, there’s another important question we need to ask.
You may recall meeting Raj Dasgupta in an earlier episode. He’s director of fraud strategy at BioCatch. I asked Raj – Do Banks even care about mule accounts? And if so, why?
The banks do care and they're required to care because of regulation. So if there is money laundering activity going on within their account base, they're responsible for it because by law, they're required to look into suspicious activity and report that activity and take action. If they're not there, then inadvertently playing a role in money laundering and money laundering can be used to fund a variety of fraudulent activity, criminal activity, including terrorism. So there is a very strong responsibility on the part of the banks to make sure that money laundering is not happening within their account base. It's against the law. And if they are not following the law, there can be heavy penalties and fines levied on them. And then, of course, there's a reputational issue. If you are known to not pay attention to mule activity going on and it's all bringing you a lot of negative press, you wouldn't want that. But that's on the softer side and the hard side. If you've not followed the law, there will be real dollar value impact in terms of fines and fees.
So there’s regulation and reputation. And those are good reasons – reasons that have been around for a while. But as Julie Conroy explains – there are market dynamics at play that have accelerated the urgency for financial institutions to focus on mules. Here’s Julie:
It was something that we at Aite group had been seeing building even prior to 2020, as you have faster payments spreading across countries across the globe. And so, as we've seen faster payments hitting large markets like the US and Canada, even in 2019, we were seeing a greater emphasis on desire to invest in mule detection technology in those countries. Then you bring 2020 and add a massive global pandemic and the hundreds of billions worth of stimulus that were pumped into ecosystems around the world and the fraudsters quickly responded. And what we saw was as you were stealing hundreds of billions of dollars from things like unemployment claims from small business loan programs, you need a very robust new network to exit those funds from the system. And so we have a couple of bodies of research that just showed market increases in mule activity during the pandemic and carrying into 2021. And with that, you know, that only further emphasized the importance from a financial institution perspective to start building. More robust controls to detect this activity, both because many believe that there is a moral obligation to be stopping this financial crime.
This stimulus fraud that Julie mentioned is a phenomenon that BioCatch has seen up close. It serves to reason that if you’re going to massively defraud the government of program money from the U.S. Payment Protection Program or enhanced unemployment benefits – you’ll need a place to send that money – a mule account. Back in June, as covid-related unemployment rates were slowly declining, the state of Virginia reported a 58% spike in unemployment applications in a single week! Not coincidently, BioCatch simultaneously saw a correlation in our data. There was a spike in high-risk applications for new deposit accounts originating from Virginia at the very same time. A spike in fraud – A spike in mule activity.
You won’t need to look too far to find news stories of stimulus fraud from the past year ~ and it’s like that some of that accounting (or reconning) is only just beginning ~ so aside from the regulatory and reputational reasons for caring about mule activity that Raj cited – there’s a wave of activity that has financial institutions searching for answers.
So what are they to do? What technologies are financial institutions relying on to detect and route out mule activity? Here’s Julie Conroy again.
You know, I've seen institutions just start with some simple rule deployment and looking for, you know, patterns of behavior that in the first 90 days and an account like we didn't see much activity, there were no direct deposits. And then all of a sudden on day 93, we see $10000 come in and ninety nine hundred dollars go out. Very just basic things like that. It's a good starting point. And then as you progress along that spectrum, there are great indicative behavioral solutions like BioCatch that can examine the behavior of the account and compare it to the way that normal people interact with the account. Also, seeing that, you know, typically it's not just a mule that is logging into their account. You also have a mule herder who is managing multiple mules, and they will also periodically be logging into the account to make sure that these mules are doing what they're supposed to be doing. So recognizing not only that second person periodically logging into the account, but then also bringing the intelligence that second person is logging into 20 other accounts at this institution, that type of behavioral analysis. Can be really powerful.
So there’s a lot there from Julie ~ but her key point here is yes, the rather binary rules financial institutions have traditionally used for monitoring account activity are a good place to start. But mules, while they may open and typically use their mule accounts on their own, those same accounts – are often controlled by complex and sophisticated organizations – either directly or indirectly. And those differences in behavior – may include some of the Digital Tells that behavioral biometrics can use to identify mule activity!
And well, that’s something BioCatch has been taking a hard look at – working with our customers and data scientists – and the good news is – there’s something there.
I recently spoke with JP Blaho, he’s senior director of product marketing at BioCatch, and I tried to get him to spill the beans on any upcoming BioCatch announcement. Here’s JP.
So, Peter, we've been talking about mule attacks and mule fraud for well over a year now. Due to the coronavirus we've seen a significant increase in this type of activity, and we've been working with some of our partner banks for this last year to identify where these are happening and how we can identify them using behavioral biometrics faster. And with these handful of financial institutions, we've refined the solution to a point that we are going to launch formally the general availability of of mule money or money mule detection solution in November. So we are already engaging with our customers around the solution, showing them how we can prevent this. But we'll do more of a formal announcement to new customers, net new opportunities and to the analyst community next month.
So, JP ~ let’s fast forward a bit. I want to zero in on what mule detection actually means for the bank and for the customer. What happens when those digital tells start to alert?
You know, in many of those instances, I think the bank identifies that account before the individual realizes that it's happening. And in many of those instances, the account gets frozen and until that consumer tries to perform a transaction, realizes that they don't have access to the account is when they have to coordinate and work with the bank to have that account reopened or have it moved into a new account. So there's a lot of pain associated with that too to the victim, you know, not just for the fact that they're part of a criminal transaction, but now they most likely have to move their account to a different within a new account number, et cetera. But also their money is frozen until they can prove that they're not part of the problem or they were not actively part of the problem. So that's a really good point.
Back to my point earlier about the topic of mules. This is a game of very few winners. But I think we have an obligation to apply the science of behavioral biometrics to help financial institutions identify mule accounts – to help them manage compliance and liability risk, to interrupt cybercriminal networks when possible - and help those who may have unwittingly found themselves in the middle of something really bad – to at least confront the truth.
Digital Tells is written and narrated by me Peter Beardmore, in partnership with my producer Doug Stevens of Creative Audio and Music, and with the unwavering support and sponsorship of my employer, BioCatch.
Special thanks to Julie Conroy, Raj Dasgupta, and JP Blaho.
I mentioned those Mule Personas that BioCatch has identified earlier in the episode – you can find a link in the shownotes to take a closer look.
For more information about this episode, behavioral biometrics, or to share a comment or idea, visit biocatch.com/podcast.
Join us for episode 6, in which we’ll take a look behind the scenes at biocatch – how the sausage gets made, so to speak, and some special insights on transforming fraud management to fuel digital business.
Until then, take care.