The Signal: FinServ | Incognia

Your signals might have a quality problem

Written by André Ferraz | May 21, 2026 6:09:36 PM

In the last edition, I broke down what 500+ fraud and risk professionals told us about mule account handovers. The big takeaway is that detection is mostly reactive, and most institutions are catching them too late.

Mule account handovers are just one example of a broader problem in fraud detection: institutions often have the right kind of signals, but the underlying data isn’t reliable enough to act on confidently.

The signals to catch mule account handovers earlier already exist. The problem is that many institutions are working with weak versions of them, creating false positives instead of clear decisions.

Having the right signal category isn’t enough. The data has to be precise enough to trust.

Why detection is failing

51% of respondents said that mule account handovers are one of the most difficult fraud types to detect, and 83% are detecting them reactively. That tracks with what I'm seeing across the industry.

But the finding that stood out most was this:

Despite being the most powerful signals for detecting mule account handovers, respondents ranked device and location intelligence as the leading sources of false positives.

That tells me a lot of institutions are working with weak versions of these signals. The signal categories are right. The underlying data just isn’t precise enough for the job.

A checklist approach won’t work

One of the biggest mistakes I see is teams evaluating signal presence instead of signal quality.

It’s the checklist approach: "I need these signals. Do I have them? Check, check, check. Yes. I'm good."

But confirming you’re collecting the right data isn’t enough. You have to understand how accurate it is, how precise it is, and how easy it is to spoof.

Go a few levels deeper. Don't just ask whether you're collecting the data. Ask how good it is.

A lot of teams think about this in binary terms. You either have a device signal or you don’t. You either have a location signal or you don’t.

But the real question is: do you have the worst version of that signal or the best version? And how do you know?

What are the metrics behind it? How much have you tested it? Did you have a third party validate it?

The data behind your signals

Device intelligence

Device identity is one of the strongest signals for detecting mule account handovers.

When an account changes hands, the device usually changes too. That shift is detectable. The problem is how most institutions are using device signals today.

A new device ID doesn't necessarily mean fraud; it often just means a new phone. Device changes are normal: for example, over 100 million new devices are set up in the US every year.

And web device fingerprints are fragile by design. Browser environments make device IDs unstable even when the device itself hasn’t changed.

To give you a sense of how unreliable device IDs can be across the industry:

I recently saw a vendor claiming they have 5 billion devices profiled across 657 million accounts. Do the math and that's roughly 7.5 devices per account.

Most people have two, maybe three. It's very difficult to find someone with four laptops and three phones unless they're doing something suspicious.

If a vendor is generating that many device IDs per account, it means the IDs aren't stable enough to tell when a device has actually changed versus when the same device just looks new.

We've seen how fragile device IDs can be first-hand too:

A bank with 23 million monthly active users came to us thinking their device ID was failing.

When we ran a test, we found a case where a single user's device ID had changed over 30 times in one week… but it was still the same device.

Every time the ID changed, the user had to re-verify their identity. That's a lot of friction for a legitimate customer who never switched devices.

Location intelligence

Precise location signals are one of the most effective ways to detect when account usage shifts to a new person.

When an account suddenly starts showing very different location behavior, that’s a strong indicator that someone new is accessing it. But most institutions are relying on location data that isn't precise enough. Some aren't using it at all.

Most institutions rely on OS-level geolocation: GPS or IP addresses passed through by the operating system. But this data isn't precise enough for fraud detection and is highly spoofable.

GPS can't determine where you are within a building.

I use this example a lot: Imagine a high-rise with 100 apartments. In one of them, there's a fraudster. If you rely on GPS alone and you want to block that fraudster, you have to block the entire building. The false positive rates would be extremely high.

Not to mention that GPS spoofing tools are widely available. It’s a very easy signal to manipulate.

IP addresses are even less useful.

An IP address is only precise enough to determine what state the user is in. And with new privacy protections from operating systems and browsers, it's become extremely easy to change your IP address and location.

VPNs are a big part of this. Usage is common and not necessarily tied to fraud. So you can't just flag every VPN user as suspicious without creating more false positives.

IP-level and GPS-level location data was never designed for fraud detection at this precision. The signal category is right. The data source is wrong.

Once you have the right data, this becomes straightforward

If you have the right data, detecting mule account handovers is actually straightforward. Here's how we think about it.

Once a new login happens, there's a series of signals we look at:

Step 1: Has the device ID changed? This is the first flag, but you can't draw conclusions from this alone. The device ID might have changed because the user bought a new phone, a new laptop, or is using a new browser version.

Step 2: Is the new device associated with other accounts? If so, how many? This is a much stronger indicator. Whoever is managing mule accounts usually manages more than one. If they're managing all of those accounts from the same device, it becomes very clear very quickly.

That said, a sophisticated fraudster might use multiple devices and manage one account per device to evade detection.

Step 3: Does the location behavior match across both devices? Not a single snapshot, but the history. If location behavior is similar across both devices, the likelihood that this is not a mule account is very high. It's probably just the same user switching devices, which is completely normal.

But if there's a mismatch in location behavior between the devices, that's a very strong signal. Unless the user traveled, forgot their phone at home, and bought a new one at a different location (which is extremely unlikely), a mismatch in location behavior points strongly toward fraud.

Step 4: On the new device, have we seen other accounts associated with that location? If so, it may be that a fraudster is using multiple devices, and all of those devices have one thing in common: that precise location. At that point, it becomes a very strong indicator of mule account handover.

This isn't a complicated process. Once the underlying data is reliable enough to trust, the patterns become more obvious. If you have the right data, you can get there quite easily.
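The four steps above as a minimal rule-based check, added here as an illustration; it is not Incognia's implementation. The `place` identifier, the set-overlap threshold, and the verdict and signal names are assumptions, and the logins are constructed sample data.

```python
from collections import defaultdict

# Constructed logins: (account, device_id, place). "place" is an assumed opaque ID
# for a precise location (one apartment, not a whole building).
LOGINS = [
    ("alice", "dev-A1", "home-1"), ("alice", "dev-A1", "office-1"),
    ("alice", "dev-A2", "home-1"), ("alice", "dev-A2", "office-1"),  # new phone
    ("bob", "dev-B1", "home-2"), ("bob", "dev-M1", "flat-9"),
    ("dave", "dev-M1", "flat-9"), ("erin", "dev-M1", "flat-9"),
    ("carol", "dev-C1", "home-3"), ("carol", "dev-M3", "flat-9"),    # one account per device
    ("gina", "dev-G1", "home-4"), ("gina", "dev-G2", "hotel-7"),     # traveller
]

def build_index(logins):
    """Map device -> accounts, device -> places, place -> accounts."""
    dev_accts, dev_places, place_accts = defaultdict(set), defaultdict(set), defaultdict(set)
    for account, device, place in logins:
        dev_accts[device].add(account)
        dev_places[device].add(place)
        place_accts[place].add(account)
    return dev_accts, dev_places, place_accts

def assess_login(account, device, known_devices, logins, min_overlap=0.5):
    """Apply the four steps to one login; returns (verdict, signals)."""
    dev_accts, dev_places, place_accts = build_index(logins)
    # Step 1: a changed device ID only triggers the remaining checks.
    if device in known_devices:
        return "known_device", []
    signals = []
    # Step 2: is the new device tied to other accounts?
    if dev_accts[device] - {account}:
        signals.append("shared_device")
    # Step 3: compare location history of old and new devices (Jaccard overlap,
    # a simplification of "location behavior").
    old = set().union(*(dev_places[d] for d in known_devices))
    new = dev_places[device]
    union = old | new
    overlap = len(old & new) / len(union) if union else 0.0
    if overlap < min_overlap:
        signals.append("location_mismatch")
    # Step 4: other accounts seen at the new device's places. Assumption: only
    # places the account's earlier devices never visited are considered.
    if set().union(*(place_accts[p] for p in new - old)) - {account}:
        signals.append("shared_place")
    if "location_mismatch" in signals and len(signals) > 1:
        return "likely_handover", signals
    return ("review" if signals else "likely_same_user"), signals
```

The `carol` case is the one-account-per-device evasion described under Step 2: the device is clean, and only the shared place in Step 4 ties it to the other accounts.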

We've put this framework to the test. Here's an example:

In one case, a bank had identified 11 mule accounts on their platform. When we ran a Proof of Value with them, we uncovered more than 2,900 connected accounts.

We were able to clearly see that 28 devices, all operating from the same physical location, were linked to those 2,900+ accounts.

That concentration only became visible when you combined persistent device intelligence with precise location signals.

Without both, the bank was missing 99.7% of them.

Stronger signals, better outcomes

Device and location intelligence are the right signals for detecting mule account handovers. The data behind them is what determines whether they actually work.

And this goes beyond mule account handovers. If the data behind your signals isn't precise enough, it affects fraud detection across the board.

If you want to understand how stable and precise your current signals are, we can run a Proof of Value and benchmark what your data is actually detecting and what it's missing.