Expanding the Search for Money Mules Through Phone Analysis
John Chang, Chief of Staff, R&D
October 10, 2023
Money mule scams are not a new fad, but recent trends paint a troubling picture. The impact of mule networks has increased significantly in the last few years: some estimate that hundreds of millions of dollars, if not billions, flow through mule networks each year. Muling activities continue to proliferate despite the hard work by authorities to clamp down on these schemes.
SentiLink has been uncovering more ways to help our partners identify applicants who have likely participated in money mule schemes in the past and thus prevent those accounts from being opened.
Overview: Money Mule Schemes
Simply put, a "money mule" is someone who helps another person move funds that are illegally obtained. Some mules may be aware of their actions while others may be totally unaware they’re part of any illicit activity. In addition, they may compromise their own personal information, which can be used by fraudsters for other crimes, such as stealing government benefits, more comprehensive identity theft, and account takeovers.
A common money mule process goes like this:
Recruitment: A fraudster recruits a mule based on the promise of a romantic relationship, remote job, or winning a prize.
Grooming: The fraudster builds a relationship and asks the mule to help facilitate a financial transaction.
New Account: The mule opens a new bank account and gives account access to the recruiter.
Execute Transaction: The fraudster deposits funds into the account (checks, ACH, digital transfers) and then quickly withdraws it, often internationally.
Payment: The mule is paid a portion of the funds that are moved.
Since money mules often open new bank accounts as part of the scheme, they leave breadcrumbs behind in the process. Unfortunately, multiple transactions may be executed before an account is flagged by a financial institution. But those breadcrumbs give us vectors for additional research.
Deepening our phone analysis
Building off of our previous research on identity theft, we’ve been exploring better ways to identify individuals who are at higher risk of participating in money mule schemes by analyzing phone data. Mules typically apply for new bank accounts using a phone number controlled by the fraudster; even if a financial institution verifies phone ownership with one-time passcodes, the fraudster and mule would be able to seamlessly bypass it. Eventually, many of these phone numbers get furnished to the mule’s records at the credit bureaus.
To answer this, we devised a proprietary list of filters. Broadly, we identified phone numbers tied briefly with multiple distinct identities in the last several years, and then filtered further for phone numbers that didn’t match where the consumer actually lives.
The end result was a list of about 70,000 very high risk phones. Our fraud intelligence team reviewed a random sample of this list and found that more than 90% of them appeared to have been fraudulently furnished to many other consumers' records. That is, the numbers were not truly being used by those consumers. Many of these numbers were each furnished to hundreds or even thousands of identities.
Testing the Money Mule Phone List
We compared our target phone list to a separate list of phone numbers associated with known money mule activity in the past. This step alone yielded promising results, identifying a substantial number of those known money mule cases -- approximately 30% -- which could have easily been overlooked.
Distinguishing between witting and unwitting mules is challenging, as money muling often resembles identity theft. While we can't determine intent, this analysis demonstrates the potential to reduce losses from money mule schemes.
We also examined consumers who have a history of using temporary phone numbers and the likelihood of mule activity. Specifically, we examined cases where individuals had historical ties to multiple phone numbers that are each only used once, i.e. a temporary number. For example, this may appear when a consumer applies for one financial product with one phone number they don't typically use, and then applies for another financial product just a few months later with a different phone number they also don't use.
This signal uncovers people who are 4.2x more likely to be mules than the general population. For deposit accounts with subsequent losses more broadly, this signal uncovers individuals who are 2.6x more likely to commit first party fraud.
Roughly 35 million phone numbers are “recycled” annually, becoming available to other individuals following a period of disconnection, typically ranging from 90 to 365 days. A 2021 study from Princeton revealed that up to two-thirds of recycled phones remain associated with their previous owners at various websites, greatly amplifying the risk of identity theft, account takeovers, and money muling.
Other Results with ACH returns
After our initial analysis with money mules, we were curious if the target phone list would help to prevent other forms of losses. So far, it has shown promising results in identifying individuals who are more likely to initiate ACH transactions resulting in returns, even if not tied to money muling. We conducted analysis on ACH transactions that subsequently resulted in a customer-initiated return (R05, R07, R10, R11 and R29) excluding those with other red flags like high ID Theft scores. These kinds of transactions are returned not because of administrative errors, but rather active steps taken by customers, and often result in losses for financial institutions.
The results were surprising: an ACH transaction initiated by someone who had previously used a number from the target phone list is 33x more likely to result in one of those return codes. The performance is even higher when isolating to R10s (unauthorized transaction): that relative likelihood to result in a return increases to 40x.
The fight against money mule schemes is a complex battle. However, our early research leveraging the valuable breadcrumbs left behind by bad actors demonstrates how financial institutions can gain crucial insights to enhance their fraud detection capabilities and disrupt money mule networks.
To learn more about how signals like these can help your team, please don’t hesitate to reach out to us.