November 10 • 2022

Money Mules – Why we must double down on mule prevention

Cybercrime is low risk, low investment, and high return. Not surprisingly, illegal financial gain is one of the biggest reasons for cyber-attacks. The result is a predicted USD 10 Trillion of damages by 2025. Our vision is to change that.

Written by Rob Tharle, CYBERA’s Head of Product

The focus on money mules is increasing globally, as cases of payments fraud and scams continues to grow fast. Its not just the UK¹ and US², but across Europe³, Middle East⁴ and APAC⁵.

What is a money mule?

Money Mules are not a homogeneous group, there are number of different types of money mule. Traditionally, these will have been accounts opened purposely to receive fraudulent funds or otherwise move proceeds of crime around the financial system.

These accounts will often have been managed by a mule herder, someone who organises the mules. As well as controlling the mules and the operation of accounts, this may also have included walking down a high street to get accounts opened for their mules. This was typical when the UK had an influx of immigration, with the participants often forced into this activity.

Another group is where genuine account holders sell their accounts before returning to their home countries. These are then available for by Organised Crime Groups (OCGs).

Another popular way to recruit mules is via job scams. Seemingly genuine jobs advertised on the web as, say, Money Transfer Agents, will draw in people, either wittingly or to become money mules.

More recently, with the ever-increasing need for more mule accounts, we also see mules who get enticed by acquaintances into letting their accounts be used and even some who are victims of account takeover.

Why are mules so important?

Without mule accounts, there is simply nowhere for fraudulent payments, whether unauthorised or authorised frauds, to go.

The UK fraud numbers¹ from UK finance for 2021 show that there were 195k Authorised Push Payment (APP) fraud cases and 88k remote banking cases, all of which required at least 1 mule account. Therefore, allowing for duplicates and acknowledging that there are multiple accounts used (multi-generational) before cash out, we are looking at circa close to 400k mules accounts in the UK each year.

As such, the UK is increasingly experiencing all sorts of mules, including those who have had their account taken over or tricked into it. Due to the size of these losses and the part mules play, there is increasing regulation and greater emphasis on mules as I will cover in a separate blog later in the month.

The new regulations under consultation by the UK’s Payments Services Regulator (PSR) will bring greater requirements on mules and thus we are likely to see the following:

Where does COP fit in?

Confirmation of Payee (COP) has had the effect of changing the fraudsters approach. In some cases that is changing the type of APP scam undertaken, for example away from impersonation to investment scams. It has also shifted first generation mule accounts to PSPs outside who have not implemented COP. It is also likely driving additional social engineering and account takeover (ACTO) to obtain access to genuine customers accounts in order to move funds without an understanding what they are doing.

The new proposed European regulation mandating instant payments is also mandating the use of COP, so this is not just a UK area to watch out for.

What can be done to reduce the impact of money mules?

There is no one size fits all solution here. What is required is a multi-layered approach across the customer life cycle.

At onboarding this means matching to known bad profiles and lists of post codes, email address, phones IP addresses and devices or high velocity of applications from any of these.

It won’t be possible to decline all mules at account opening and, therefore, some form of early account monitoring will be required. This should include all the systems, fraud or AML, having access to the KYC and CDD data to look for anomalies such as account turnover rising much faster than outlined by CDD. This should be coupled with restrictions which may or may not be obvious to the customer, that will help limit losses.

Early account monitoring/Ongoing Due Diligence should include whether the account is operating as you would expect based on elements such as application data, peer comparison, velocity of inbound payments, use of direct debits for utility and network analysis.

In terms of ongoing transaction monitoring, this should cover both outbound and inbound payments in real time. For outbound, this should include adding a beneficiary including where a proxy such as email is used (e.g. Zelle), adding a Zelle or equivalent to an account, as well as make a payment.

For inbound payments, trying to flag large or unusual payments in, a high velocity of inbound payments or request to pay requests.

Whilst this requires the right enterprise fraud management systems to accomplish, being able to match to a watchlist of known bad actors, is a key layer in the strategy. This applies right across the customer lifecycle. This is an even more important point now, as many mules will not look like a mule until the payment is reported.

Spotting mules is likely to get harder over the next 12 months, with looming recessions and high inflation meaning many people will be desperate for money and may turn a blind eye to getting involved in being a mule, or just be duped into being a ‘money transfers agent’ as part of a job scam.

Regulations, especially the UK, will make it increasingly expensive for firms who don’t invest to stop mules throughout the customer lifecycle, so rather than fines for not complying with AML legislation, they will have liability for fraud passed through their accounts.

The desire to capture these at the account opening stage to save themselves the costs and liability of having these accounts will increase. Therefore, we may expect an increase in the friction at account opening, even for the neo-banks and PSPs.

Whilst I have covered this from a UK perspective the same sort of issues are being played out globally, within increasing digitisation and instant payments, so expect to see similar impacts in Europe the US, Middle East and APAC.


At CYBERA we’re on a mission to stop money laundering and help protect customers from scams and other financial cybercrime. We close gaps that allow cyber criminals to thrive by sharing crime data in real-time with financial institutions, fintech, and crypto exchanges, and coordinating a global response to support customers who have become victims of financial cybercrime.

CYBERCRIME WATCHLISTTM helps support firms to reduce fraud and money laundering and meet the requirements of the CRM as part of a holistic fraud and financial crime strategy.

CYBERCRIME WATCHLISTTM Integration Points throughout the lifecycle:

  • Call within the payments processes to enrich the Fraud &/or AML Decision Engines
  • Payment APIs IBAN, Name, Username, email, Phone
  • Call at onboarding to enrich the Fraud &/or AML Decision Engines
  • KYC API — Name, Username, Email, Phone, IBAN
  • Case Manager calls to enrich investigation, when alerted for ODD or Mules
  • Manual Investigation

Financial Institutions (FIs) can check against the WATCHLIST for confirmed mule accounts when processing payments. For outbound & inbound payments, where there is a match on either IBAN (Account Number & Sort code) or on Name the transaction can be flagged as high risk.

At account opening and ongoing CDD, email, phone and name can be used to match to CYBERCRIME WATCHLISTTM to reduce opening new mule accounts.

CYBERCRIME COMPLAINTTM further supports by providing users with alerts of any of their accounts reported as mules directly in their dashboard.

Unlike other data sources, CYBERA is a global solution, so is well placed to support the increasing levels of cross-border real-time payments.