Natasha Vernier
Nov 13, 2020

Secret Crime Fighters, Episode 2

Our next Secret Crime Fighter has seen a change to the traditional money mule typology, driven in large part by the COVID-19 pandemic. Relevant for any type of account, consumer or corporate, read on to understand how to update your money mule controls to stop the new wave of crime hitting your books.

The Typology

The Old Way

Pre-pandemic, most money mules followed the same typology - people born somewhere between 1995 and 2002, potentially at university, lacking easy access to money, and social media aware (Facebook, Instagram, Snapchat). These traditional money mules would open bank accounts, or use their existing accounts, in order to receive payments and quickly send the majority of the money on to another bank account.

However, with the pandemic throwing so many into financial uncertainty, and schemes like the UK government’s Furlough providing people with free time, our Secret Crime Fighter has seen the money mule typology change.

The New Money Mule

The new money mule typology shows people of all ages being recruited on social media. These older money mules are opening bank accounts and quickly receiving inbound payments of anywhere between £5k and £15k. These inbound payments are sometimes split across multiple smaller payments, suggesting that they are the result of scams.

Instead of sending the money on to other bank accounts, the new typology sees the mules sending test payments to a cryptocurrency exchange to activate a cryptocurrency wallet. Soon after, the remaining money is distributed to these cryptocurrency wallets in smaller payments of anywhere from £200 up to a few thousand.

Organised Criminals

These mule accounts are being organised and controlled centrally. Our Secret Crime Fighter noticed a pattern of log-ins to the different mule accounts one after the other, most notably after one of the accounts had been blocked. This was presumably the criminal checking which accounts were still active. This suggests that the mules are opening the accounts, but almost immediately handing over control to the organised criminals, which is another change from the traditional mule typology.

Despite giving themselves away by log-in patterns, the criminals are using VPNs to hide their IP addresses.
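The log-in pattern described above can be turned into a detection. This is an added example, not code from the Secret Crime Fighter's institution. It assumes log-in events carry a device identifier (the `device_id` field, the window and the account threshold are all hypothetical), since the VPNs make source IP an unreliable key:

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: how soon after a block the sweep starts
MIN_ACCOUNTS = 3                # assumed: distinct accounts that count as a sweep

# Constructed sample events: (timestamp, device_id, account_id, event)
EVENTS = [
    ("2020-11-01T18:30:00", "dev-A", "acc-1", "login"),
    ("2020-11-01T19:00:00", "dev-B", "acc-9", "login"),
    ("2020-11-02T12:00:00", "", "acc-1", "block"),       # bank blocks acc-1
    ("2020-11-02T12:02:00", "dev-A", "acc-2", "login"),
    ("2020-11-02T12:03:00", "dev-A", "acc-3", "login"),
    ("2020-11-02T12:04:00", "dev-B", "acc-9", "login"),  # ordinary customer
    ("2020-11-02T12:05:00", "dev-A", "acc-4", "login"),
]

def find_login_sweeps(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return {device_id: [accounts]} for devices that log in to at least
    min_accounts distinct accounts within `window` of the block of an
    account that device had used before."""
    rows = sorted(((datetime.fromisoformat(ts), dev, acc, ev)
                   for ts, dev, acc, ev in events), key=lambda r: r[0])
    devices_of = defaultdict(set)     # account -> devices seen logging in
    open_windows = defaultdict(list)  # device -> [(deadline, accounts seen)]
    flagged = {}
    for ts, dev, acc, ev in rows:
        if ev == "block":
            # Watch every device that has ever touched the blocked account.
            for d in devices_of[acc]:
                open_windows[d].append((ts + window, set()))
        elif ev == "login":
            devices_of[acc].add(dev)
            for deadline, seen in open_windows[dev]:
                if ts <= deadline:
                    seen.add(acc)
                    if len(seen) >= min_accounts:
                        flagged[dev] = sorted(seen)
    return flagged

if __name__ == "__main__":
    print(find_login_sweeps(EVENTS))
```

Accounts returned for a flagged device are candidates for review as part of the same centrally controlled group.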

Stopping the Typology

The use of cryptocurrency exchanges brings up a conversation about the risk appetite of banks and bank-like products in allowing their customers to send money to cryptocurrency exchanges. However, a blanket rule can be hard to justify, especially for consumer products.

Risk appetite aside, our Secret Crime Fighter quickly responded with an impressive array of controls to limit the impact of these money mules.

They increased the weight of date of birth as a risk factor in their onboarding engine, increasing the chances of slightly older customers going through Enhanced Due Diligence (EDD).

They changed the EDD questions such that customers have to provide evidence of what the account will be used for.

They looked at device connections, blocking or pushing customers through EDD when any high-risk connections arose.

They introduced new transaction monitoring rules for the new mule pattern, focussing on the movements of money within certain time periods.

They introduced a new procedure for customers wanting to change device, pushing them through a liveness check to ensure that the customer is physically with the new device being used.

And they are testing Telesign to understand the risk of certain phone numbers, which would enable them to risk score customers in more detail.

These controls enabled our crime fighter to fundamentally reduce their exposure to this new mule typology.
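A transaction monitoring rule for the new mule pattern might look like the following. This is an added example, not the Secret Crime Fighter's actual rule. The amounts come from the typology above, while the time windows, the test-payment ceiling and the `crypto_exchange` counterparty label are assumptions:

```python
from datetime import datetime, timedelta

# Amounts come from the article; the time windows and TEST_MAX are assumptions.
NEW_ACCOUNT = timedelta(days=14)  # inbound funds land this soon after opening
FAN_OUT = timedelta(days=3)       # crypto payouts follow the last inbound this fast
INBOUND_MIN = 5_000               # article: inbound of £5k-£15k, possibly split
TEST_MAX = 50                     # assumed ceiling for a wallet "test payment"
PAYOUT_MIN = 200                  # article: payouts from £200 to a few thousand
MIN_PAYOUTS = 2

def matches_new_mule_pattern(opened, txns):
    """txns: (timestamp, direction, amount_gbp, counterparty_type) tuples."""
    opened = datetime.fromisoformat(opened)
    rows = sorted((datetime.fromisoformat(t), d, a, c) for t, d, a, c in txns)
    inbound = [(t, a) for t, d, a, _ in rows
               if d == "in" and t - opened <= NEW_ACCOUNT]
    total_in = sum(a for _, a in inbound)
    if total_in < INBOUND_MIN:
        return False
    start, end = inbound[0][0], inbound[-1][0] + FAN_OUT
    crypto = [(t, a) for t, d, a, c in rows
              if d == "out" and c == "crypto_exchange" and start <= t <= end]
    tests = [t for t, a in crypto if a <= TEST_MAX]
    if not tests:
        return False
    # Payouts only count once a test payment has activated the wallet.
    payouts = [a for t, a in crypto if a >= PAYOUT_MIN and t > tests[0]]
    return len(payouts) >= MIN_PAYOUTS and sum(payouts) >= 0.5 * total_in

# Constructed sample accounts: account_id -> (opening date, transactions)
ACCOUNTS = {
    "acc-mule": ("2020-10-01", [
        ("2020-10-03T10:00:00", "in", 3000, "bank"), ("2020-10-03T10:20:00", "in", 2500, "bank"),
        ("2020-10-03T11:00:00", "in", 2500, "bank"), ("2020-10-03T12:00:00", "out", 10, "crypto_exchange"),
        ("2020-10-04T09:00:00", "out", 2000, "crypto_exchange"),
        ("2020-10-04T09:30:00", "out", 2500, "crypto_exchange"),
        ("2020-10-04T10:00:00", "out", 1800, "crypto_exchange")]),
    "acc-saver": ("2020-10-01", [  # large deposit, single crypto purchase, no test payment
        ("2020-10-05T09:00:00", "in", 6000, "bank"), ("2020-10-06T09:00:00", "out", 500, "crypto_exchange")]),
    "acc-hobby": ("2020-10-01", [  # test payment but only one small payout
        ("2020-10-02T09:00:00", "in", 5000, "bank"), ("2020-10-02T12:00:00", "out", 20, "crypto_exchange"),
        ("2020-10-03T09:00:00", "out", 300, "crypto_exchange")]),
}

def flag_accounts(accounts):
    return sorted(a for a, (opened, txns) in accounts.items()
                  if matches_new_mule_pattern(opened, txns))
```

Summing the inbound amounts rather than testing each payment is what lets the rule catch deposits split across several smaller payments.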

Thanks for reading our latest Secret Crime Fighters newsletter. If you have an interesting typology that you’d like to share, we’d love to hear about it! Please email us at [email protected].
