
Financial Crime

Money mule typologies are growing


August 27, 2025

Money mule typologies — the ways and means in which criminals use proxies to move the proceeds of crime — are growing.

Scammers, fraudsters, drug traffickers and cybercriminals are employing a wider array of products and services for muling, such as debit cards, corporate accounts and cryptocurrencies. The use of their own victims as mules, whether through romance scams or sexploitation, is another insidious trend.

According to Kathryn Westmore, a senior research fellow at the Royal United Services Institute’s (RUSI) Centre for Finance and Security (CFS) in London: “It is so easy to come up with ways to money mule and cash out. It is a massive problem and we’re seeing more money mule typologies.”

Yet the response so far has been basic, and “it doesn’t [yet] feel like there’s a sophisticated way to tackle money mules”, she added. Money muling is becoming a more nuanced and complex issue. One of the biggest problems that needs to be addressed is mass recruitment.

A new report by Westmore reveals that in the UK, money mule activity has begun to shift to debit cards from faster payments. That pivot may have been driven by payment firms having improved their fraud controls following new UK rules requiring them to compensate victims of authorised push payment (APP) fraud.

“We’ve cut down on some of the easier-to-address money mule behaviour, but the risks have moved to other areas,” Westmore said.

Old targets, new products

The most basic money mules are individuals who allow criminals to launder proceeds of crime through their bank accounts. In the UK, for example, university students have long been targeted and recruited, especially on social media, for this purpose.

According to Iain Armstrong, regulatory affairs practice lead at ComplyAdvantage in London, however, these kinds of transactions are easily detectable with a decent transaction monitoring system.

“If a student account that normally has an average of £180 pounds suddenly has £10,000 and this student is trying to immediately forward on that money, that sticks out like a sore thumb if you’ve got tools that can monitor for that behaviour,” he said.

Within this area, typologies have also changed, with criminals now using money mules in different ways and exploiting different products. For example, some mules are recruited to use phished credit and debit card credentials.

The European Banking Authority (EBA) noted in its recent opinion and report on anti-money laundering/countering the financing of terrorism (AML/CFT) risks that money mules have shifted away from traditional banks towards other money transfer products and services that tend to have weaker systems and controls.  

Corporate accounts

Regulatory and law enforcement agencies in both the UK and Thailand have raised the alarm on corporate or business accounts being used as mule accounts. In the UK, fintechs and other financial services firms are particularly vulnerable to this kind of abuse, because many of them no longer ask questions about the “nature and purpose” of business accounts at the onboarding stage, said Armstrong.

“A lot of the neo banks decided to drop those questions from the onboarding process, but to me it’s such a valuable data point,” he added. “If you are acquiring that information [and] asking those questions at onboarding, you can then use that in your transaction monitoring.”

In the UK, fraud prevention non-profit Cifas says business accounts are increasingly being targeted by money mules. These accounts feature in about 20% of fraud cases reported to Cifas, according to the National Risk Assessment of Money Laundering and Terrorist Financing published in July.

Business accounts can send larger amounts of funds undetected, particularly in cash-intensive businesses, according to the national risk assessment. For example, it said, the National Crime Agency’s (NCA) Operation Destabilise uncovered criminals’ use of ISM Scaffolding Limited’s business accounts to launder £4.31 million in just 10 months.

Meanwhile, earlier this year, Thai authorities issued a joint statement elaborating on their work to address money mules and money laundering. They found measures taken to close individual mule accounts had been effective but noted there had been a shift to corporate mule accounts.

Authorised individuals at companies could transfer large sums without having to submit to facial scanning, unlike large payments made by individual accounts. Authorities have since sought to increase the identification requirements on corporate accounts managed by authorised individuals.

Exploiting the exploited

The UK’s July money laundering and terrorist financing national risk assessment highlighted how sextortion gangs, fraudsters, human traffickers and modern-day slavers will also use their victims as money mules.

“This doubling up on scam activity, where you’re targeting someone as a romance fraud victim or you’re engaged in human trafficking or doing some kind of sextortion exercise and [also] using them as a money mule — that feels new,” said Armstrong at ComplyAdvantage.

“You compromise someone, so that is a crime. [The money mule element] is another layer to this problem, which is to do with the way organised crime groups are industrialising the process.”

For example, Europol has reported an increase in bank impersonation crime, where criminals pose as bank officials and convince elderly customers to open accounts they can use for muling. It said criminals will often visit elderly people in their homes to collect their identity papers to open the accounts.

Cross border

Money mule operations are increasingly cross-border in nature, because transferring funds internationally makes them even harder to trace and recover, Armstrong added.

The US, Singapore, Australia, Moldova, Ukraine and the UK have all participated in European Money Mule Action weeks, which result in thousands of arrests every year. The programme also uncovered yet another money mule typology, whereby criminal gangs have exploited refugees from the war in Ukraine, forcing them to open bank accounts.

A police operation conducted earlier this year by EU and UK policing agencies demonstrated how mule operations move across borders. In April, Romanian and British authorities, assisted by the European Union Agency for Criminal Justice Cooperation (Eurojust), dismantled a network running a 3-million-euro payment fraud scam. The criminals running the scams had recruited hundreds of mules to go to the UK and open bank accounts to launder the proceeds of the scams, Eurojust said.

Response

Agencies in Australia, the European Union, India, Luxembourg, Singapore, Thailand, the United Arab Emirates (UAE), the UK and the United States have all issued statements about money mules within the past 12 months, according to Corlytics’ horizon scanning data.

This month, for example, the Australian Taxation Office (ATO) expanded its Australian Financial Crimes Exchange (AFCX) data-matching programme to clamp down on tax fraud and its associated money mule activity. Typically, a bank account, often a dormant one, is hacked and the fraudster then claims a tax refund to be paid into the hacked account. The funds are transferred on or, in some cases, if the fraud is detected, the account is frozen. These accounts can remain frozen for months.

It is an enormous problem in Australia, said Luke Raven, a financial crime expert in Melbourne. “For a public service, they are doing a good job and moving in the right direction,” he said. “I’m still quite concerned about the situation.”

The new programme aims to match AFCX data against ATO and other records to identify bank accounts being used fraudulently. The ATO expects to receive more than 500,000 records of suspected money mule accounts and malicious IP addresses through this programme annually, it said in a statement.

Australian banks have improved their money mule response recently; however, banks need to do more to verify customers, Raven noted. “We have world class identity verification to say you are a person that exists. What the banks historically have not done as good a job with is checking the applicant is the person [whose ID has been checked],” he added.