Using Location Data to Detect Mule Accounts
In the rapidly evolving digital payments industry, mule accounts pose a significant risk. These accounts, often set up using synthetic or stolen identities, serve as conduits for money laundering and fraud. They can enable authorized push payment fraud, account takeovers, and other malicious activities. As real-time payment systems such as Pix and FedNow gain popularity, tackling the threat of mule accounts is becoming an urgent priority.
Subscribe to the Incognia Newsletter
I recently presented a webinar with an analyst from Datos Insights, and our discussion touched on the critical issue of mule accounts in financial fraud. In this post, I’ll do a deeper dive into this topic and focus on how leveraging location data can help you detect these mule accounts and mitigate the risks associated with such financial attacks.
The rising threat of mule accounts
In the pre-Internet days, a mule was someone who physically carried drugs or money. In the digital age, however, a mule might be someone who attaches their name to a financial services account—or it might not be a real person at all. Mule accounts are used to send and receive illegally or fraudulently obtained funds so that criminals can use the proceeds of their crimes.
Banks and other financial institutions are required to follow know-your-customer (KYC) and anti-money laundering (AML) laws, meaning they require identity verification for new customers to ensure they aren’t laundering criminal proceeds or violating sanctions. Because of these laws, bank accounts have to be tied to a real-world identity, and naturally, fraudsters who are committing scams or otherwise breaking the law won’t be eager to attach their real names to the account where money from victims goes directly after the scam or theft.
That’s where mule accounts come in: they stand in the middle, so it’s harder for law enforcement and banking authorities to trace the illicit funds to the fraudster’s actual, real-world identity and bank account.
Mule accounts are often meant to be expendable. If one mule account gets caught and burned for being the recipient of fraudulent funds, fraudsters usually have more at their disposal, and their true identities remain safe from prosecution. With faster payment rails like Zelle gaining popularity in the US and elsewhere, mule accounts are increasingly being used to collect the proceeds of authorized push payment fraud and other scams against unsuspecting users.
Account takeovers are another type of fraud enabled by mule accounts. If you hijack someone’s account, you don’t want to send all of their money directly to your account with your real name attached. Mule accounts come in as a safe, anonymous middleman to siphon the funds from hijacked accounts without revealing the criminal recipient’s identity.
Mechanics of Mule Accounts
1. Creation and Transfer
Banks and other financial institutions in the US are required to abide by KYC and AML regulations that require them to verify customer identities, meaning that creating fake accounts for muling requires synthetic or stolen identity information. Because of this, mule accounts are often initially created by legitimate identity owners and subsequently sold or handed over to fraudsters. These accounts then become conduits for money laundering.
2. Authorized Push Payments
In this type of attack, fraudsters use social engineering tactics, such as impersonating bank officials, to convince victims to transfer funds to these mule accounts. With real-time payments, transfers are instant, meaning the victim has less chance or even no chance to recoup their funds after sending them to the fraudster’s mule account.
3. Account Takeovers
ATOs involve various tactics like SIM swap, phishing, and exploiting biometric systems through advanced methods like deepfakes. Once a fraudster has a customer’s credentials, they access the account, change passwords, and send all of the funds to a mule account beyond the rightful owner’s reach.
Strategies to thwart mule accounts
As real-time payment systems become more commonly used, developing new strategies to prevent mule accounts will become more crucial than ever.
1. Data-centric approach
Financial institutions should shift focus from tools to data analysis, with an emphasis on identifying high-quality fraud signals.
Key Sources of Fraud Signals:
-
Device Identification: Robust device IDs that can persist even through resets and can track individual devices across platforms.
-
Network Data: Effective VPN/proxy detection to counter overseas attacks. Threat actors from all over the world want a piece of the RTP pie, and they’ll use VPNs and proxies to try and get it.
-
Exact Location Data: Pinpointing suspicious locations to prevent large-scale fraud, with apartment-level precision in order to limit false positives.
-
Device Integrity: Detecting remote access tools, emulators, and signs of tampering. These all increase the risk that a device or account will be used for criminal or abusive purposes.
Focusing on the data associated with users, locations, and devices provides platforms with all of the context they need to make a well-informed risk assessment as to the validity of an account, transaction, or new signup. Using all of these signals in combination makes it especially difficult for bad actors to anonymize themselves.
2. Enhancing authentication and identity verification
With these foundational signals in place, traditional methods like OCR, biometrics, OTPs, and magic links gain increased reliability. If you already trust the device, the network it’s on, and the place where it’s located, your trust in any subsequent authentication signals automatically increases.
3. Detecting mule accounts through location behavior
One key to detecting mule accounts is aligning location behavior data with the physical address associated with a customer's identity. A discrepancy between the home address and a new device's location behavior can be a strong indicator of a mule account. After all, it’s very unlikely that a good user will open an account in their home in one state only to regularly use the account in a completely different state or even a different country. This sort of location behavior will raise the risk assessment of a mule account considerably.
As long as the location signals used are tamper-proof and precise enough to differentiate individual apartments, they can be used for anti-fraud purposes without risking increased false positives against good users.
4. Device ID is an additional helping hand
Device ID and device integrity, as mentioned above, are also helpful signals for identifying mule accounts. With a device integrity check, you can identify red flags on a device, such as rooting or jailbreaking, app tampering tools, app cloners, GPS spoofers, remote access tools, and emulators. These raise a device’s riskiness and can help FIs decide whether to block a device’s access preemptively.
Improving the quality and analysis of data related to device, location, and network is essential in order to effectively detect mule accounts. Real-time payments are only going to continue growing in popularity. With that growth will come even more bad actors who will take advantage of them and will need mule accounts to obtain their fraudulent funds. Leveraging high quality data like location and device intelligence is a critical method for thwarting mule accounts and defending the security of real-time payments.
