Prevent Account Take Over & Uncover Known Mule Accounts with Dark Web Intelligence

Glenn Fratangelo, Head of Strategy and Marketing, Enterprise Risk Case Management

Fraudsters and cybercriminals are maturing their approaches, fortified by a threat environment that encompasses increasingly accessible intelligent technology and compute power, data breaches and easily available personally identifiable information (PII) that can be cheaply procured through online sources like the dark web. 

Fraud can now be conducted automatically and at scale, and the evolution of factors like instant and digital payment channels has only bolstered these fraud trends.

Many fraud teams find themselves having to embrace a defensive-only strategy. Often it takes more than one interaction or transaction to conclusively identify that an account takeover (ATO) has occurred or a mule account has been established. In these circumstances, financial services organizations (FSOs) might have to pick between inconveniencing a customer and negatively impacting the customer experience, or simply letting the fraudulent transactions go. 

This is a tough area for FSOs to reconcile because of the dynamic nature of fraud threats. Today, bad actors are more organized, informed and adaptable than ever before, and they have an entire underground resource at their disposal – the dark and deep web, malware networks, private messaging platforms, botnets, and underground infrastructures and communities. 

Fraud Threats Abound from the Digital Underground

Manifesting from these fraud trends and the ripe risk environment of the digital underground is the looming threat of account takeover (ATO) attacks and mule accounts. 

Customer Account Takeovers 

Recent research indicates that 64 percent of financial institutions are seeing higher rates of ATO fraud attacks now than before the pandemic. [1] ATO typically originates with identity theft, where a fraudster uses a stolen identity, which may have been procured via the dark web or via malware infecting computers, mobile phones, or laptops, to access a customer’s account and perpetrate unauthorized transactions.

FSOs serve both business and individual customers, and many of these customers are particularly vulnerable to this threat or have already been compromised. Malware, for example, is developed to harvest online account credentials, sensitive or business information, passwords, email correspondence, and other details. The information is then sent back to the fraudsters or cybercriminals who operate the malware. 

  • Malware has grown so advanced that it’s capable of copying the device fingerprint of the victim’s device; moreover, it can control the victim’s device using remote desktop technology.
  • Malware victims are now at a particularly high risk of ATO that’s challenging to detect.
  • Malware provides a level of control and a quantity of information that enable these criminals to bypass traditional authentication controls by impersonating the behaviors of the legitimate account holder.
  • Fraudsters and cybercriminals can attempt to log in to these accounts and commit a range of financial crimes, including ACH fraud, fraudulent Zelle transfers, payroll fraud, wire fraud, stock manipulation, and many others.

Mule Accounts 

In 2020, there were approximately 17,157 cases of suspected money muling activity involving 21 to 30 year-olds in the United Kingdom, an increase of 5 percent from 2019. [2] In April 2021, the Federal Bureau of Investigation (FBI) released a bulletin cautioning that money muling is a growing crime in the United States. [3]

Illegal financial transactions, whether it’s money laundering or fraud, frequently involve mules. Mules are accounts that act as intermediaries for facilitating and obfuscating the transfer of stolen funds. The illicit funds may originate from money laundering or ATO attacks, and mules transfer the money from their account to an operator or participant in the scam using methods like wire transfer or instant funds transfer. Due to the nature of the transfer, the funds are frequently untraceable and unrecoverable. Fraudsters and cybercriminals select mules through a variety of sources, including online dating platforms, social media accounts and online ads, and tend to target vulnerable populations like the elderly and young adults. 

  • Regardless of robust Know Your Customer (KYC) and Anti-Money Laundering (AML) processes, mule accounts can slip through the cracks.
  • Legitimate existing account holders are frequently recruited online, whether wittingly or unwittingly, to act as mules, which is challenging to detect ahead of time.
  • The popularity of instant payment platforms, like Zelle and Venmo, makes it easier and faster for mule accounts to execute transactions with less scrutiny.
  • Criminal organizations use the dark web to recruit and manage large networks of mules “as-a-service.” 

Mitigate Account Takeover

FSOs can leverage a data feed containing details of financial institution customers who have recently been compromised by malware. Details include name, phone number, IP address, or SSN, which can be matched against existing customers. These customer accounts can then be instantly flagged to mitigate potential takeover attempts. Dozens of malware families are continuously monitored, which range from basic credential thieves like Azorult to powerful malware families like Dridex.

Instead of hoping that a takeover attempt can be detected in real time, FSOs can deploy this intelligence to proactively remediate the compromised accounts, preventing takeover and ensuing customer friction. Additionally, this data feed helps FSOs identify the latest trends and popular tactics used by fraudsters to compromise accounts so they can implement effective countermeasures.

This solution also addresses the limitations of existing authentication methods. For example, fraudsters have already developed numerous techniques, like social engineering and SIM swapping, to circumvent two-factor authentication for online and mobile banking. IFM-X Dark Web Intelligence complements two-factor authentication by helping FSOs identify compromised accounts that are at high risk of takeover and take immediate action to avert the takeover. FSOs can further use this solution to augment their current ATO detection tools for more robust defense. 

Block Mule Activity

A data feed containing details of mule accounts across financial institutions associated with money laundering, fraud or other financial crime includes actionable data such as name, bank account number, phone number, and email address. This data can be matched against existing customers or transaction details.

FSOs can use this data feed in three unique ways to augment their fraud prevention program. First, if a mule account matches a customer, then that account can be investigated and blocked as appropriate. Second, if the mule account resides at a third-party FSO, then the account information can be stored in a “negative list” to screen against future transactions. Third, new account applications can be screened against the mule data to flag any account applications that might be associated with a mule. 
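The three uses above can be sketched as follows. This is an added example, not vendor code: the feed layout, field names, sample records and the investigate/review thresholds are all assumptions. The same normalized matching applies to the compromised-customer feed described under Mitigate Account Takeover.

```python
import re

# Constructed sample data. The feed layout and all field names are assumptions.
MULE_FEED = [
    {"account": "0001-1122-2", "phone": "+1 (555) 010-0142", "email": "A.Roe@Example.org"},
    {"account": "7770 0055 5", "phone": "555-010-0199", "email": "mule.two@example.com"},
]
CUSTOMERS = [
    {"id": "C1", "account": "000111222", "phone": "15550100142", "email": "a.roe@example.org"},
    {"id": "C2", "account": "999888777", "phone": "5550100199", "email": "clean@example.com"},
    {"id": "C3", "account": "123123123", "phone": "5550100000", "email": "other@example.com"},
]
# Feed and core-banking data rarely share formatting, so normalize before comparing.
NORMALIZE = {
    "account": lambda v: re.sub(r"[^0-9A-Za-z]", "", v).upper(),
    "phone": lambda v: re.sub(r"\D", "", v)[-10:],  # assumes 10-digit national numbers
    "email": lambda v: v.strip().lower(),
}

def keys(record):
    """Normalized (field, value) identifiers present on a record."""
    return {(f, n(record[f])) for f, n in NORMALIZE.items() if record.get(f)}

def build_index(feed):
    index = {}
    for row, rec in enumerate(feed):
        for key in keys(rec):
            index.setdefault(key, set()).add(row)
    return index

def screen(record, index):
    """Uses 1 and 3: classify an existing customer or a new account application."""
    per_row = {}
    for key in keys(record):
        for row in index.get(key, ()):
            per_row.setdefault(row, set()).add(key[0])
    best = max(per_row.values(), key=len, default=set())
    if "account" in best or len(best) >= 2:
        return "investigate"  # account number, or two identifiers on one feed row
    return "review" if best else "clear"  # a lone shared phone or email is weak evidence

def negative_list(feed, customers):
    """Use 2: feed accounts held at other institutions, kept for payment screening."""
    own = {NORMALIZE["account"](c["account"]) for c in customers}
    return {NORMALIZE["account"](r["account"]) for r in feed if r.get("account")} - own

def screen_payment(beneficiary_account, neglist):
    return NORMALIZE["account"](beneficiary_account) in neglist
```

Separating a strong match from a single shared phone number or email keeps shared household or business contact details from triggering an automatic block.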

While mule account data received via industry associations can be valuable, it’s often the result of an investigation into those accounts, which means it’s after the fact. Conversely, this data feed provides visibility into mule accounts at the initial stages so FSOs can flag mule accounts far earlier in the process. Furthermore, FSOs can identify mule accounts associated with peer-to-peer instant payment channels, like Zelle. 

Turn the Tables on Fraudsters 

The digital underground isn’t shrinking – it’s growing and contributing to a range of complex fraud patterns, trends and typologies that are increasingly difficult for FSOs to detect and respond to using existing solutions and strategies. It’s time for organizations to turn the tables on the fraudsters and cybercriminals who operate within this nefarious underworld, and use dark web intelligence against these bad actors to proactively and effectively protect their organization against mule accounts and ATO attacks. 

Dark Web Intelligence is the Solution

Monitoring dark web and deep web activity can help FSOs resolve the challenges they face in ATO and mule account detection. 

NICE Actimize’s IFM-X Dark Web Intelligence provides comprehensive intelligence into the digital underworld, including the forums, apps, networks, technical infrastructures, and platforms used by fraudsters and cybercriminals. Curated data feeds, which can be individually procured depending on an FSO’s needs, are interwoven into the analysis to help organizations holistically fight fraud while simultaneously reducing fraud losses and delivering an exceptional customer experience. 

Tracking dark web activity via IFM-X Dark Web Intelligence provides a number of other advantages for fighting fraud: 

  • Proven ROI to FSOs of all types and sizes. For example, ROI delivered to clients in 2020 ranged from 8.4x to more than 50x, with the median at approximately 18x. 
  • Streamlined implementation process that takes only five minutes. There’s no data or access required on the FSO’s part; monitoring is simply turned on for the organization and data begins pouring in within a couple of hours.
  • All data is collected from external sources like marketplaces, forums, chat applications, communities, and online sites in which fraudsters and hackers operate and interact. There’s no need for this solution to access any data or systems from the FSO. 
  • Because bad actors are aware that security companies and law enforcement monitor the dark web, the amount of valuable intelligence via this source is diminishing. The solution addresses this by using proprietary sources based on years of dedicated research into underground fraud and cybercrime ecosystems, and uses human intelligence (HUMINT) alongside advanced technology to deliver intelligence that’s more customized, targeted, timely and actionable. 
  • The solution’s total data volumes have constantly and exponentially grown since 2015, which enables sustainable data collection and access. 
  • There’s no ambiguous data detection because the sources that are monitored are actively used by fraudsters and cybercriminals, which contributes to a false positive rate of less than 5 percent.


[1] Fooshee, T. (2020). Key Trends Driving Fraud Transformation in 2021 and Beyond. Aite Group.

[2] Cifas. (2021, March 11). Money Mule Recruiters use Fake Online Job Adverts to Target “Generation Covid.” Cifas.

[3] Federal Bureau of Investigation. (2020, April 6). FBI Warns of Money Mule Schemes Exploiting the Covid-19 Pandemic. FBI National Press Office.
