How to Overcome the Threat of Mule Fraud?
COVID-19 caused criminals to shift how they operated. Banks must adapt to change to prevent criminals from using mule fraud to take advantage of the vulnerable.
Criminal scams during COVID-19 are focused on exploiting our anxieties and changes to our working circumstances. The FBI, Interpol, and other criminal investigation organizations are publishing daily warnings due to the intensity of current trends in criminal activity.
Once criminals have managed to scam money out of someone’s account, they will often use a network of other bank accounts to exfiltrate their illicit proceeds and hide their tracks. These are known as mule accounts, and they are in increasing demand from criminal organizations.
This article looks at mule accounts—a crucial component of the scams evolving during COVID-19—and ways financial institutions can identify and disable these accounts to protect customers from fraud by immobilizing criminals.
How COVID-19 has changed the business model for fraud
As the steady supply of compromised account details through the dark web has been disrupted, new fraud types are evolving at a rapid rate. Many scams relating to COVID-19 are familiar methods being deployed in the context of the current challenges we face as a society. For example, taking advantage of remote working circumstances to commit mandate fraud, where an employee responsible for making payments to genuine suppliers is tricked into paying a bank account controlled by a criminal gang.
Often scammers will look for ways to deploy malicious software to compromise bank accounts or obtain personal information, which helps them commit identity theft. In many of the recent scams, fraudsters will spoof the text message or email chain from genuine correspondence with the providers and the authorities, making it far more likely for the recipient to click on malicious links or to action fake requests.
Other COVID-19-related scams include:
Preying on the need to stay connected during the period of isolation. For example, people are receiving text messages and emails indicating a WIFI or phone bill payment has not gone through and that they will be cut-off if they do not pay.
Preying on financial distress caused by the economic impact and offering false financial relief, such as government aid, tax breaks, or holiday cancellation refunds.
Preying on the fear of non-compliance with government instructions. For example, issuing fake fines to individuals for traveling outside of their homes during lockdown periods.
Preying on the need for medical equipment, personal hygiene, or other consumables, such as face masks and soaps.
And as governments pour relief and stimulus into their economies, these funds are also a prime target for criminals. Intercepting payments before they reach small business owners and individuals offers limited risk and high reward.
To support this shift in fraudulent activity toward new and remote methods, we are also observing a corresponding increase in the dependency on mule accounts which are used after the crime has been perpetrated to move the cash away from the scene of the crime.
3 ways criminals are using COVID-19 to build mule networks
1. Targeting those in financial distress to become money mules
It is common for criminal organizations to target vulnerable groups, including the elderly, students, and schoolchildren — even at a very young pre-teen age. As a result of COVID-19, an obvious group to target is those in financial distress.
There is a significant proportion of the global population working in the most severely impacted industries who are now unable to go to work. Many of these people will be in financial distress due to being furloughed or made redundant due to the economic impact. This means individuals have more time on their hands and may be looking for new sources of income, making them vulnerable and more susceptible to get-rich-quick schemes advertised on social media.
This form of recruitment is a common way that criminals scam ordinary people into facilitating their illicit activity. They promise a strong financial incentive for doing very little; all you need is a bank account and to be happy to look the other way.
2. Exploiting social isolation to commit identity theft and open accounts they control directly
As well as recruiting people as human puppets in their orchestrated schemes, criminals are capitalizing on the changes in working practices to open new accounts which they then control. As customers cannot currently go into a branch to open a new bank account or facility, they have to use online channels. Approving facilities remotely without in-person validation significantly increases the risk of criminal-controlled accounts, created using stolen personal information and forged documentation.
As Confirmation-of-Payee is introduced in the UK to tackle Authorized-Push-Payment fraud, we are also observing new schemes where criminals use highly targeted identity theft to set up accounts in the name of the genuine payee but under criminal control. This will mean they can still defraud the originating account of funds and avoid detection. This trend is emerging even before the industry counter-fraud measure is live. In a recent Dear CEO letter, the FCA advises on what measures financial institutions should take during COVID-19 for identification and verification purposes to mitigate this type of risk.
3. Using victims from other crimes as mule account owners
Another way in which these accounts are being obtained is by repurposing people that were previously being exploited as part of ongoing criminal activity. COVID-19 means that modern slavery and sex trafficking operations have stalled. Criminals are looking for other ways to continue making money. In some cases, victims are being redeployed into counterfeit goods manufacturing or are being redirected into other modern slavery roles where there is a current demand, such as agricultural or logistics businesses.
In other cases criminals are turning to mule fraud, opening bank accounts in the names of the victims who have then been turned out onto the street while the criminals continue to operate their accounts as mule facilities.
Financial institutions simultaneously face unprecedented operational challenges
As well as rapid changes to criminal behavior, COVID-19 has put pressure on the bank’s call centers with high levels of absenteeism through illness or difficulties adhering to social distancing guidelines. Financial institutions also have customers, particularly within elderly communities, who are unfamiliar with the concept of online banking and require additional direct support. Financial institutions are keen to maintain customer satisfaction, keeping process friction at a minimum but adapting to the new working realities presents a real challenge.
During this crisis period, financial institutions are also highly conscious of the reputational risks associated with their decisions around the account opening process and the potential impact of counter-fraud measures on customers, such as delaying or stopping transactions. While focusing on delivering the usual high standard of service to their customers, financial institutions may find it hard to simultaneously adapt defenses against the rising tide of mule fraud.
How can financial institutions effectively detect mule fraud?
Detecting mule accounts requires you to identify the connections and transactions between customers which strongly indicate they are being used to disguise fraudulent activity and subsequent payment flows.
It is the network of these accounts and the interconnected features of each customer which allows us to identify those who are likely being used as money mules with a great degree of confidence.
For example, it is possible to isolate a network of accounts that are connected via:
account information, such as common names or home addresses;
online access patterns, such as common devices used for online banking; or
transactions between the accounts.
We can then analyze account features on these networks to indicate whether they fit a common profile of mule accounts. These features include:
Signs of financial distress such as frequent overdraft delinquency
Perpetual low balances with occasional spikes
Finally, we can look at the payment flows across the network to identify patterns that fit known mule fraud network activity, including:
Starburst payment flows expand from one account to multiple accounts, and then again from those accounts into multiple others.
Inverted pyramid flows where there are multiple originating accounts paying a single or few beneficiaries.
Rapid transaction cycling in multiple directions between the accounts.
Any of these indicators viewed in isolation can generate large numbers of misleading signals. But by looking at these accounts as a network and calibrating the analysis, it is possible to deploy an effective fraud detection capability. By analyzing the network and not just the transaction, you gain a greater understanding of context, including the full flow of funds. This is proven to be a far more effective approach to proactively identifying organized crime.
Why you must expand analysis and look at inbound payments
It’s not enough to simply look for signals that are indicative of illicit activity. Any balanced assessment also needs to consider information that suggests a customer account is genuine. For example, an absence of routine transactions on an account, such as monthly rent or bill payments, can be a hallmark of a mule account. However, this could also simply signify that the bills are paid by another member of the household with an account registered to the same address.
By performing analysis at a network-level, it is possible to discount atypical but explainable transactions and account behaviors. This reduces false positives and empowers analysts to focus on genuinely high-risk cases.
There is also a lot of value in actively monitoring inbound payments received into customer accounts. It is common for counter-fraud functions to focus on analyzing outbound payments, as this is where a lot of fraud losses occur through scams such as Card-Not-Present or Authorised Push Payment fraud.
An increasing number of banks are opting to incorporate inbound payment monitoring within their strategy to tackle money mules. Identifying signals on inbound payments provide financial institutions more time to investigate and seize illicit funds before they leave the bank where appropriate.
How to overcome challenges with advanced network analytics
Criminals will frequently use accounts across multiple financial institutions, which can make it difficult to trace the funds in and out of those customer accounts. However, using network analytics, we can look within a short period after the funds go to an external account for a linked inbound flow to a different customer account, making it possible to continue tracing the funds. Additionally, the intelligence gained about that external account and its involvement in the network can then be applied elsewhere to improve the overall analysis.
When new monitoring or counter-fraud measures are proposed, several sensible questions will arise about whether it will impact customer experience or drive more complaints. However, network analytics simply provides greater context to enhance fraud detection and prevention processes. This context makes it easier to zero in on criminals and reduce the likelihood of inadvertently interrupting the payment flows of legitimate customers.
Next steps on enhanced fraud detection
Mule fraud accounts have a destructive societal impact. They are already becoming an increasingly prominent issue for the banking and financial services industry. And this will only be amplified by the current rise in scams and the economic conditions which facilitate money mule recruitment. Banks are progressively augmenting their counter-fraud capabilities and should continue doing so with a focus on inbound payments, as well as outbound.
More flexible analytics aiding rapid root cause analysis is becoming increasingly important for fraud functions. Rule-based systems have limitations (even sophisticated ones), and this is especially true during COVID-19, where “normal” activity has quickly shifted, and the baseline is no longer relevant. Agile technologies will allow financial institutions to slice and dice data on demand to explore and mitigate new threats.
Visit here to learn more about how you can improve your fraud detection and prevention efforts.